NAT a subnet to another subnet

Neji Jihed
Level 1

Hi All,

I have a Cisco ASA 5510 configured as the gateway for my network. The problem is that I want to create a new subnet for my network, and I have a VPN tunnel established to the headquarters. The objective is to create a subnet and NAT it to the already configured subnet through the tunnel. Is this possible? Until now I have been able to create a subnet and make it go to the Internet, but I have tried a lot to make it go through the tunnel and it's not working. Has anyone faced such a problem before?

Thanks for your help,

Cordially

7 Replies

Maykol Rojas
Cisco Employee

Hello,

It really depends on the type of tunnel that you have. I am assuming that you have an IPsec tunnel; however, this would require changes on both devices, the headend device (the one that terminates the tunnel at HQ) and the local one.

Mainly there should be a crypto ACL to which you need to add the new subnet, and on the headend there should be the same ACL but mirrored; what you need to do is configure the new statement in that ACL. Something like this:

Your end:

    access-list crypto permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0

On the other end:

    access-list crypto permit ip y.y.y.y 255.255.255.0 x.x.x.x 255.255.255.0

Of course this ACL is tied to a crypto map that contains the parameters to encrypt the traffic and so on; your job is to find that ACL and add the missing statement.

Mike
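An added check for the mirroring requirement described in the reply above: the headend's crypto ACL must contain every local statement with source and destination swapped, and a statement that exists on only one side will build a Phase 2 proposal the peer rejects. This is example code written for this page, not Cisco's and not the poster's. The two ACLs are constructed samples that use made-up networks (10.10.10.0/24 and 172.16.10.0/24 locally, 192.168.10.0/24 at HQ), and only the plain network/mask form of a `permit ip` entry is parsed; `host`, `any` and `object-group` entries are rejected on purpose so that nothing is silently skipped.

```python
"""Check that two ASA crypto ACLs are mirror images of each other."""
import ipaddress
import re

# Constructed sample ACLs (not from the thread): the local side already has the
# new subnet 172.16.10.0/24; the headend still has only the original pair.
LOCAL_CRYPTO_ACL = """
access-list crypto remark L2L to HQ
access-list crypto extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list crypto extended permit ip 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0
"""
HQ_CRYPTO_ACL = """
access-list crypto extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
"""

# permit-ip ACE in the plain "network mask network mask" form; 'extended' is optional.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)$"
)


def parse_crypto_acl(text):
    """Return {(src_net, dst_net)} for every permit-ip ACE in the text.

    Remarks are skipped.  Anything the regex does not understand (host, any,
    object-group) raises instead of being ignored: a skipped ACE would hide
    exactly the mismatch this check is meant to find."""
    pairs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or " remark " in line:
            continue
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported ACE: {line}")
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}")
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}")
        pairs.add((src, dst))
    return pairs


def render_ace(name, src, dst):
    """Render a (src, dst) pair back into ASA syntax, ready to paste on the peer."""
    return (f"access-list {name} extended permit ip "
            f"{src.network_address} {src.netmask} {dst.network_address} {dst.netmask}")


def mirror_check(local_text, peer_text, local_name="crypto", peer_name="crypto"):
    """Return (missing_on_peer, missing_on_local) so that peer == mirror(local)."""
    local = parse_crypto_acl(local_text)
    peer = parse_crypto_acl(peer_text)
    mirrored_local = {(d, s) for s, d in local}
    missing_on_peer = sorted(render_ace(peer_name, s, d) for s, d in mirrored_local - peer)
    missing_on_local = sorted(render_ace(local_name, d, s) for s, d in peer - mirrored_local)
    return missing_on_peer, missing_on_local


if __name__ == "__main__":
    peer_missing, local_missing = mirror_check(LOCAL_CRYPTO_ACL, HQ_CRYPTO_ACL)
    print("add on HQ:", *peer_missing, sep="\n  ")
    print("add locally:", *local_missing, sep="\n  ")
```

With the sample input the script reports one statement to add at HQ (192.168.10.0/24 to 172.16.10.0/24) and nothing to add locally, which is exactly the "mirrored" statement the reply asks for. Feed it the output of `show run access-list <name>` from both boxes to check a real pair.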

Mike

Thanks for your reply. The problem is that I want to configure only one side of the tunnel, my side. And yes, you are right, it's an IPsec tunnel. Is there a way to do this?

Hi,

So are you saying that you have one existing subnet on your LAN and you have added another subnet on your LAN? And this new subnet should be able to use the existing L2L VPN while using the original subnet's address space?

You should be able, for example, to pick out some free/unused IP address in the original subnet (configured on the L2L VPN as your source) and configure a Dynamic Policy PAT for your new subnet's users when they are connecting to the remote networks behind the L2L VPN. This way they would be PATed to an IP address that is part of the current L2L VPN configuration, and their traffic should be tunneled into the L2L VPN just fine.

Naturally, as we are talking about a PAT translation, this would only enable your side initiating connections to the central site and NOT vice versa. For the central site to be able to connect to your site you would have to configure Static Policy NAT for the hosts that need to be contacted from the central site.

The best practice would be to modify the L2L VPN crypto ACLs rather than create special configurations. Naturally the special configurations mentioned above negate the need to modify the VPN configurations, which people usually choose when they are forced to.

We can't really provide you with the exact NAT configurations needed, as we have no idea of your ASA software level, not to mention its current L2L VPN, interface and NAT configurations (and possible ACL/object configurations related to the aforementioned configurations).

- Jouni

Hi again. Well, it seems logical to me: doing PAT on my site and static NAT on the other side, is that what you mean?

Well, I have an ASA 5510 running 8.2(2), managed by ASDM 6.3(1).

My need is to have the configuration on only my side.

Thanks a lot

Hi,

I would imagine that currently you have NAT0 configured on both of the sites.

If your aim is to add a new subnet with the help of Dynamic Policy PAT to the existing L2L VPN without touching any L2L VPN related configuration on either your side or the central site, then it should be possible.

As I said, you have to choose an IP address from the existing subnet that is configured on the L2L VPN on your side. Choose an IP address that is not in use on any host or network device and dedicate it to this Dynamic Policy PAT use only, just to be on the safe side.

Then you could start building the Dynamic Policy PAT rule.

You still didn't mention your actual networks, interfaces and configurations, so I will have to give you an example configuration using made-up networks:

  • Current LAN subnet 10.10.10.0/24
  • Current REMOTE subnet 192.168.10.0/24
  • New LAN subnet 172.16.10.0/24 (the one that needs access to the L2L VPN)
  • Current LAN IP reserved for Dynamic Policy PAT use: 10.10.10.254
  • Local firewall's interface names "inside" and "outside" (the new subnet might also be located behind a different interface than "inside")

    access-list L2LVPN-POLICY-PAT remark Dynamic Policy PAT rule for new subnet
    access-list L2LVPN-POLICY-PAT permit ip 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0
    global (outside) 254 10.10.10.254
    nat (inside) 254 access-list L2LVPN-POLICY-PAT

The above configuration would tell the ASA the following:

  • When the new subnet 172.16.10.0/24 tries to connect to the remote central site, apply the Dynamic Policy PAT to IP address 10.10.10.254
  • After this Dynamic Policy PAT is performed, the ASA will notice that this traffic should be tunneled according to its (PATed) source address and destination address

I have to say again that without seeing your current configurations it's impossible for me to take everything into consideration.

This should work, however, as I have suggested the same approach to others posting here on the CSC.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Hi Jouni,

I have been building a lab for this configuration using GNS3. I made a VPN tunnel between two Cisco ASA 5510s (ping OK, tunnel is up), then I made a new subnet and configured routing and NAT for the new subnet; tests locally are OK. Then I tried to NAT the new subnet as you mentioned before, but I can't figure out what's wrong with my configuration; it seems that something is missing. Here's a summary of the lab:

Site 1: private address 10.241.105.0/25, private new subnet 172.20.50.0/24

Site 2: private address 192.168.1.0/24

Tunnel is up.

What I have done is add the new subnet 172.20.50.0/24 to the VPN tunnel on both sides. I then used Packet Tracer to figure out that packets from 172.20.50.0/24 were being translated to the outside interface and not going through the tunnel, so I added a NAT exempt rule on both sides and, oops, everything is OK. Good news, right?

But that's not what I'm looking for!

I will be pasting the two configurations below. I'm also looking for a way to post an image; I can't figure out how to do that in the forum (feeling stupid). I hope to find it.

Here's my mail address: jihed.neji@gmail.com. Would you please mail me the right configuration? This is very important for me, since it's a challenge I have to take in order to join an IT leading team in my corporation (Level 3 support), my dream for 3 years.

###############################################################################################

Cisco ASA 5510, Site 1

    : Saved
    : Written by enable_15 at 00:33:55.172 UTC Tue Nov 30 1999
    !
    ASA Version 8.0(2)
    !
    hostname ASA1
    domain-name jihed.com
    enable password TyjfM4B9RGk0QSqu encrypted
    names
    !
    interface Ethernet0/0
     description ### Connected to LAN ###
     nameif inside
     security-level 100
     ip address 10.241.105.1 255.255.255.128
    !
    interface Ethernet0/1
     description ### Connected to Outside LAN VPN Tunnel ###
     nameif outside
     security-level 0
     ip address 41.224.46.2 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    banner exec Welcome Admin Have a Nice Day
    banner login Welcome Admin Have a Nice Day
    banner motd Welcome Admin Have a Nice Day
    boot config disk0:/.private/startup-config
    ftp mode passive
    dns server-group DefaultDNS
     domain-name jihed.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    ! The new subnet was added here, so it is part of the crypto ACL on both sites
    object-group network DM_INLINE_NETWORK_1
     network-object 10.241.105.0 255.255.255.128
     network-object 172.20.50.0 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any
    access-list inside_nat_outbound extended permit ip 10.241.105.0 255.255.255.128 any
    access-list 197.22.47.2_splitTunnelAcl standard permit 10.241.105.0 255.255.255.128
    ! NAT exemption (nat 0) is evaluated before any policy or dynamic NAT rule
    access-list inside_nat0_outbound extended permit ip 10.241.105.0 255.255.255.128 10.241.105.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip 10.241.105.0 255.255.255.128 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.241.105.0 255.255.255.128 172.20.50.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.20.50.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 41.224.46.2_splitTunnelAcl standard permit 10.241.105.0 255.255.255.128
    access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    no logging message 402128
    mtu inside 1500
    mtu outside 1500
    ip local pool Remote_Access 10.241.105.6-10.241.105.10 mask 255.255.255.128
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (inside) 2 10.241.105.12 netmask 255.255.255.128
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 access-list inside_nat_outbound
    nat (inside) 1 10.241.105.0 255.255.255.128
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 41.224.46.1 1
    ! Note: the next hop below is this ASA's own inside address; the gateway for the
    ! new subnet should be the inside router that actually reaches 172.20.50.0/24
    route inside 172.20.50.0 255.255.255.0 10.241.105.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 10.241.105.0 255.255.255.128 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 197.22.47.2
    crypto map outside_map 1 set transform-set ESP-DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet 10.241.105.0 255.255.255.128 inside
    telnet timeout 1440
    ssh 10.241.105.0 255.255.255.128 inside
    ssh 172.10.1.0 255.255.255.0 outside
    ssh timeout 60
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    group-policy 41.224.46.2 internal
    group-policy 41.224.46.2 attributes
     wins-server value 8.8.8.8 8.8.8.8
     dns-server value 8.8.8.8 8.8.8.8
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value 41.224.46.2_splitTunnelAcl
     default-domain value jihedlab.com
    group-policy 41.224.46.2_1 internal
    group-policy 41.224.46.2_1 attributes
     wins-server value 8.8.8.8 8.8.8.8
     dns-server value 8.8.8.8 8.8.8.8
     vpn-tunnel-protocol IPSec
     default-domain value jihed.com
    group-policy 197.22.47.2 internal
    group-policy 197.22.47.2 attributes
     wins-server value 8.8.8.8 8.8.8.8
     dns-server value 8.8.8.8 8.8.8.8
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value 197.22.47.2_splitTunnelAcl
     default-domain value jihed.com
    username jihed password gUiCqYVlWOugRmug encrypted privilege 15
    username jneji password Ae.gIIaVTgmxpFgx encrypted privilege 0
    username jneji attributes
     vpn-group-policy 197.22.47.2
    tunnel-group 41.224.46.2 type remote-access
    tunnel-group 41.224.46.2 general-attributes
     address-pool Remote_Access
     default-group-policy 41.224.46.2_1
    tunnel-group 41.224.46.2 ipsec-attributes
     pre-shared-key jihed
    tunnel-group 197.22.47.2 type ipsec-l2l
    tunnel-group 197.22.47.2 ipsec-attributes
     pre-shared-key jihed
    prompt hostname context
    Cryptochecksum:27224fc34af0663282057f5cd4f7e932
    : end

################################################################################################

Cisco ASA 5510, Site 2

    : Saved
    : Written by enable_15 at 01:53:32.677 UTC Tue Nov 30 1999
    !
    ASA Version 8.0(2)
    !
    hostname ASA2
    domain-name jihed.com
    enable password TyjfM4B9RGk0QSqu encrypted
    names
    !
    interface Ethernet0/0
     description ### Connected to LAN ###
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/1
     description ### Connected to Outside Interface VPN Tunnel ###
     nameif outside
     security-level 0
     ip address 197.22.47.2 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    banner exec Welcome Admin Have a Nice Day
    banner login Welcome Admin Have a Nice Day
    banner motd Welcome Admin Have a Nice Day
    boot config disk0:/.private/startup-config
    ftp mode passive
    dns server-group DefaultDNS
     domain-name jihed.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    ! Mirror of the site 1 object-group: the new subnet is in the headend crypto ACL too
    object-group network DM_INLINE_NETWORK_1
     network-object 10.241.105.0 255.255.255.128
     network-object 172.20.50.0 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any
    access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 any
    access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.20.50.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.241.105.0 255.255.255.128
    pager lines 24
    logging enable
    logging asdm informational
    no logging message 402128
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 access-list inside_nat_outbound
    nat (inside) 1 192.168.1.0 255.255.255.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 197.22.47.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 41.224.46.2
    crypto map outside_map 1 set transform-set ESP-DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 1440
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    username jihed password gUiCqYVlWOugRmug encrypted privilege 15
    tunnel-group 41.224.46.2 type ipsec-l2l
    tunnel-group 41.224.46.2 ipsec-attributes
     pre-shared-key jihed
    prompt hostname context
    Cryptochecksum:4db675e1167a33bf5d9dfae0c74da193
    : end

##################################################################################################

Thanks a lot

Hi,

Initially you said that you wanted to configure it so that only the configuration on one site would be changed, because you were adding a new network and didn't want to touch the L2L VPN settings or the settings on the central site?

However, your above configurations don't in any way reflect that situation:

  • You have added the new network to the L2L VPN configurations on both sites, which essentially was something that you absolutely wanted to avoid
  • You have configured NAT0 for these networks. NAT0 overrides ANY other NAT configuration on your firewall, so no Dynamic Policy PAT that I suggest would ever be applied to the traffic, because of the order in which NAT is applied
  • You have not used the suggested configurations in your above test setup at all. Though as I said above, if you had NAT0 configured between the local and remote network it wouldn't really matter, as NAT0 always takes priority over the other NAT configurations.

So I would suggest reverting the configurations of the ASAs to the original setup, where you only have a single network configured on the L2L VPN between the sites, and then using the Dynamic Policy PAT on the other site as the only configuration needed to enable it to be tunneled into the L2L VPN.

- Jouni
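A small model of the NAT ordering that the Dynamic Policy PAT example and the reply above rely on (NAT exemption first, then policy NAT, then regular dynamic NAT, with the crypto ACL matched against the source address after translation). This is an added example written for this page; it is not ASA code and not the poster's. It assumes the made-up networks from the example reply (10.10.10.0/24, 172.16.10.0/24, 192.168.10.0/24), an outside interface address of 203.0.113.2 chosen for the example, nat-control enabled (as in the posted lab config, so an untranslated flow is dropped), static NAT left out of the model, and the ASA 8.2 behaviour of applying NAT before the crypto map so that the crypto ACL sees the PATed source.

```python
"""Model of ASA 8.2-style outbound NAT ordering feeding the crypto-map check."""
import ipaddress
from dataclasses import dataclass


def net(s):
    return ipaddress.ip_network(s)


@dataclass(frozen=True)
class Ace:
    """One 'permit ip SRC DST' entry of an ACL used by nat 0, policy NAT or a crypto map."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, s, d):
        return s in self.src and d in self.dst


@dataclass
class Asa82Nat:
    """Outbound (inside -> outside) NAT on ASA 8.2, in the order the box applies it:
       1. nat 0 access-list  (NAT exemption; wins over everything else)
       2. nat ID access-list (dynamic policy NAT/PAT)
       3. nat ID net mask    (regular dynamic NAT/PAT)
       Static NAT (normally evaluated between 1 and 2) is left out of this model."""
    exempt: list        # [Ace]
    policy: list        # [(nat_id, Ace)]
    regular: list       # [(nat_id, IPv4Network)]
    globals: dict       # nat_id -> single global address, i.e. PAT
    crypto_acl: list    # [Ace]; evaluated against the *translated* source

    def translate(self, src, dst):
        for ace in self.exempt:
            if ace.matches(src, dst):
                return src, "nat0 exemption"
        for nat_id, ace in self.policy:
            if ace.matches(src, dst):
                return self.globals[nat_id], f"dynamic policy PAT id {nat_id}"
        for nat_id, pool in self.regular:
            if src in pool:
                return self.globals[nat_id], f"dynamic PAT id {nat_id}"
        return None, "no translation"

    def forward(self, src, dst):
        """Return (nat_rule_used, 'tunnel' | 'clear' | 'dropped') for one flow."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        xlated, rule = self.translate(src, dst)
        if xlated is None:
            return rule, "dropped"        # nat-control on (assumption): no xlate, no forwarding
        tunneled = any(a.matches(xlated, dst) for a in self.crypto_acl)
        return rule, "tunnel" if tunneled else "clear"


OUTSIDE_IP = ipaddress.ip_address("203.0.113.2")   # assumed outside interface address


def suggested_config():
    """Only the local side changes: policy PAT of the new subnet to 10.10.10.254."""
    return Asa82Nat(
        exempt=[Ace(net("10.10.10.0/24"), net("192.168.10.0/24"))],       # existing nat0 for the original LAN
        policy=[(254, Ace(net("172.16.10.0/24"), net("192.168.10.0/24")))],
        regular=[(1, net("10.10.10.0/24")), (1, net("172.16.10.0/24"))],  # Internet PAT to the outside interface
        globals={254: ipaddress.ip_address("10.10.10.254"), 1: OUTSIDE_IP},
        crypto_acl=[Ace(net("10.10.10.0/24"), net("192.168.10.0/24"))],   # untouched on both peers
    )


def lab_config():
    """The lab's mistake: a nat0 entry for the new subnet, so the policy PAT is never reached."""
    asa = suggested_config()
    asa.exempt.append(Ace(net("172.16.10.0/24"), net("192.168.10.0/24")))
    return asa


if __name__ == "__main__":
    for label, asa in (("suggested", suggested_config()), ("lab", lab_config())):
        for src, dst in (("172.16.10.5", "192.168.10.7"), ("172.16.10.5", "198.51.100.9"),
                         ("10.10.10.5", "192.168.10.7")):
            print(f"{label:9} {src} -> {dst}: {asa.forward(src, dst)}")
```

With the suggested configuration a new-subnet host reaching the central site is translated to 10.10.10.254 and matches the unchanged crypto ACL, while the same host reaching the Internet falls through to the outside-interface PAT. With the lab configuration the NAT-exempt entry is hit first, the packet keeps its 172.16.10.5 source, matches no crypto ACL entry and is routed out in the clear toward the default gateway instead of into the tunnel; that is the order-of-operations point the reply makes, and also why a nat0 entry without a matching crypto ACL entry is worth checking for on any ASA.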
