Site-to-Site with NATing

kumarsundaram
Level 1

Hello All,

I am kind of new to Cisco and I have no CLI expertise. I need to setup a site-to-site VPN (IPsec tunnel) with NATing. I have previously setup several L2L using ASDM with no problem, none required NATing.  Here is the scenario:

Site1 uses 192.168.1.0/24 for all internal clients who will be connecting to two hosts on Site2.

Site1 users need to access Site2 hosts namely 192.168.25.100 and 192.168.25.101

Site2 already has a L2L with another site setup for the range 192.168.1.0/24, thus they asked if I can NAT the traffic coming out on my end to 172.10.25.0/24.

Thus all clients on 192.168.1.0/24 connecting through only this VPN tunnel from Site1 to Site2 need to be NATed to 172.10.25.0/24 (one to one?).  Now, I wonder if this can be done through ASDM and if so how? I am guessing I need to do this in two steps, 1) setup the L2L using the Wizard 2) Setup all necessary NAT and ACL.   I am running Cisco ASA 5510. ver 7.2.  If not, what are the exact commands for CLI?  Again, this NATing is only for this VPN tunnel and I don't want Site1 users (192.168.1.0/24) to be affected for other VPN L2L that's already setup and anything related to internal.

Thank you in advance for any help/suggestions.


8 Replies

Jennifer Halim
Cisco Employee

Yes you can...

Here is the NAT:

access-list nat-for-site2-vpn permit ip 192.168.1.0 255.255.255.0 host 192.168.25.100

access-list nat-for-site2-vpn permit ip 192.168.1.0 255.255.255.0 host 192.168.25.101

static (inside,outside) 172.10.25.0 access-list nat-for-site2-vpn

NB: assuming that your inside network is named "inside" and outside is named "outside".

Then the crypto ACL for the vpn will say:

access-list <crypto-acl-name> permit ip 172.10.25.0 255.255.255.0 host 192.168.25.100

access-list <crypto-acl-name> permit ip 172.10.25.0 255.255.255.0 host 192.168.25.101

(<crypto-acl-name> stands for whatever name the crypto map ACL is given; it was omitted in the original post.)

Hope that helps.

kumarsundaram
Level 1

Thank you, Jennifer. I also stumbled upon another similar reference http://psinfotech.blogspot.ca/2009/06/how-to-nat-vpn-traffic-on-cisco-asa.html .  What does the "global" command do?  In what you showed me the "global" is missing... and could you please describe what exactly the following command does?

static (inside,outside) 172.10.25.0 access-list nat-for-site2-vpn

The "global" command is paired with a "nat" statement. As an example:

nat (inside) 2 access-list nat-for-site2-vpn

global (outside) 2 172.10.25.1

However, notice that you can't perform 1:1 translation with the above nat/global pair, and also the direction of the translation is only outbound, not both directions.

With the static command that I provided earlier, you will get translation in both directions, i.e. both sides can initiate the connection, and it is a 1:1 translation, meaning:

192.168.1.1 will be translated to 172.10.25.1

192.168.1.15 will be translated to 172.10.25.15

and so on...

Jennifer,

I have setup the ACL and the VPN tunnel. But, I made a mistake of giving you the public IP range 172.10.25.0 in my example.  The party that we are trying to connect to asked me to NAT the internal PRIVATE ip range: 172.19.10.0/24 .  So, does anything change now in the static(INSIDE,OUTSIDE) statement you have shown before?

This is what I have so far:

access-list INSIDE_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group SiteB

After entering the above command, when I say

static (inside,outside) 172.19.10.0 access-list INSIDE_nat0_outbound

I get the following error: ERROR: access-list used in static has different local address

Crypto ACL for the VPN:

access-list OUTSIDE_100_cryptomap permit ip 172.19.10.0 255.255.255.0 object-group SiteB

Sorry.. if I confused you. Here is the scenario again: our Internal IP range is 192.168.1.0/24 trying to access couple of hosts (192.168.25.100 & 101) on siteB through NAT 172.19.10.0/24, so all traffic reaching siteB should appear as if they are coming from 172.19.10.0/24 not 192.168.1.0/24.

Are you using "INSIDE_nat0_outbound" for the NAT 0 access-list? If you do, please remove that line, as the access-list for the static NAT can't exist in your NAT exemption access-list.

And for the static access-list, please use a different access-list name.

Thank you.  Yes, there exists an entry in the running config: nat (INSIDE) 0 access-list INSIDE_nat0_outbound   So, I suppose yes, we are using "INSIDE_nat0_outbound" for the NAT 0 access-list.

If I understood correctly you are saying that I remove the following line:

access-list INSIDE_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group SiteB

and create a new access list name like the one shown below and NAT it?

access-list nat_to_siteb extended permit ip 192.168.1.0 255.255.255.0 object-group SiteB

static (INSIDE,OUTSIDE) 172.19.10.0 access-list nat_to_siteb

First line helps dictate that any IP from 192.168.1.0 going to any IP specified on the object-group will be NATed. Right?

Second line translates whatever IP that passes on the nat_to_siteb ACL to my targeted private address range of 172.19.10.0. Is that what I understood?

Yes, you are absolutely correct with all the 3 statements.

Got it working!  Thanks so much for your help, Jennifer. 

I removed the line you suggested and re-added the two new lines with a new access list name. I also learned that the access-list for "cryptomap" has to come after the line for the access-list for NATing.  Thank you again!!
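As an added illustration (not from the thread or from Cisco), here is a small Python model of the three checks the thread converges on for one flow: the nat 0 exemption list is consulted before the policy static, the static maps 192.168.1.x to 172.19.10.x one-to-one in both directions, and the crypto ACL is matched against the already-translated source. It uses the addresses from the thread; the function names are assumptions for the example.

```python
# Added example, not the thread's or Cisco's code: a toy model of the ASA 7.x
# order of operations discussed above (nat 0 exemption -> policy static NAT ->
# crypto ACL). Addresses are the ones from the thread; everything else is a
# simplification for illustration.
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("192.168.1.0/24")          # Site1 real range
MAPPED_NET = ip_network("172.19.10.0/24")          # range Site2 wants to see
SITE_B_HOSTS = {ip_address("192.168.25.100"),      # object-group SiteB
                ip_address("192.168.25.101")}


def matches_siteb(src, dst):
    """access-list nat_to_siteb extended permit ip 192.168.1.0 255.255.255.0 object-group SiteB"""
    return src in INSIDE_NET and dst in SITE_B_HOSTS


def translate_source(src, dst, nat0_exempts_siteb):
    """Source address after NAT for an inside->outside flow.
    nat 0 (exemption) wins over the policy static, which is why the
    INSIDE_nat0_outbound entry for SiteB had to be removed."""
    src, dst = ip_address(src), ip_address(dst)
    if nat0_exempts_siteb and matches_siteb(src, dst):
        return src                                  # exempted: not translated
    if matches_siteb(src, dst):
        # static (INSIDE,OUTSIDE) 172.19.10.0 access-list nat_to_siteb
        # is 1:1 with the host part preserved (192.168.1.15 -> 172.19.10.15)
        return MAPPED_NET.network_address + (int(src) - int(INSIDE_NET.network_address))
    return src                                      # all other traffic untouched


def untranslate_destination(dst, src):
    """The static is bidirectional: a SiteB host reaching 172.19.10.15
    is delivered to 192.168.1.15."""
    dst, src = ip_address(dst), ip_address(src)
    if src in SITE_B_HOSTS and dst in MAPPED_NET:
        return INSIDE_NET.network_address + (int(dst) - int(MAPPED_NET.network_address))
    return dst


def crypto_acl_selects(translated_src, dst):
    """access-list OUTSIDE_100_cryptomap permit ip 172.19.10.0 255.255.255.0 object-group SiteB
    Evaluated on the post-NAT source, so it must name the mapped range."""
    return ip_address(translated_src) in MAPPED_NET and ip_address(dst) in SITE_B_HOSTS


def goes_through_tunnel(src, dst, nat0_exempts_siteb):
    """True if the flow is both translated and selected by the crypto ACL."""
    return crypto_acl_selects(translate_source(src, dst, nat0_exempts_siteb), dst)
```

With the nat 0 entry still present the flow stays 192.168.1.x, misses the crypto ACL and never enters the tunnel; once it is removed the same flow is translated and selected.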
