06-13-2013 02:25 AM - edited 03-11-2019 06:57 PM
Hi,
I would like to config "when host X on vlanX goes to a network that is across an ipsec tunnel, for which vlanX network is not in the encryption domains, translate host X address to that of the asa in a network that is part of the crypto domain".
Interface vlan544 (172.16.80.0/24) is the local encryption domain, and 10.1.0.0/29 holds some monitoring servers that should not be part of the encryption domain, but rather get their source address translated to that of the firewall in 172.16.80.0/24. Here's what I did:
# Vlan522 for 10.1.0.0/29, need to somehow have a specific nat here I guess that falls between the no nat and the generic "nat the rest to the global"
nat (vlan522) 0 access-list vlan522_nat0_outbound
nat (vlan522) 1 0.0.0.0 0.0.0.0
# Next, I defined an ACL to match the source network (10.1.0.0/29) with the remote encryption domain (172.18.0.0/24):
access-list prtg-to-slott-net extended permit ip 10.1.0.0 255.255.255.248 172.18.0.0 255.255.255.0
# Removing the global nat on vlan522:
no nat (vlan522) 1 0.0.0.0 0.0.0.0
# Set up the newly defined access-list as nat entry 1 instead
nat (vlan522) 1 access-list prtg-to-slott-net
# Re-adding the catch all nat but this time as rule number #2
nat (vlan522) 2 0.0.0.0 0.0.0.0
This obviously didn't work, the second (number 2) rule is never hit. What am I doing wrong?
06-13-2013 02:48 AM
Hi,
I got a bit confused reading that.
So did I understand correctly that the situation is the following?
In this case you should probably do the following:
access-list L2LVPN-POLICYPAT permit ip 10.1.0.0 255.255.255.248 172.18.0.0 255.255.255.0
global (outside) 100 172.16.80.254
nat (vlan522) 100 access-list L2LVPN-POLICYPAT
There is of course a chance that some existing NAT configuration makes this one useless, but for that we have the "packet-tracer" command to determine which configurations are hit when the traffic arrives at the ASA:
packet-tracer input vlan522 tcp 10.1.0.2 12345 172.18.0.100 3389
The port and IP address values I used are random and can be pretty much anything. Of course the mentioned traffic needs to be allowed in the interface ACL or the "packet-tracer" hits an ACCESS-LIST DROP.
- Jouni
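The point of the answer is that a pre-8.3 `nat (interface) ID` line only translates if a `global (egress) ID` with the same ID exists, and that policy NAT (`nat ... access-list`) is consulted before regular dynamic NAT. The following Python model, added here as an illustration and not code from the thread or from Cisco, plays both the original post's configuration and the answer's configuration through that lookup order so the difference is visible. It assumes the documented pre-8.3 order (NAT exemption, then policy NAT, then regular NAT, first match within each), an outside interface address of 203.0.113.1 for the pre-existing `global (outside) 1`, and a constructed content for `vlan522_nat0_outbound` (exempting traffic from 10.1.0.0/29 to the local VPN vlan); none of those three are stated on the page.

```python
"""Simplified model of pre-8.3 Cisco ASA dynamic NAT selection (added example,
not ASA code). Assumed: exemption, then policy NAT, then regular dynamic NAT,
first match per category, and a nat rule needs a global with the same ID on
the egress interface. 203.0.113.1 and the nat0 ACL content are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Acl:
    name: str
    entries: List[Tuple[IPv4Network, IPv4Network]]  # (source, destination) permits

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return any(src in s and dst in d for s, d in self.entries)


@dataclass
class NatRule:
    interface: str                         # ingress interface of the nat (...) line
    nat_id: int                            # must match the ID of a global (egress) line
    acl: Optional[Acl] = None              # set for "nat (if) id access-list NAME"
    network: Optional[IPv4Network] = None  # set for "nat (if) id net mask"


@dataclass
class AsaNat:
    nat_rules: List[NatRule]
    globals_: Dict[Tuple[str, int], IPv4Address]  # (egress interface, id) -> mapped address
    crypto_acl: Acl                               # what the crypto map will encrypt

    def translate(self, ingress: str, egress: str, src: IPv4Address, dst: IPv4Address):
        rules = [r for r in self.nat_rules if r.interface == ingress]
        # 1. NAT exemption (nat 0 access-list) bypasses translation entirely
        for r in rules:
            if r.nat_id == 0 and r.acl and r.acl.matches(src, dst):
                return "exempt", src
        # 2. policy dynamic NAT (nat <id> access-list): the ACL picks the flows
        for r in rules:
            if r.nat_id != 0 and r.acl and r.acl.matches(src, dst):
                return self._apply_global(egress, r.nat_id, src)
        # 3. regular dynamic NAT (nat <id> net mask)
        for r in rules:
            if r.nat_id != 0 and r.network is not None and src in r.network:
                return self._apply_global(egress, r.nat_id, src)
        return "no-nat-rule", src

    def _apply_global(self, egress: str, nat_id: int, src: IPv4Address):
        # No global with this ID on the egress interface: the ASA has nothing to
        # translate to, logs "No translation group found" and drops the packet.
        mapped = self.globals_.get((egress, nat_id))
        return ("drop-no-global", src) if mapped is None else ("translated", mapped)


VLAN522 = ip_network("10.1.0.0/29")          # monitoring servers (from the post)
LOCAL_CRYPTO = ip_network("172.16.80.0/24")  # vlan544, local encryption domain
REMOTE_CRYPTO = ip_network("172.18.0.0/24")  # remote encryption domain
ANY = ip_network("0.0.0.0/0")
OUTSIDE_IP = ip_address("203.0.113.1")       # assumed address behind global (outside) 1
CRYPTO_ACL = Acl("outside_cryptomap", [(LOCAL_CRYPTO, REMOTE_CRYPTO)])
NAT0_ACL = Acl("vlan522_nat0_outbound", [(VLAN522, LOCAL_CRYPTO)])  # assumed content


def original_poster_config() -> AsaNat:
    """The post's attempt: policy NAT reuses ID 1, the catch-all gets ID 2, no global 2."""
    return AsaNat(
        nat_rules=[NatRule("vlan522", 0, acl=NAT0_ACL),
                   NatRule("vlan522", 1, acl=Acl("prtg-to-slott-net", [(VLAN522, REMOTE_CRYPTO)])),
                   NatRule("vlan522", 2, network=ANY)],
        globals_={("outside", 1): OUTSIDE_IP},
        crypto_acl=CRYPTO_ACL)


def answer_config() -> AsaNat:
    """The answer: a fresh ID 100 paired with global (outside) 100 172.16.80.254."""
    return AsaNat(
        nat_rules=[NatRule("vlan522", 0, acl=NAT0_ACL),
                   NatRule("vlan522", 100, acl=Acl("L2LVPN-POLICYPAT", [(VLAN522, REMOTE_CRYPTO)])),
                   NatRule("vlan522", 1, network=ANY)],
        globals_={("outside", 1): OUTSIDE_IP, ("outside", 100): ip_address("172.16.80.254")},
        crypto_acl=CRYPTO_ACL)


def trace(asa: AsaNat, src: str, dst: str):
    """Minimal packet-tracer: (NAT verdict, mapped source, does the mapped flow
    match the crypto ACL). Egress is vlan544 for the local vlan, else outside."""
    s, d = ip_address(src), ip_address(dst)
    egress = "vlan544" if d in LOCAL_CRYPTO else "outside"
    verdict, mapped = asa.translate("vlan522", egress, s, d)
    in_tunnel = verdict != "drop-no-global" and asa.crypto_acl.matches(mapped, d)
    return verdict, str(mapped), in_tunnel


if __name__ == "__main__":
    for name, asa in (("post", original_poster_config()), ("answer", answer_config())):
        for dst in ("172.18.0.100", "198.51.100.5", "172.16.80.10"):
            print(name, "10.1.0.2 ->", dst, trace(asa, "10.1.0.2", dst))
```

With the post's configuration, traffic to 172.18.0.100 is translated to the existing global 1 address, which is outside the crypto ACL and therefore never enters the tunnel, while everything else hits the ID 2 rule and is dropped for lack of a `global (outside) 2`. With the answer's configuration the VPN-bound flow maps to 172.16.80.254 and matches the crypto ACL, and the rest falls through to global 1. On a real ASA, `packet-tracer` shows the same NAT and VPN phases.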
06-13-2013 02:58 AM
Jouni, you're really picking my questions and answering them one by one. You provide good short explanation, I now see the connection between the nat (int) VALUE and global (int) VALUE.
Thanks!