
New Member

VPN - Static NAT on VPN

Hi,

I am configuring a S2S VPN; due to a limitation we have to use static NATting on one site. Please see the configuration. I think I am missing something.

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
interface Ethernet0/0
 switchport access vlan 2
object-group network MAINSITE
 network-object 10.0.0.0 255.0.0.0
object-group network LOCAL
 network-object 192.168.1.0 255.255.255.0
access-list MAINSITE-I extended permit ip host 192.168.96.5 object-group MAINSITE
access-list MAINSITE-PolicyNAT extended permit ip object-group LOCAL object-group MAINSITE
access-list nonat extended permit ip host 192.168.96.5 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 2 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0

Thanks.

Muhammad

4 REPLIES
Bronze

VPN - Static NAT on VPN

I don't see your static NAT configuration, only your PAT configuration (minus the global statements - where are those?).

And describe more of what you're trying to do, please.

New Member

VPN - Static NAT on VPN

Hi

I am building a Site to Site VPN. One site will be using a single IP, 192.168.96.5, for all VPN traffic; for example, SiteA (1.1.1.1) will be sending VPN traffic as 192.168.96.5/32.

I have this statement:

static (inside,outside) 192.168.96.5 access-list MAINSITE-PolicyNAT

but it's not accepted, giving an error saying "global address overlaps with mask".

Thanks.

Bronze

VPN - Static NAT on VPN

What firewall are you using for this VPN (model/version)?

If you're trying to NAT 1.1.1.0/24 network to 192.168.96.5, you'll need to remove your statements:

access-list nonat extended permit ip host 192.168.96.5 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat

"nat (inside) 0" negates your translations for the 'nonat' ACL.

If you're wanting to 'PAT' hosts from SiteA on the 1.1.1.0/24 network to 10.0.0.0/8 network (MAINSITE), with 192.168.96.5/32 as your source, then you'll need a statement like:

object-group network MAINSITE
 network-object 10.0.0.0 255.0.0.0
object-group network SITE_A
 network-object 1.1.1.0 255.255.255.0
access-list SITE_A_NAT extended permit ip object-group SITE_A object-group MAINSITE
nat (inside) 2 access-list SITE_A_NAT
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 2 192.168.96.5 netmask 255.255.255.255

or

global (outside) 2 interface
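As an added illustration, not part of the thread, here is a small Python model of the pre-8.3 ASA NAT selection order applied to the question's config and to the reply's corrected shape. It assumes the inside LAN 192.168.1.0/24 is the real source behind the policy rule (the reply wrote 1.1.1.0/24, which is the outside subnet), uses constructed destination hosts, and reflects my reading of the 8.2 NAT order rather than any ASA code.

```python
"""Toy model of how a pre-8.3 ASA picks a NAT rule for one inside->outside flow.
Order modelled: NAT exemption (nat 0 access-list), then policy NAT (nat <id>
access-list), then regular dynamic NAT, where the most specific real network wins
rather than list order. Static NAT is omitted (the thread's config has none).
Assumption: this is my reading of the 8.2 NAT order, not ASA code."""
from ipaddress import ip_address, ip_network

def acl_matches(acl, src, dst):
    """A 'permit ip' ACE matches on the REAL (pre-NAT) source and the destination."""
    return any(src in s_net and dst in d_net for s_net, d_net in acl)

def _apply_global(cfg, nat_id, egress):
    mapped = cfg.get("global", {}).get((egress, nat_id))
    if mapped is None:  # nat matched but no global for that id: no translation group
        return (f"nat {nat_id}: no global on {egress}", None)
    return (f"nat {nat_id} -> global {nat_id}", mapped)

def translate(cfg, src, dst, egress="outside"):
    """Return (rule description, mapped source) for a packet from src to dst."""
    src, dst = ip_address(src), ip_address(dst)
    for acl in cfg.get("exempt", []):            # 1. NAT exemption, first match
        if acl_matches(acl, src, dst):
            return ("nat 0 access-list (exempt)", str(src))
    for nat_id, acl in cfg.get("policy", []):    # 2. policy dynamic NAT, first match
        if acl_matches(acl, src, dst):
            return _apply_global(cfg, nat_id, egress)
    hits = [(net.prefixlen, nat_id) for nat_id, net in cfg.get("regular", []) if src in net]
    if hits:                                      # 3. regular dynamic NAT, best match
        return _apply_global(cfg, max(hits)[1], egress)
    return ("no nat rule", str(src))

MAINSITE, LOCAL = ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")
# The question's config: the exemption ACL keys on the MAPPED host and there are no globals.
ORIGINAL = {
    "exempt": [[(ip_network("192.168.96.5/32"), MAINSITE)]],
    "regular": [(2, LOCAL), (1, ip_network("0.0.0.0/0"))],
    "global": {},
}
# The reply's shape with the inside LAN as the policy source (assumed), PATed to one host.
FIXED = {
    "policy": [(2, [(LOCAL, MAINSITE)])],
    "regular": [(1, ip_network("0.0.0.0/0"))],
    "global": {("outside", 2): "192.168.96.5", ("outside", 1): "interface"},
}

if __name__ == "__main__":
    # 192.168.1.50 is the host from the thread; 10.5.5.5 and 8.8.8.8 are constructed destinations.
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for dst in ("10.5.5.5", "8.8.8.8"):
            print(name, dst, translate(cfg, "192.168.1.50", dst))
```

It shows why the question's flow from 192.168.1.50 to the main site finds no translation group (nat 2 is matched but has no global 2), why the nonat exemption never fires for real inside addresses, and how the policy PAT to 192.168.96.5 resolves it.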

New Member

VPN - Static NAT on VPN

Thanks cflory. One more question. I am using an ASA 5505.

If I am sitting on the main site, how can I access a device on the remote site, 192.168.1.50, which is PATed in the VPN tunnel to 192.168.96.5/32?
