Can I replace both src and dst ip with policy nat, into VPN?
I want to set up an L2L tunnel to a third party. Because of their and our requirements, I want to do NAT of both our addresses and theirs at our end. Is that possible?
I'll explain further in the attached topology. I have local clients addressed 172.30.30.81-94 that need to access equipment in the remote end with real IPs 10.5.10.11-15. However, I want to access these 5 IPs by addressing them 192.168.7.10,11,20,21,22. Also, my source traffic shouldn't be visible to the remote end; I want them to see me as 10.250.192.193-206.
I am trying to do setups like these:
object-group network VPN-COMPANY_localip_real
 network-object 172.30.30.80 255.255.255.240
object-group network VPN-COMPANY_localip_nat
 network-object 10.250.192.192 255.255.255.240
object-group network VPN-COMPANY_remoteip_real
 network-object host 10.5.10.11
 network-object host 10.5.10.12
 network-object host 10.5.10.13
 network-object host 10.5.10.14
 network-object host 10.5.10.15
object-group network VPN-COMPANY_remoteip_nat
 network-object host 192.168.7.10
 network-object host 192.168.7.11
 network-object host 192.168.7.20
 network-object host 192.168.7.21
 network-object host 192.168.7.22
One per source address:
access-list VPN-COMPANY_static_193 extended permit ip host 172.30.30.81 object-group VPN-COMPANY_remoteip_nat
access-list VPN-COMPANY_static_193 extended permit ip host 172.30.30.81 object-group VPN-COMPANY_remoteip_real
As for your access-list and statics for the destination address, you don't need them because they have already been taken care of with the first static statements in my post.
Note that because you are translating 192.168.7.x to 10.0.5.x addressing, I'm assuming you don't need to do conditional NAT as you have to do with your source addressing, because nothing will try to get to 192.168.7.x unless it is via the VPN tunnel.
If I have assumed wrongly, you will need to modify the first set of static statements with ACLs.
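The same requirement written as ASA 8.3+ twice NAT, added here as an example and not config from either post (the 8.2-style static statements the answer refers to are not on this page). It reuses the question's local object names as network objects; the interface names inside/outside, the REMOTEnn_* object names and the crypto ACL name VPN-COMPANY_crypto are assumptions.

```cisco
! Added example (not from the thread): ASA 8.3+ twice NAT for source + destination.
! Interface names and every object name not taken from the question are assumed.
object network VPN-COMPANY_localip_real
 subnet 172.30.30.80 255.255.255.240
object network VPN-COMPANY_localip_nat
 subnet 10.250.192.192 255.255.255.240
object network VPN-COMPANY_remoteip_real
 range 10.5.10.11 10.5.10.15
! Remote equipment: real address vs. the address our clients will use.
! The mapped addresses are not contiguous, so one object pair per host.
object network REMOTE11_real
 host 10.5.10.11
object network REMOTE11_nat
 host 192.168.7.10
object network REMOTE12_real
 host 10.5.10.12
object network REMOTE12_nat
 host 192.168.7.11
object network REMOTE13_real
 host 10.5.10.13
object network REMOTE13_nat
 host 192.168.7.20
object network REMOTE14_real
 host 10.5.10.14
object network REMOTE14_nat
 host 192.168.7.21
object network REMOTE15_real
 host 10.5.10.15
object network REMOTE15_nat
 host 192.168.7.22
! One rule per remote host translates both addresses in one step, e.g.
! 172.30.30.81 -> 192.168.7.10 leaves the ASA as 10.250.192.193 -> 10.5.10.11.
! Net-to-net static keeps the host offset (.81 -> .193 ... .94 -> .206).
! Keyword order matters: source is "real mapped", destination is "mapped real".
nat (inside,outside) source static VPN-COMPANY_localip_real VPN-COMPANY_localip_nat destination static REMOTE11_nat REMOTE11_real
nat (inside,outside) source static VPN-COMPANY_localip_real VPN-COMPANY_localip_nat destination static REMOTE12_nat REMOTE12_real
nat (inside,outside) source static VPN-COMPANY_localip_real VPN-COMPANY_localip_nat destination static REMOTE13_nat REMOTE13_real
nat (inside,outside) source static VPN-COMPANY_localip_real VPN-COMPANY_localip_nat destination static REMOTE14_nat REMOTE14_real
nat (inside,outside) source static VPN-COMPANY_localip_real VPN-COMPANY_localip_nat destination static REMOTE15_nat REMOTE15_real
! The crypto ACL (and the peer's mirror of it) must match the post-NAT addresses:
! our mapped /28 and their real hosts, never 172.30.30.x or 192.168.7.x.
access-list VPN-COMPANY_crypto extended permit ip object VPN-COMPANY_localip_nat object VPN-COMPANY_remoteip_real
```

To confirm the translation before bringing the tunnel up, `packet-tracer input inside tcp 172.30.30.81 1025 192.168.7.10 80` shows the NAT phase with the translated pair that the crypto ACL has to match.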