https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754949#M530580 <HTML><HEAD></HEAD><BODY><P>Hi!</P><P></P><P>The VPN tunnel is passing traffic successfully already, so I believe that crypto map ACL is correctly set up. However it is just not natting the source address properly. The other side is seeing my address of 10.10.1.x instead of 192.168.42.1. is the ACL as listed above set up incorrectly?</P><P></P><P>Thanks for your help.</P></BODY></HTML> Sat, 17 Sep 2011 14:58:09 GMT russgunther 2011-09-17T14:58:09Z https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754945#M530576 <P>I have an ASA 5505 with a tunnel to a third party network. The tunnel connection comes up fine but I can't get the NAT to work. They are requiring that I send them a specific IP address as the source IP. Here are the specifics:</P><P></P><P>Source Network: 10.10.1.0/24</P><P>Destination Hosts: 172.16.1.171 and 172.16.1.172</P><P>NAT IP: 192.168.42.1</P><P></P><P>If I disable NAT I can get through the tunnel but the admin sees me coming through as 10.10.1.x If I enable NAT I can't hit the tunnel at all.</P><P></P><P>object-group network DM_INLINE_NETWORK_1</P><P> network-object host 172.16.1.171</P><P> network-object host 172.16.1.172</P><P>access-list inside_access_in extended permit ip 10.10.1.0 255.255.255.0 172.16.1.168 255.255.255.248 log debugging </P><P>access-list inside_access_in extended permit ip any any </P><P>access-list split-tunnel standard permit 10.10.1.0 255.255.255.0 </P><P>access-list outside_nat_static_1 extended permit ip host 172.168.1.172 host 192.168.42.1 </P><P>access-list outside_nat_static_1 extended permit ip host 172.168.1.171 host 192.168.42.1 </P><P>access-list inside_nat_static extended permit ip 10.10.1.0 255.255.255.0 172.168.1.168 255.255.255.248 </P><P>access-list outside_2_cryptomap extended permit ip 10.10.1.0 255.255.255.0 172.16.1.168 255.255.255.248 </P><P>access-list inside_nat_static_1 extended permit ip 10.10.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 </P><P></P><P></P><P>global (outside) 3 192.168.42.1</P><P>nat (inside) 3 access-list inside_nat_static_1</P><P>access-group inside_access_in in interface inside</P><P></P><P>Am I just missing something?</P> Mon, 11 Mar 2019 21:26:08 GMT https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754945#M530576 russgunther 2019-03-11T21:26:08Z https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754946#M530577 <HTML><HEAD></HEAD><BODY><P>Hello Russ Gunther,</P><P></P><P>If I understand the interesting traffic is going to be between 10.10.1.0&nbsp; going to 172.16.1.171 and 172.16.1.172</P><P>Would you mind to try this:</P><P></P><P>static (inside,outside) 192.168.42.1 access-list inside_nat_static_1</P><P></P><P>Try this and let me know if it helps you</P><P></P><P>Best Regards,</P><P></P><P>Julio</P></BODY></HTML> Fri, 16 Sep 2011 22:38:28 GMT https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754946#M530577 Julio Carvajal 2011-09-16T22:38:28Z https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754947#M530578 <HTML><HEAD></HEAD><BODY><P id="yui_3_2_0_27_131604165491348" style="font-family: arial, helvetica, sans-serif; font-size: 12pt;">Hi Julio,</P><P id="yui_3_2_0_27_131604165491348" style="font-family: arial, helvetica, sans-serif; font-size: 12pt;"><BR id="yui_3_2_0_27_1316041654913138" /></P><P id="yui_3_2_0_27_131604165491348"><SPAN style="font-size: 12pt;">I cannot apply that command. I receive a "</SPAN>global address overlaps with mask error".</P><P></P><P>Regards,</P><P>Russ</P></BODY></HTML> Sat, 17 Sep 2011 13:39:44 GMT https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754947#M530578 russgunther 2011-09-17T13:39:44Z https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754948#M530579 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>just change the crypto map ACL to specify interesting traffic coming from natted address. But they'll have to do the same mirrored ACL on the other side.</P><P></P><P></P><P>Regards.</P><P></P><P></P><P>Alain.</P></BODY></HTML> Sat, 17 Sep 2011 14:19:13 GMT https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754948#M530579 cadet alain 2011-09-17T14:19:13Z https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754949#M530580 <HTML><HEAD></HEAD><BODY><P>Hi!</P><P></P><P>The VPN tunnel is passing traffic successfully already, so I believe that crypto map ACL is correctly set up. However it is just not natting the source address properly. The other side is seeing my address of 10.10.1.x instead of 192.168.42.1. is the ACL as listed above set up incorrectly?</P><P></P><P>Thanks for your help.</P></BODY></HTML> Sat, 17 Sep 2011 14:58:09 GMT https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754949#M530580 russgunther 2011-09-17T14:58:09Z https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754950#M530581 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>if you want to NAT when doing a VPN tunnel then you must make the natted traffic the interesting traffic that will bring up the tunnel and get transported over it.So in your crypto ACL you must specify src IP as the natted one not the original one.That's the way I think it should be done.</P><P></P><P>Regards.</P><P></P><P></P><P>Alain</P></BODY></HTML> Sat, 17 Sep 2011 18:11:13 GMT https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754950#M530581 cadet alain 2011-09-17T18:11:13Z https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754951#M530582 <HTML><HEAD></HEAD><BODY><P>Hi again Russ,</P><P></P><P>Take a look at this VPN configuration example, this is going to show you what to do </P><P></P><P><A href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml</A></P><P></P><P></P><P>That is exactly what you got to do.</P><P>As you can see on this document they want to nat the inside source when it goes to the VPN Tunnel, so it is the same scenario.</P><P>I thinked you did not remove the previous commands, that is why the command I sent you was not allowed by the ASA CLI.</P><P></P><P>Please let me know if you have any questions regarding this document, I will be more than glad to help you</P><P></P><P>Best Regards,</P><P></P><P></P><P>Julio</P></BODY></HTML> Sat, 17 Sep 2011 22:20:13 GMT https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754951#M530582 Julio Carvajal 2011-09-17T22:20:13Z https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754952#M530583 <HTML><HEAD></HEAD><BODY><P>Julio,</P><P></P><P>You are correct. I had conflicting commands. I removed all the entries relating to this tunnel from my config and started fresh with the link you provided and everything came up perfectly.</P><P></P><P>Thank you for your help and support.</P><P>Russ</P></BODY></HTML> Mon, 19 Sep 2011 13:42:11 GMT https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754952#M530583 russgunther 2011-09-19T13:42:11Z https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754953#M530584 <HTML><HEAD></HEAD><BODY><P>Hello Russ,</P><P></P><P>I am glad that everything is working fine now. If you have any other question related to this issue please let me know otherwise please mark the question as answered.</P><P></P><P>Have a great day,</P><P></P><P>Julio</P></BODY></HTML> Mon, 19 Sep 2011 16:45:23 GMT https://community.cisco.com/t5/network-security/setting-up-nat-on-vpn-tunnel/m-p/1754953#M530584 Julio Carvajal 2011-09-19T16:45:23Z