
Cisco ASA outside inside NAT and IPsec

raulfigueruelo
Level 1

Hello guys,

I have an operational IPsec tunnel between a Cisco ASA 5505 and another firewall across my network. Traffic goes through in both directions. Now, I would like to source NAT IPsec incoming traffic (from the ASA's perspective) with its inside interface IP address. For example:

Traffic from 10.x.x.x to 192.168.22.x needs to be NATted to 192.168.22.1 (the IP address of the inside interface) to 192.168.22.x.

But I have had no success yet with nat (outside,inside) rules... any ideas?

Thank you.


It would help to see what configuration you have done for this NAT. Make sure you DO NOT disable proxy ARP.


The configuration should be similar to this:

object network LAN
 subnet 192.168.22.0 255.255.255.0
object network remote
 subnet 10.0.0.0 255.255.255.0

nat (outside,inside) source static remote interface destination static LAN LAN

--
Please remember to select a correct answer and rate helpful posts

Thanks for your post, Marius. This is the output from show nat:


1 (inside) to (outside) source static inside inside destination static remote remote no-proxy-arp route-lookup
translate_hits = 51012, untranslate_hits = 203989
2 (outside) to (inside) source static remote interface destination static inside inside
translate_hits = 0, untranslate_hits = 0

NAT 1 is mandatory for the IPsec tunnel.

NAT 2 is my rule for trying source nat.


Is it possible that the traffic I want to source NAT is matching NAT rule 1?


Move NAT statement 2 above NAT statement 1 and try again.


I have changed the rule order and it is working now:


1 (outside) to (inside) source static remote interface destination static inside inside
translate_hits = 46, untranslate_hits = 250
2 (inside) to (outside) source static inside0 inside destination static remote remote route-lookup
translate_hits = 45, untranslate_hits = 45

TCP 192.168.22.30:445 192.168.22.1:60035 ESTABLISHED


Curiously, I have lost ping from the remote device to the inside device, but TCP services are established. I think the PINGs are the "untranslate_hits", but I don't know why.

Extended ACLs permitting any (TCP and ICMP) are configured on both interfaces.


Thank you.
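To show why the source-NAT rule got zero hits until it was moved above the identity rule, here is an added Python model of the ASA's section 1 (manual NAT) first-match lookup; it is not from the thread or from Cisco. It assumes the object names from the show nat output, Marius's 10.0.0.0/24 "remote" subnet, 192.168.22.1 as the inside interface address, and a constructed inbound packet from 10.0.0.5 to 192.168.22.30.

```python
import ipaddress

# Constructed network objects mirroring the thread: the "inside" LAN, the
# "remote" peer LAN (Marius's 10.0.0.0/24 example) and the address that the
# keyword "interface" resolves to on the inside interface (192.168.22.1).
OBJECTS = {
    "inside": ipaddress.ip_network("192.168.22.0/24"),
    "remote": ipaddress.ip_network("10.0.0.0/24"),
    "interface": ipaddress.ip_network("192.168.22.1/32"),
}

def rule(real_ifc, mapped_ifc, real_src, mapped_src, mapped_dst, real_dst):
    """One twice-NAT line: nat (real_ifc,mapped_ifc) source static
    real_src mapped_src destination static mapped_dst real_dst"""
    return dict(real_ifc=real_ifc, mapped_ifc=mapped_ifc, real_src=real_src,
                mapped_src=mapped_src, mapped_dst=mapped_dst, real_dst=real_dst)

def _mapped(addr, real_name, mapped_name):
    # Identity mapping keeps the address; a one-address object (the
    # "interface" PAT case) replaces it. Net-to-net offsets are not modelled.
    if real_name == mapped_name:
        return str(addr)
    return str(OBJECTS[mapped_name].network_address)

def lookup(rules, ingress, src, dst):
    """Walk section 1 top-down and stop at the first rule that matches, either
    forward (packet enters on real_ifc, a translate_hit) or reverse (packet
    enters on mapped_ifc, an untranslate_hit). A twice-NAT rule matches in
    both directions, so an identity rule above can swallow inbound traffic.
    Returns (rule number, direction, source address after NAT) or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(rules, start=1):
        if (ingress == r["real_ifc"] and src in OBJECTS[r["real_src"]]
                and dst in OBJECTS[r["mapped_dst"]]):
            return n, "translate", _mapped(src, r["real_src"], r["mapped_src"])
        if (ingress == r["mapped_ifc"] and src in OBJECTS[r["real_dst"]]
                and dst in OBJECTS[r["mapped_src"]]):
            return n, "untranslate", _mapped(src, r["real_dst"], r["mapped_dst"])
    return None

# Rule 1 of the first "show nat": identity NAT for the tunnel. Rule 2: the
# source-NAT-to-interface rule that showed translate_hits = 0.
IDENTITY = rule("inside", "outside", "inside", "inside", "remote", "remote")
TO_INTERFACE = rule("outside", "inside", "remote", "interface", "inside", "inside")
ORIGINAL_ORDER = [IDENTITY, TO_INTERFACE]
FIXED_ORDER = [TO_INTERFACE, IDENTITY]   # order after moving rule 2 up

if __name__ == "__main__":
    pkt = ("outside", "10.0.0.5", "192.168.22.30")   # constructed inbound packet
    print("original:", lookup(ORIGINAL_ORDER, *pkt))  # (1, 'untranslate', '10.0.0.5')
    print("fixed:   ", lookup(FIXED_ORDER, *pkt))     # (1, 'translate', '192.168.22.1')
```

With the original order the inbound packet matches the identity rule in its reverse direction and is never source-NATted; after the reorder it hits the interface rule first, while new outbound connections from the LAN still fall through to the identity rule, matching the translate_hits seen on both rules in the final show nat.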
