https://community.cisco.com/t5/network-security/policy-nat-with-site-to-site-vpn-on-firewall/m-p/2247795#M346739 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Since you are using the 1.1.1.0/24 only for the L2L VPN connection and NAT purposes it doesnt have to be configured on any interface or be routed on any upstream router. Its visible to the remote site through the L2L VPN connection.</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 09 Jul 2013 11:59:37 GMT Jouni Forss 2013-07-09T11:59:37Z https://community.cisco.com/t5/network-security/policy-nat-with-site-to-site-vpn-on-firewall/m-p/2247792#M346715 <P>site 1-10.1.1.0/24 lan range.</P><P></P><P></P><P>site 2- 20.1.1.0/24 lan range.</P><P></P><P></P><P>since site 1 range is getting used at far end policy nat is used below</P><P></P><P></P><P>on site 1</P><P></P><P></P><P>access-list test 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0</P><P></P><P></P><P>nat(inside) 10 access-list test</P><P></P><P></P><P>global(outside) 10 1.1.1.1</P><P></P><P></P><P></P><P></P><P>access-list crypto_map 1.1.1.0&nbsp; 255.255.255.0 20.1.1.0 255.255.255.0-&nbsp; is it correct</P><P></P><P></P><P>access_list nonat 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0-- ( whether 10 range or 1 range needs to be specified)</P><P></P><P></P><P></P><P></P><P>Does the policy nat config is correct ?</P><P></P><P></P><P></P><P></P><P></P><P></P><P>Another thing 1.1.1.0/24 is not assigned to any interface to firewall.</P><P></P><P></P><P>Please assist</P> Tue, 12 Mar 2019 02:09:40 GMT https://community.cisco.com/t5/network-security/policy-nat-with-site-to-site-vpn-on-firewall/m-p/2247792#M346715 prashantrecon 2019-03-12T02:09:40Z https://community.cisco.com/t5/network-security/policy-nat-with-site-to-site-vpn-on-firewall/m-p/2247793#M346723 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>So you want to do Dynamic PAT towards the other site?</P><P></P><P>So the base information is</P><UL><LI>Site A 10.1.1.0/24</LI><LI>Site B 20.1.1.0/24</LI><LI>Site A PAT IP 1.1.1.1</LI></UL><P></P><P>When Site A connects to Site B then Site A should be visible to the Site B with the IP address 1.1.1.1</P><P></P><P>If this is true then the configuration should be (basically your configuration with some corrected typos)</P><P></P><P><STRONG>access-list test permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0</STRONG></P><P></P><P><STRONG>nat(inside) 10 access-list test</STRONG></P><P><STRONG>global(outside) 10 1.1.1.1</STRONG></P><P></P><P></P><P><STRONG>access-list crypto_map permit ip host 1.1.1.1 20.1.1.0 255.255.255.0</STRONG></P><P></P><P>or</P><P></P><P><STRONG>access-list crypto_map permit ip 1.1.1.0&nbsp; 255.255.255.0 20.1.1.0 255.255.255.0</STRONG></P><P></P><P>You dont need any statements in some NONAT/NAT0 ACL since we specifically WANT to NAT the LAN network instead of doing NAT0</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 09 Jul 2013 11:30:10 GMT https://community.cisco.com/t5/network-security/policy-nat-with-site-to-site-vpn-on-firewall/m-p/2247793#M346723 Jouni Forss 2013-07-09T11:30:10Z https://community.cisco.com/t5/network-security/policy-nat-with-site-to-site-vpn-on-firewall/m-p/2247794#M346732 <HTML><HEAD></HEAD><BODY><P>As I am doing pat i donot require nat statement right.</P><P></P><P>what about </P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;"> 1.1.1.0/24 is not assigned to any interface to firewall nor on router.</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Thus it work</P></BODY></HTML> Tue, 09 Jul 2013 11:54:10 GMT https://community.cisco.com/t5/network-security/policy-nat-with-site-to-site-vpn-on-firewall/m-p/2247794#M346732 prashantrecon 2013-07-09T11:54:10Z https://community.cisco.com/t5/network-security/policy-nat-with-site-to-site-vpn-on-firewall/m-p/2247795#M346739 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Since you are using the 1.1.1.0/24 only for the L2L VPN connection and NAT purposes it doesnt have to be configured on any interface or be routed on any upstream router. Its visible to the remote site through the L2L VPN connection.</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 09 Jul 2013 11:59:37 GMT https://community.cisco.com/t5/network-security/policy-nat-with-site-to-site-vpn-on-firewall/m-p/2247795#M346739 Jouni Forss 2013-07-09T11:59:37Z https://community.cisco.com/t5/network-security/policy-nat-with-site-to-site-vpn-on-firewall/m-p/2247796#M346745 <HTML><HEAD></HEAD><BODY><P>Thanks that clears the doubt.</P><P></P><P>So i Can use any ip not mandatory to use public ip .</P></BODY></HTML> Tue, 09 Jul 2013 12:53:32 GMT https://community.cisco.com/t5/network-security/policy-nat-with-site-to-site-vpn-on-firewall/m-p/2247796#M346745 prashantrecon 2013-07-09T12:53:32Z