VPN with NAT

I'm sure this question has been asked numerous times, but I want to make sure I understand this correctly before proceeding.

I am setting up a site to site IPSec VPN between two ASAs.

I want to NAT an internal host that my VPN peer's network will be connecting to. So I need to make sure the traffic coming from this internal host is NATted before it enters the VPN tunnel as "interesting traffic".

So let's say remote network 192.168.20.0 /24 is connecting through IPSec VPN tunnel with peers 65.200.1.1 and 198.14.7.10 to host 10.100.1.7 on my network.

I want to NAT host 10.100.1.7 to 192.168.100.5 so the remote network connects to the 192 address, not the 10.

How can I do this?

(I am using an ASA 5505)

9 REPLIES

VPN with NAT

Hello Colin,

What version are you running?

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
VPN with NAT

These will be new firewalls, so the latest and greatest IOS

Re: VPN with NAT

Ok, now let's talk about what you are trying to accomplish:

1- Are you trying to NAT an internal host to a specific IP address on the other side of the VPN, or
2- are you trying to NAT an internal host to the internet before it goes to the VPN tunnel?

If option one is the option, here are the NAT statements for the translation and NAT exemption:

! real and translated address of the internal host
object network object-10.100.1.7
 host 10.100.1.7
object network object-192.168.100.5
 host 192.168.100.5
object network object-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
object network object-10_network
 subnet 10.100.1.0 255.255.255.0
! remote network behind the VPN peer (192.168.20.0/24 in the question)
object network object-192_network
 subnet 192.168.20.0 255.255.255.0
! line 1: translate 10.100.1.7 to 192.168.100.5 only toward the remote network
nat (inside,outside) 1 source static object-10.100.1.7 object-192.168.100.5 destination static object-192_network object-192_network
! line 2: identity NAT (exemption) for the rest of 10.100.1.0/24 toward the remote network
nat (inside,outside) 2 source static object-10_network object-10_network destination static object-192_network object-192_network

Regards,

Julio


VPN with NAT

Let's say I want to NAT an internal host from one private IP to another before sending it through the VPN tunnel.

so

10.100.1.7-->192.168.100.5-----TUNNEL------Remote network

Since the ASA does not support loopback addresses and policy routing, I am not sure how to accomplish this.

Re: VPN with NAT

Please check my last reply:

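If option one is the option, here are the NAT statements for the translation and NAT exemption:

! real and translated address of the internal host
object network object-10.100.1.7
 host 10.100.1.7
object network object-192.168.100.5
 host 192.168.100.5
object network object-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
object network object-10_network
 subnet 10.100.1.0 255.255.255.0
! remote network behind the VPN peer (192.168.20.0/24 in the question)
object network object-192_network
 subnet 192.168.20.0 255.255.255.0
! line 1: translate 10.100.1.7 to 192.168.100.5 only toward the remote network
nat (inside,outside) 1 source static object-10.100.1.7 object-192.168.100.5 destination static object-192_network object-192_network
! line 2: identity NAT (exemption) for the rest of 10.100.1.0/24 toward the remote network
nat (inside,outside) 2 source static object-10_network object-10_network destination static object-192_network object-192_network

Is this what you are looking for?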

Regards,


Re: VPN with NAT

Looks like this might be it. Let me provide a little more detail:

10.100.1.7-->192.168.100.5--TUNNEL (65.200.1.1 to 198.14.7.10)---->63.116.20.1

So then, do we need to replace the destination?...

object network object-63_network
 subnet 63.116.20.0 255.255.255.0
nat (inside,outside) 1 source static object-10.100.1.7 object-192.168.100.5 destination static object-63_network object-63_network

Re: VPN with NAT

Hello Colin,

On the NAT statement for the VPN you should use the private IP addresses; remember that you are going to use it to match the interesting traffic.

Regards,

Julio


Re: VPN with NAT

I guess I am confused about what the "destination" option is here.

Does that tell the ASA to NAT a specific host or network when heading to a specific network? Kind of like a policy route?

Re: VPN with NAT (accepted solution)

Hello Colin,

That is correct, that is one of the great things about the changes on version 8.3 and prior. You can create a policy nat rule in just one line.

Please let me know if you understand this or if there is something else I can do for you.

Please rate helpful post.

Have a great night,

Julio

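An added example, not part of the thread and not Cisco code: a small Python model of how the two ordered NAT lines discussed above interact with a crypto ACL on egress. The rule and ACL names are hypothetical, the remote network is the 192.168.20.0/24 from the question, and the model assumes ordered first-match manual NAT with the crypto ACL (the "interesting traffic" match) evaluated after translation.

```python
import ipaddress as ip
from dataclasses import dataclass

def net(s):
    return ip.ip_network(s)

@dataclass(frozen=True)
class TwiceNat:
    """Model of: nat (inside,outside) source static REAL MAPPED destination static DST DST"""
    real: ip.IPv4Network
    mapped: ip.IPv4Network
    dst: ip.IPv4Network

def translate(rules, src, dst):
    """Return the post-NAT source address; the first matching rule wins."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for r in rules:
        if src in r.real and dst in r.dst:
            offset = int(src) - int(r.real.network_address)
            return ip.ip_address(int(r.mapped.network_address) + offset)
    return src  # no rule matched: the source leaves untranslated

def in_tunnel(crypto_acl, src, dst):
    """The crypto ACL sees the packet after NAT, so src is the translated address."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    return any(src in s and dst in d for s, d in crypto_acl)

def egress(rules, crypto_acl, src, dst):
    """Return (post-NAT source, whether the packet is selected for encryption)."""
    post = translate(rules, src, dst)
    return str(post), in_tunnel(crypto_acl, post, dst)

REMOTE = net("192.168.20.0/24")  # remote network from the question
HOST_RULE = TwiceNat(net("10.100.1.7/32"), net("192.168.100.5/32"), REMOTE)    # line 1
IDENTITY_RULE = TwiceNat(net("10.100.1.0/24"), net("10.100.1.0/24"), REMOTE)  # line 2
ORDERED = [HOST_RULE, IDENTITY_RULE]

# Hypothetical crypto ACLs: one written with the translated address, one with the real one.
ACL_MAPPED = [(net("192.168.100.5/32"), REMOTE)]
ACL_REAL = [(net("10.100.1.7/32"), REMOTE)]

if __name__ == "__main__":
    # Correct order and ACL: the host is translated and selected for the tunnel.
    print(egress(ORDERED, ACL_MAPPED, "10.100.1.7", "192.168.20.10"))
    # ACL written with the real address never matches the translated packet.
    print(egress(ORDERED, ACL_REAL, "10.100.1.7", "192.168.20.10"))
    # Identity rule placed first shadows the host rule, so no translation happens.
    print(egress(ORDERED[::-1], ACL_MAPPED, "10.100.1.7", "192.168.20.10"))
```

On a real ASA the same path can be checked with `packet-tracer` from the inside interface toward a remote-network address.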