Site-to-Site with NATing

kumarsundaram
Level 1

Hello All,

I am kind of new to Cisco and I have no CLI expertise. I need to set up a site-to-site VPN (IPsec tunnel) with NATing. I have previously set up several L2L using ASDM with no problem; none required NATing. Here is the scenario:

Site1 uses 192.168.1.0/24 for all internal clients who will be connecting to two hosts on Site2.

Site1 users need to access Site2 hosts namely 192.168.25.100 and 192.168.25.101

Site2 already has a L2L with another site setup for the range 192.168.1.0/24, thus they asked if I can NAT the traffic coming out on my end to 172.10.25.0/24.

Thus all clients on 192.168.1.0/24 connecting through only this VPN tunnel from Site1 to Site2 need to be NATed to 172.10.25.0/24 (one to one?). Now, I wonder if this can be done through ASDM and if so how? I am guessing I need to do this in two steps: 1) set up the L2L using the Wizard, 2) set up all necessary NAT and ACL. I am running a Cisco ASA 5510, ver 7.2. If not, what are the exact commands for CLI? Again, this NATing is only for this VPN tunnel and I don't want Site1 users (192.168.1.0/24) to be affected for the other VPN L2L that's already set up and anything related to internal.

Thank you in advance for any help/suggestions.

8 Replies

Jennifer Halim
Cisco Employee

Yes you can...

Here is the NAT:

access-list nat-for-site2-vpn permit ip 192.168.1.0 255.255.255.0 host 192.168.25.100

access-list nat-for-site2-vpn permit ip 192.168.1.0 255.255.255.0 host 192.168.25.101

static (inside,outside) 172.10.25.0 access-list nat-for-site2-vpn

NB: assuming that your inside network is named "inside" and outside is named "outside".

Then the crypto ACL for the vpn will say:

access-list <crypto-acl-name> permit ip 172.10.25.0 255.255.255.0 host 192.168.25.100

access-list <crypto-acl-name> permit ip 172.10.25.0 255.255.255.0 host 192.168.25.101

Hope that helps.

kumarsundaram
Level 1

Thank you, Jennifer. I also stumbled upon another similar reference: http://psinfotech.blogspot.ca/2009/06/how-to-nat-vpn-traffic-on-cisco-asa.html . What does the "global" command do? In what you showed me, the "global" is missing... and could you please describe what exactly the following command does?

static (inside,outside) 172.10.25.0 access-list nat-for-site2-vpn

The "global" command is paired with a "nat" statement. As an example:

nat (inside) 2 access-list nat-for-site2-vpn

global (outside) 2 172.10.25.1

However, notice that you can't perform 1:1 translation with the above nat/global pair, and also the direction of the translation is only outbound, not both directions.

With the static command that I provided earlier, you will get translation in both directions, i.e. both sides can initiate the connection, and it is 1:1 translation, meaning:

192.168.1.1 will be translated to 172.10.25.1

192.168.1.15 will be translated to 172.10.25.15

and so on...

Jennifer,

I have set up the ACL and the VPN tunnel. But I made the mistake of giving you the public IP range 172.10.25.0 in my example. The party that we are trying to connect to asked me to NAT to the internal PRIVATE IP range 172.19.10.0/24. So, does anything change now in the static (INSIDE,OUTSIDE) statement you have shown before?

This is what I have so far:

access-list INSIDE_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group SiteB

After entering the above command, when I say

static (inside,outside) 172.19.10.0 access-list INSIDE_nat0_outbound

I get the following error: ERROR: access-list used in static has different local address

Crypto ACL for the VPN:

access-list OUTSIDE_100_cryptomap permit ip 172.19.10.0 255.255.255.0 object-group SiteB

Sorry if I confused you. Here is the scenario again: our internal IP range is 192.168.1.0/24, trying to access a couple of hosts (192.168.25.100 & .101) on siteB through NAT 172.19.10.0/24, so all traffic reaching siteB should appear as if it is coming from 172.19.10.0/24, not 192.168.1.0/24.

Are you using "INSIDE_nat0_outbound" for the NAT 0 access-list? If you do, pls remove that line, as the access-list for the static NAT can't exist in your NAT exemption access-list.

And for the static access-list, pls use a different access-list name.

Thank you. Yes, there exists an entry in the running config: nat (INSIDE) 0 access-list INSIDE_nat0_outbound. So, I suppose yes, we are using "INSIDE_nat0_outbound" for the NAT 0 access-list.

If I understood correctly you are saying that I remove the following line:

access-list INSIDE_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group SiteB

and create a new access-list with a name like the one shown below and NAT it?

access-list nat_to_siteb extended permit ip 192.168.1.0 255.255.255.0 object-group SiteB

static (INSIDE,OUTSIDE) 172.19.10.0 access-list nat_to_siteb

The first line dictates that any IP from 192.168.1.0 going to any IP specified in the object-group will be NATed. Right?

The second line translates whatever IP that passes the nat_to_siteb ACL to my targeted private address range of 172.19.10.0, from what I understood?

Yes, you are absolutely correct with all the 3 statements.

Got it working! Thanks so much for your help, Jennifer.

I removed the line you suggested and re-added the two new lines with a new access-list name. I also learned that the access-list for the "cryptomap" has to come after the access-list line for NATing. Thank you again!!
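For readers who want the whole picture in one place, here is an added ASA 7.2-style configuration that assembles what the thread arrived at: a NAT exemption ACL for the pre-existing tunnel kept separate from the policy static NAT ACL, the 1:1 bidirectional static translating 192.168.1.x to 172.19.10.x only toward the two SiteB hosts, and a crypto ACL written against the translated range. This is example configuration written for this page, not the poster's running config or Cisco documentation; the interface names INSIDE/OUTSIDE, the object-group contents, the remote network of the other tunnel (10.200.0.0/24), the peer address 203.0.113.10, the crypto map name, the transform-set and the verification commands are assumptions or placeholders.

```cisco
! Added example, not the poster's running configuration. INSIDE/OUTSIDE, the
! object-group, the other tunnel's remote network, the peer 203.0.113.10 and
! the crypto map name are assumptions; substitute your own values.

! SiteB hosts that must see our clients as 172.19.10.0/24 (from the thread)
object-group network SiteB
 network-object host 192.168.25.100
 network-object host 192.168.25.101

! 1. NAT exemption for the pre-existing L2L that carries 192.168.1.0/24
!    untranslated. 10.200.0.0/24 is a placeholder for that tunnel's remote
!    network. Do NOT list the SiteB hosts here: NAT exemption (nat 0) takes
!    precedence over static NAT, so an overlapping entry would exempt the
!    traffic instead of translating it.
access-list INSIDE_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.200.0.0 255.255.255.0
nat (INSIDE) 0 access-list INSIDE_nat0_outbound

! 2. Policy static NAT, in its own ACL: 192.168.1.x <-> 172.19.10.x (1:1 and
!    bidirectional) only when the other end is one of the SiteB hosts.
!    Traffic from 192.168.1.0/24 to anywhere else is untouched.
access-list nat_to_siteb extended permit ip 192.168.1.0 255.255.255.0 object-group SiteB
static (INSIDE,OUTSIDE) 172.19.10.0 access-list nat_to_siteb

! 3. Crypto ACL matches the TRANSLATED source: on the ASA, NAT is applied
!    before the packet is evaluated against the crypto map, so 192.168.1.0/24
!    would never match here.
access-list OUTSIDE_100_cryptomap extended permit ip 172.19.10.0 255.255.255.0 object-group SiteB

! 4. Tunnel definition for the SiteB peer (values are placeholders)
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_map 100 match address OUTSIDE_100_cryptomap
crypto map OUTSIDE_map 100 set peer 203.0.113.10
crypto map OUTSIDE_map 100 set transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>

! 5. Verification from enable mode (packet-tracer assumed available on 7.2).
!    The NAT phase should show 192.168.1.15 -> 172.19.10.15, and the VPN
!    phase should pick crypto map entry 100; a flow to 10.200.0.0/24 should
!    instead hit the nat 0 exemption and stay untranslated.
! packet-tracer input INSIDE tcp 192.168.1.15 1025 192.168.25.100 445
! packet-tracer input INSIDE tcp 192.168.1.15 1025 10.200.0.10 445
! show xlate | include 172.19.10
! show crypto ipsec sa peer 203.0.113.10
```

The two packet-tracer runs are the check worth keeping: one confirms the translation and tunnel selection for SiteB, the other confirms the original tunnel is unaffected, which was the poster's stated constraint.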