08-29-2012 08:29 AM
Hello All,
I am kind of new to Cisco and I have no CLI expertise. I need to setup a site-to-site VPN (IPsec tunnel) with NATing. I have previously setup several L2L using ASDM with no problem, none required NATing. Here is the scenario:
Site1 uses 192.168.1.0/24 for all internal clients who will be connecting to two hosts on Site2.
Site1 users need to access Site2 hosts, namely 192.168.25.100 and 192.168.25.101.
Site2 already has a L2L with another site set up for the range 192.168.1.0/24, thus they asked if I can NAT the traffic coming out on my end to 172.10.25.0/24.
Thus all clients on 192.168.1.0/24 connecting through only this VPN tunnel from Site1 to Site2 need to be NATed to 172.10.25.0/24 (one to one?). Now, I wonder if this can be done through ASDM and if so how? I am guessing I need to do this in two steps: 1) set up the L2L using the Wizard, 2) set up all necessary NAT and ACL. I am running a Cisco ASA 5510, ver 7.2. If not, what are the exact commands for CLI? Again, this NATing is only for this VPN tunnel and I don't want Site1 users (192.168.1.0/24) to be affected for the other VPN L2L that's already set up and anything related to internal.
Thank you in advance for any help/suggestions.
08-30-2012 06:50 AM
Yes you can...
Here is the NAT:
access-list nat-for-site2-vpn permit ip 192.168.1.0 255.255.255.0 host 192.168.25.100
access-list nat-for-site2-vpn permit ip 192.168.1.0 255.255.255.0 host 192.168.25.101
static (inside,outside) 172.10.25.0 access-list nat-for-site2-vpn
NB: assuming that your inside network is named "inside" and outside is named "outside".
Then the crypto ACL for the vpn will say:
access-list
access-list
Hope that helps.
08-30-2012 12:04 PM
Thank you, Jennifer. I also stumbled upon another similar reference http://psinfotech.blogspot.ca/2009/06/how-to-nat-vpn-traffic-on-cisco-asa.html . What does the "global" command do? In what you showed me the "global" is missing... and could you please describe what exactly the following command does?
static (inside,outside) 172.10.25.0 access-list nat-for-site2-vpn
08-30-2012 07:55 PM
The "global" command is paired with a "nat" statement. As an example:
nat (inside) 2 access-list nat-for-site2-vpn
global (outside) 2 172.10.25.1
However, notice that you can't perform 1:1 translation with the above nat/global pair, and also the direction of the translation is only outbound, not both directions.
With the static command that I provided earlier, you will get translation in both directions, i.e. both sides can initiate the connection, and it is a 1:1 translation, meaning:
192.168.1.1 will be translated to 172.10.25.1
192.168.1.15 will be translated to 172.10.25.15
and so on...
09-04-2012 12:52 PM
Jennifer,
I have set up the ACL and the VPN tunnel. But I made the mistake of giving you the public IP range 172.10.25.0 in my example. The party that we are trying to connect to asked me to NAT the internal PRIVATE IP range 172.19.10.0/24. So, does anything change now in the static (INSIDE,OUTSIDE) statement you have shown before?
This is what I have so far:
access-list INSIDE_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group SiteB
After entering the above command, when I say
static (inside,outside) 172.19.10.0 access-list INSIDE_nat0_outbound
I get the following error: ERROR: access-list used in static has different local address
Crypto ACL for the VPN:
access-list OUTSIDE_100_cryptomap permit ip 172.19.10.0 255.255.255.0 object-group SiteB
Sorry if I confused you. Here is the scenario again: our internal IP range is 192.168.1.0/24, trying to access a couple of hosts (192.168.25.100 & 101) on siteB through NAT 172.19.10.0/24, so all traffic reaching siteB should appear as if it is coming from 172.19.10.0/24, not 192.168.1.0/24.
09-04-2012 01:09 PM
Are you using "INSIDE_nat0_outbound" for the NAT 0 access-list? If you do, please remove that line, as the access-list for the static NAT can't exist in your NAT exemption access-list.
And for the static access-list, please use a differently named access-list.
09-04-2012 01:44 PM
Thank you. Yes, there exists an entry in the running config: nat (INSIDE) 0 access-list INSIDE_nat0_outbound. So I suppose yes, we are using "INSIDE_nat0_outbound" for the NAT 0 access-list.
If I understood correctly you are saying that I remove the following line:
access-list INSIDE_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group SiteB
and create a new access list name like the one shown below and NAT it?
access-list nat_to_siteb extended permit ip 192.168.1.0 255.255.255.0 object-group SiteB
static (INSIDE,OUTSIDE) 172.19.10.0 access-list nat_to_siteb
First line helps dictate that any IP from 192.168.1.0 going to any IP specified on the object-group will be NATed. Right?
Second line translates whatever IP that passes on the nat_to_siteb ACL to my targeted private address range of 172.19.10.0. Is that what I understood correctly?
09-04-2012 10:34 PM
Yes, you are absolutely correct with all the 3 statements.
09-05-2012 08:46 AM
Got it working! Thanks so much for your help, Jennifer.
I removed the line you suggested and re-added the two new lines with a new access list name. I also learned that the access-list for "cryptomap" has to come after the line for access-list for NATing. Thank you again!!
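The three points the thread settles on (the policy static is 1:1 and keyed on the destination, the crypto ACL must match the translated 172.19.10.0/24 source, and the same flow must not also sit in the nat 0 exemption ACL) in one runnable model. This is an added example, not code from the thread or from Cisco: it is a deliberately simplified model of the pre-8.3 ASA NAT precedence (nat 0 exemption first, then policy static NAT) that parses only the `access-list`, `nat 0` and `static` forms used above, and it assumes an object-group SiteB containing the two hosts named in the thread plus a constructed 10.0.0.0/24 standing in for the other, pre-existing L2L whose traffic must stay untranslated.

```python
import ipaddress

# Constructed object-group (assumption): the two Site2 hosts named in the thread.
OBJECT_GROUPS = {"SiteB": ["192.168.25.100/32", "192.168.25.101/32"]}


def _addr(tok, i):
    """Parse one address term starting at tok[i]; return (networks, next index)."""
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return [ipaddress.ip_network(n) for n in OBJECT_GROUPS[tok[i + 1]]], i + 2
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2  # "net mask" form


def parse(config):
    """Collect ACLs, the nat 0 exemption ACL name and policy statics from ASA 7.x lines."""
    acls, nat0, statics = {}, None, []
    for line in config.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            i = 3 if tok[2] == "extended" else 2
            assert tok[i:i + 2] == ["permit", "ip"], "only 'permit ip' entries are modelled"
            srcs, i = _addr(tok, i + 2)
            dsts, _ = _addr(tok, i)
            acls.setdefault(tok[1], []).append((srcs[0], dsts))
        elif tok[0] == "nat" and tok[2] == "0":  # nat (inside) 0 access-list NAME
            nat0 = tok[4]
        elif tok[0] == "static":  # static (inside,outside) MAPPED access-list NAME
            statics.append((ipaddress.ip_address(tok[2]), tok[4]))
    return acls, nat0, statics


def acl_match(acl, src, dst):
    """True if any entry of the ACL permits src -> dst."""
    return any(src in s and any(dst in d for d in dsts) for s, dsts in acl)


def translate(config, src, dst):
    """Pre-8.3 ASA precedence: nat 0 exemption is checked first, then policy static NAT.
    Returns (source address as seen on the outside, which rule decided it)."""
    acls, nat0, statics = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if nat0 and acl_match(acls[nat0], src, dst):
        return str(src), "exempt"
    for mapped, name in statics:
        for local, dsts in acls[name]:
            if src in local and any(dst in d for d in dsts):
                # 1:1 policy static: host part kept, network part swapped for the mapped one
                return str(mapped + (int(src) - int(local.network_address))), f"static {name}"
    return str(src), "none"  # would fall through to nat/global dynamic PAT (not modelled)


def enters_tunnel(config, crypto_acl, src, dst):
    """NAT runs before the crypto map check, so the crypto ACL sees the translated source."""
    acls, _, _ = parse(config)
    new_src, _ = translate(config, src, dst)
    return acl_match(acls[crypto_acl], ipaddress.ip_address(new_src), ipaddress.ip_address(dst))


# Constructed config in the shape of the thread's final, working setup. 10.0.0.0/24 stands in
# for the pre-existing L2L whose traffic must stay untranslated (exempt).
CONFIG_OK = """
access-list INSIDE_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nat_to_siteb extended permit ip 192.168.1.0 255.255.255.0 object-group SiteB
access-list OUTSIDE_100_cryptomap extended permit ip 172.19.10.0 255.255.255.0 object-group SiteB
nat (inside) 0 access-list INSIDE_nat0_outbound
static (inside,outside) 172.19.10.0 access-list nat_to_siteb
"""

# The first attempt in the thread: the Site B hosts also listed in the exemption ACL.
# Exemption is evaluated first, so the static would never be reached (the ASA in the
# thread rejected the overlapping static outright).
CONFIG_OVERLAP = """
access-list INSIDE_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group SiteB
access-list nat_to_siteb extended permit ip 192.168.1.0 255.255.255.0 object-group SiteB
access-list OUTSIDE_100_cryptomap extended permit ip 172.19.10.0 255.255.255.0 object-group SiteB
nat (inside) 0 access-list INSIDE_nat0_outbound
static (inside,outside) 172.19.10.0 access-list nat_to_siteb
"""

if __name__ == "__main__":
    for cfg, label in ((CONFIG_OK, "fixed"), (CONFIG_OVERLAP, "overlapping")):
        for dst in ("192.168.25.100", "10.0.0.5"):
            new_src, rule = translate(cfg, "192.168.1.15", dst)
            print(label, "192.168.1.15 ->", dst, "appears as", new_src, f"({rule}),",
                  "encrypted to Site B:",
                  enters_tunnel(cfg, "OUTSIDE_100_cryptomap", "192.168.1.15", dst))
```

With the working config, 192.168.1.15 to 192.168.25.100 leaves as 172.19.10.15 and matches OUTSIDE_100_cryptomap, while the same host to the other L2L's 10.0.0.0/24 is exempted and untranslated, which is exactly the "don't affect the other VPN" requirement; with the overlapping exemption entry the flow is exempted before the static is ever consulted and so never matches a crypto ACL written for 172.19.10.0/24.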