Beginner

Source NAT Translation in ASA 7.x - Trouble configuring.

Hey guys..  having issues taking my current knowledge and applying it to an old ASA running 7.x.

Basically I want to perform the following:

- Any traffic sourced from 192.168.1.0/24
- Destined for 10.100.90.0/24 (over an established VPN tunnel)
- Needs to be sourced from a specific address/Proxy ID (1.2.3.4)
- Translated destination is the original address

How on earth do we do this in ASA 7.x?

Thanks much for any help

7 Replies
Rising star

Hi Deve,

It is easy as eating a piece of cake, no biggy.  All you need is a dynamic policy-nat.

access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.100.90.0 255.255.255.0

global (outside) 2 1.2.3.4
nat (inside) 2 policy-nat

Now you incorporate IP: 1.2.3.4 into the vpn-tunnel.

Hope that helps.

Thanks

Rizwan Rafeek.

[Accepted solution]

Beginner

Awesome, I figured it was more difficult than that.  I had more config planned than this, but I already basically have this in what I drafted.

One more question..  I'm creating separate ACLs for interesting traffic for the VPN.  Those are being referenced in the Crypto and ISAKMP config.

The above is just the NAT, and won't have anything to do with the tunnel, correct?

Rising star

"The above is just the NAT, and won't have anything to do with the tunnel, correct?"

You use the natted IP address 1.2.3.4 in the crypto ACL, and there is no need for nat-exemption for IP 1.2.3.4.  On the other end of the tunnel, they see the traffic as if it is initiated from this IP address, 1.2.3.4, and they must include this IP address 1.2.3.4 in their encryption domain.

Hope that answers your question.

thanks

Beginner

I think so..   thanks again!  

Beginner

Still can't get this working for some reason.  For the sake of getting this up quickly, I'll post the real config...  anything?

global (outsidesw1) 215 192.235.87.15
nat (insidesw1) 215 access-list policy-nat

access-list InfoHedge extended permit ip 172.16.212.0 255.255.255.0 10.100.90.0 255.255.255.0
access-list policy-nat extended permit ip 172.16.212.0 255.255.255.0 10.100.90.0 255.255.255.0

crypto ipsec transform-set InfoHedge esp-3des esp-none

crypto map L2L_VPN 3 match address InfoHedge
crypto map L2L_VPN 3 set pfs
crypto map L2L_VPN 3 set peer 74.220.80.15
crypto map L2L_VPN 3 set transform-set InfoHedge
crypto map L2L_VPN interface outsidesw1

isakmp identity address
isakmp enable outsidesw1

isakmp policy 215 authentication pre-share
isakmp policy 215 encryption 3des
isakmp policy 215 hash sha
isakmp policy 215 group 2
isakmp policy 215 lifetime 86400

tunnel-group 74.220.80.15 type ipsec-l2l
tunnel-group 74.220.80.15 ipsec-attributes
 pre-shared-key ****

Rising star

Hello Dave,

First copy this line.

access-list InfoHedge extended permit ip host 192.235.87.15 10.100.90.0 255.255.255.0

Second remove this line.

no access-list InfoHedge extended permit ip 172.16.212.0 255.255.255.0 10.100.90.0 255.255.255.0

Let me know, if that helps.

Thanks

[Accepted solution]
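An added check, not part of this thread and not a Cisco tool: a short Python lint over the config lines posted above that flags the exact mismatch this reply corrects, a crypto map ACL whose source is still the pre-NAT inside subnet instead of the address given in the matching `global` statement (policy NAT runs before the crypto ACL is evaluated, so the tunnel never matches). The function names, regexes and the embedded config sample are my own construction.

```python
import re
from ipaddress import ip_network

# Constructed sample: the poster's config with the crypto ACL still matching the
# pre-NAT subnet, and the same config after the accepted fix (host 192.235.87.15).
ORIGINAL_CONFIG = """
global (outsidesw1) 215 192.235.87.15
nat (insidesw1) 215 access-list policy-nat
access-list InfoHedge extended permit ip 172.16.212.0 255.255.255.0 10.100.90.0 255.255.255.0
access-list policy-nat extended permit ip 172.16.212.0 255.255.255.0 10.100.90.0 255.255.255.0
crypto map L2L_VPN 3 match address InfoHedge
"""
FIXED_CONFIG = ORIGINAL_CONFIG.replace("InfoHedge extended permit ip 172.16.212.0 255.255.255.0",
                                       "InfoHedge extended permit ip host 192.235.87.15")

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")

def parse_endpoints(rest):
    """'host A B MASK' or 'A MASK B MASK' -> (src_net, dst_net)."""
    toks, nets = rest.split(), []
    while toks:
        nets.append(ip_network(f"{toks[1]}/32" if toks[0] == "host" else f"{toks[0]}/{toks[1]}"))
        toks = toks[2:]
    return nets[0], nets[1]

def check_policy_nat_vpn(config):
    """Flag crypto ACL entries whose source is the pre-NAT subnet, not the global IP."""
    acls, globals_by_id, nat_acls, crypto_acls = {}, {}, {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(parse_endpoints(m.group(2)))
        elif m := GLOBAL_RE.match(line):
            globals_by_id[m.group(2)] = ip_network(f"{m.group(3)}/32")   # translated address
        elif m := NAT_RE.match(line):
            nat_acls[m.group(3)] = m.group(2)                               # ACL name -> nat id
        elif m := CRYPTO_RE.match(line):
            crypto_acls.add(m.group(3))
    findings = []
    for nat_acl, nat_id in nat_acls.items():
        translated = globals_by_id.get(nat_id)
        for _src, nat_dst in acls.get(nat_acl, []):
            for name in crypto_acls:
                for csrc, cdst in acls.get(name, []):
                    # traffic is already NAT'd when the crypto ACL sees it
                    if cdst.overlaps(nat_dst) and csrc != translated:
                        findings.append(f"{name}: source {csrc} should be {translated}")
    return findings
```

Running it on the posted config reports the InfoHedge entry; on the corrected config it reports nothing.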

Beginner

Yes, that did it.

Thanks again!
