02-23-2017 12:52 PM - last edited on 03-25-2019 05:59 PM by ciscomoderator
I am configuring a site-to-site VPN on a Cisco ASA, and I want to achieve the following:
Remote users coming from 172.10.10.0/24 get translated to 10.10.250.150/32 and can access the local network on 10.10.0.0/16.
I configured the following on GNS3 but am still not able to access it:
LOCAL ASA:
ciscoasa(config)# object-group network LOCAL
ciscoasa(config-network-object-group)# network-object 10.10.0.0 255.255.0.0
ciscoasa(config)# object-group network NAT
ciscoasa(config-network-object-group)# network-object 10.10.250.150 255.255.255.255
ciscoasa(config)# object-group network REMOTE
ciscoasa(config-network-object-group)# network-object 172.10.10.0 255.255.0.0
access-list ABC line 1 extended permit ip object-group NAT object-group REMOTE
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto map outside_map 1 match address ABC
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set ikev1 transform-set TRANS
crypto map outside_map interface outside
nat (inside,any) source static LOCAL LOCAL destination static NAT REMOTE
crypto isakmp nat-traversal 20
*************************************************************************************************
REMOTE Side:
ciscoasa(config)# object-group network LOCAL
ciscoasa(config-network-object-group)# network-object 172.10.0.0 255.255.0.0
ciscoasa(config)# object-group network NAT
ciscoasa(config-network-object-group)# network-object 10.10.250.150 255.255.255.255
ciscoasa(config)# object-group network REMOTE
ciscoasa(config-network-object-group)# network-object 10.10.10.0 255.255.0.0
access-list ABC line 1 extended permit ip object-group NAT object-group REMOTE
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto map outside_map 1 match address ABC
crypto map outside_map 1 set peer y.y.y.y
crypto map outside_map 1 set ikev1 transform-set TRANS
crypto map outside_map interface outside
nat (inside,any) source static LOCAL LOCAL destination static NAT REMOTE
crypto isakmp nat-traversal 20
Refer to the attached diagram.
Please help!!
02-23-2017 02:09 PM
So where are you planning to do this NAT? You seem to have a NAT rule on both the LOCAL and the REMOTE ASA. You only need to do this on one ASA.
Your description seems to indicate that you want to NAT the source 172.10.10.0/24 to 10.10.250.10/32, while your diagram seems to indicate that you need to NAT 10.10.0.0/16 to 10.10.250.10/32. Which is it?
If you want to NAT 172.10.10.0/24, remove the NAT statement on the LOCAL ASA and change the NAT on the remote ASA to
nat (inside,any) source dynamic LOCAL NAT destination static REMOTE REMOTE
Also, your crypto ACL on both ASAs should be between 10.10.0.0/16 and 10.10.250.10/32.
02-23-2017 02:44 PM
Thanks Rahul,
Actually, I want any client from 10.10.0.0/16 to be able to access the 172.10.0.0/16 network, but 172.10.0.0/16 should see it as coming from 10.10.250.150/32, and vice versa, as it would be bidirectional.
02-23-2017 02:51 PM
Ok, so in that case, the NAT rule on the local ASA should be:
nat (inside,any) source dynamic LOCAL NAT destination static REMOTE REMOTE
NAT on the remote ASA should be:
nat (inside,any) source static LOCAL LOCAL destination static NAT NAT no-proxyarp route-lookup
And your crypto ACL should be between 10.10.250.150/32 and 172.10.0.0/16.
Bidirectional initiation of traffic would not be possible in such a scenario, as you have only one IP address to translate to for a /16 network - which requires a dynamic NAT.
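A small checker for the design in the answer above, added here as an illustration (it is not part of the thread and not Cisco code): it models the local ASA's dynamic source NAT, confirms the crypto ACL is written in post-NAT terms, and verifies that the two peers' crypto ACLs mirror each other. The network values are the thread's sample addresses; the NAT rule and ACL tuples are constructed to match the corrected configuration.

```python
from ipaddress import ip_network

# Constructed sample values taken from the thread; not a real deployment.
LOCAL_NET = "10.10.0.0/16"       # real inside network behind the local ASA
NAT_ADDR = "10.10.250.150/32"    # single mapped address the remote site sees
REMOTE_NET = "172.10.0.0/16"     # inside network behind the remote ASA


def parse_net(addr, mask=None):
    """Build a network from ASA 'address mask' form. An address with host
    bits set for the given mask (e.g. 172.10.10.0 255.255.0.0, as in the
    original post) raises ValueError instead of matching the wrong range."""
    return ip_network(f"{addr}/{mask}" if mask else addr)


def valid_object(addr, mask):
    """True if 'address mask' describes a clean network-object entry."""
    try:
        parse_net(addr, mask)
        return True
    except ValueError:
        return False


def post_nat_source(real_src, nat_rules):
    """What the peer sees as the source once the local ASA applies the first
    matching source-NAT rule (real, mapped). The crypto ACL must match
    these post-NAT addresses, not the real inside network."""
    src = parse_net(real_src)
    for real, mapped in nat_rules:
        if src.subnet_of(parse_net(real)):
            return parse_net(mapped)
    return src


def acl_permits(acl, src, dst):
    """True if some crypto-ACL entry (src_net, dst_net) covers the flow."""
    s, d = parse_net(src), parse_net(dst)
    return any(s.subnet_of(parse_net(a)) and d.subnet_of(parse_net(b))
               for a, b in acl)


def is_mirrored(local_acl, remote_acl):
    """Both peers must propose the same proxy IDs with src/dst swapped."""
    local = {(parse_net(s), parse_net(d)) for s, d in local_acl}
    remote = {(parse_net(d), parse_net(s)) for s, d in remote_acl}
    return local == remote


if __name__ == "__main__":
    local_acl = [(NAT_ADDR, REMOTE_NET)]      # local ASA: NAT -> REMOTE
    remote_acl = [(REMOTE_NET, NAT_ADDR)]     # remote ASA: REMOTE -> NAT
    seen = post_nat_source("10.10.5.7/32", [(LOCAL_NET, NAT_ADDR)])
    print(seen, acl_permits(local_acl, str(seen), "172.10.3.4/32"),
          is_mirrored(local_acl, remote_acl))
```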