02-24-2015 10:36 AM - edited 03-11-2019 10:33 PM
Hey guys.. having issues taking my current knowledge and applying it to an old ASA running 7.x.
Basically I want to perform the following:
- Any Traffic sourced from 192.168.1.0/24
- Destined for 10.100.90.0/24 (Over an established VPN Tunnel)
- Needs to be sourced from a specific address/ProxyID (1.2.3.4)
Translated destination is Original Address
How on earth do we do this in ASA 7.x?
Thanks much for any help
02-24-2015 10:51 AM
Hi Deve,
It is as easy as eating a piece of cake, no biggy. All you need is a dynamic policy-nat.
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.100.90.0 255.255.255.0
global (outside) 2 1.2.3.4
nat (inside) 2 access-list policy-nat
Now you incorporate IP: 1.2.3.4 into the vpn-tunnel.
Hope that helps.
Thanks
Rizwan Rafeek.
02-24-2015 10:57 AM
Awesome, I figured it was more difficult than that. I had more config planned than this, but I already basically have this in what I drafted.
One more question.. I'm creating separate ACLs for interesting traffic for the VPN. Those are being referenced in the Crypto and ISAKMP config.
The above is just the NAT, and won't have anything to do with the tunnel, correct?
02-24-2015 11:28 AM
"The above is just the NAT, and won't have anything to do with the tunnel, correct?"
You use the natted IP address 1.2.3.4 in the crypto ACL, and there is no need for nat-exemption for IP 1.2.3.4. On the other end of the tunnel, they see the traffic as if it were initiated from IP address 1.2.3.4, so they must include this IP address 1.2.3.4 in their encryption domain.
Hope that answers your question.
thanks
02-24-2015 12:59 PM
I think so.. thanks again!
02-25-2015 09:00 AM
Still can't get this working for some reason. For the sake of getting this up quickly, I'll post the real config... anything?
global (outsidesw1) 215 192.235.87.15
nat (insidesw1) 215 access-list policy-nat
access-list InfoHedge extended permit ip 172.16.212.0 255.255.255.0 10.100.90.0 255.255.255.0
access-list policy-nat extended permit ip 172.16.212.0 255.255.255.0 10.100.90.0 255.255.255.0
crypto ipsec transform-set InfoHedge esp-3des esp-none
crypto map L2L_VPN 3 match address InfoHedge
crypto map L2L_VPN 3 set pfs
crypto map L2L_VPN 3 set peer 74.220.80.15
crypto map L2L_VPN 3 set transform-set InfoHedge
crypto map L2L_VPN interface outsidesw1
isakmp identity address
isakmp enable outsidesw1
isakmp policy 215 authentication pre-share
isakmp policy 215 encryption 3des
isakmp policy 215 hash sha
isakmp policy 215 group 2
isakmp policy 215 lifetime 86400
tunnel-group 74.220.80.15 type ipsec-l2l
tunnel-group 74.220.80.15 ipsec-attributes
pre-shared-key ****
02-25-2015 02:47 PM
Hello Dave,
First copy this line.
access-list InfoHedge extended permit ip host 192.235.87.15 10.100.90.0 255.255.255.0
Second remove this line.
no access-list InfoHedge extended permit ip 172.16.212.0 255.255.255.0 10.100.90.0 255.255.255.0
Let me know, if that helps.
Thanks
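As an added illustration (not from the thread or from Cisco), here is a small Python model of why the crypto ACL had to change: policy NAT rewrites the source before the crypto map is evaluated, so the peer-facing source is 192.235.87.15 and only an ACL written for that address selects the flow for encryption. The addresses and ACL entries are the ones posted above; the NAT-before-crypto-map ordering is the assumption the accepted answer relies on.

```python
from ipaddress import ip_address, ip_network

# Constructed model (added example, not the poster's or Cisco's code) of the
# ASA 7.x order of operations behind the fix: policy NAT rewrites the source
# first, then the crypto map ACL is evaluated against the *translated* packet.
# Addresses and ACL contents are the ones posted in the thread.

def net(addr, mask="255.255.255.255"):
    """Build a network from dotted address and mask (ACL 'host' == /32)."""
    return ip_network(f"{addr}/{mask}", strict=False)

# access-list policy-nat + global (outsidesw1) 215 192.235.87.15 + nat (insidesw1) 215
POLICY_NAT = [
    (net("172.16.212.0", "255.255.255.0"), net("10.100.90.0", "255.255.255.0"),
     ip_address("192.235.87.15")),
]

# Crypto ACL as originally posted: written for the pre-NAT source.
CRYPTO_ACL_ORIGINAL = [(net("172.16.212.0", "255.255.255.0"), net("10.100.90.0", "255.255.255.0"))]
# Crypto ACL after the fix: written for the translated (post-NAT) source.
CRYPTO_ACL_FIXED = [(net("192.235.87.15"), net("10.100.90.0", "255.255.255.0"))]

def acl_permits(acl, src, dst):
    """First-match evaluation of an extended ACL made of (src_net, dst_net) permits."""
    return any(src in s and dst in d for s, d in acl)

def apply_policy_nat(src, dst):
    """Return the source address the outside peer will see for this flow."""
    for s, d, mapped in POLICY_NAT:
        if src in s and dst in d:
            return mapped
    return src  # flow not covered by the policy NAT: source unchanged

def would_encrypt(crypto_acl, src, dst):
    """NAT first, then crypto-map match; returns (encrypted?, source seen by peer)."""
    src, dst = ip_address(src), ip_address(dst)
    translated = apply_policy_nat(src, dst)
    return acl_permits(crypto_acl, translated, dst), str(translated)

if __name__ == "__main__":
    for name, acl in (("original", CRYPTO_ACL_ORIGINAL), ("fixed", CRYPTO_ACL_FIXED)):
        print(name, would_encrypt(acl, "172.16.212.10", "10.100.90.5"))
```

The same check can be pointed at any (source, destination) pair from the poster's network to confirm that only VPN-bound traffic is translated and selected for encryption.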
02-25-2015 06:41 PM
Yes, that did it.
Thanks again!