CISCO Site to site VPN with NAT overload

jyadav001
Level 1

I am configuring a site-to-site VPN on a Cisco ASA, and I want to achieve the following:

Remote users coming from 172.10.10.0/24 get translated to 10.10.250.150/32 and can access the local network 10.10.0.0/16.

I configured the following in GNS3 but am still not able to access it:

LOCAL ASA:

ciscoasa(config)# object-group network LOCAL
ciscoasa(config-network-object-group)# network-object 10.10.0.0 255.255.0.0
ciscoasa(config)# object-group network NAT
ciscoasa(config-network-object-group)# network-object 10.10.250.150 255.255.255.255
ciscoasa(config)# object-group network REMOTE
ciscoasa(config-network-object-group)# network-object 172.10.10.0 255.255.0.0

access-list ABC line 1 extended permit ip object-group NAT object-group REMOTE

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

crypto map outside_map 1 match address ABC
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set ikev1 transform-set TRANS
crypto map outside_map interface outside

nat (inside,any) source static LOCAL LOCAL destination static NAT REMOTE

crypto isakmp nat-traversal 20

*************************************************************************************************

REMOTE Side:

ciscoasa(config)# object-group network LOCAL
ciscoasa(config-network-object-group)# network-object 172.10.0.0 255.255.0.0
ciscoasa(config)# object-group network NAT
ciscoasa(config-network-object-group)# network-object 10.10.250.150 255.255.255.255
ciscoasa(config)# object-group network REMOTE
ciscoasa(config-network-object-group)# network-object 10.10.10.0 255.255.0.0

access-list ABC line 1 extended permit ip object-group NAT object-group REMOTE

tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

crypto map outside_map 1 match address ABC
crypto map outside_map 1 set peer y.y.y.y
crypto map outside_map 1 set ikev1 transform-set TRANS
crypto map outside_map interface outside

nat (inside,any) source static LOCAL LOCAL destination static NAT REMOTE

crypto isakmp nat-traversal 20

Refer to the attached diagram.

Please help!!

Accepted Solution

Rahul Govindan
VIP Alumni

So where are you planning to do this NAT? You seem to have a NAT rule on both LOCAL and REMOTE ASA. You only need to do this on any one ASA.

Your description seems to point that you want to NAT the source 172.10.10.0/24 to 10.10.250.10/32, while your diagram seems to point that you need to NAT 10.10.0.0/16 to 10.10.250.10/32. Which is it?

If you want to NAT 172.10.10.0/24, remove the NAT statement on the LOCAL ASA and change the NAT on the remote ASA to

nat (inside,any) source dynamic LOCAL NAT destination static REMOTE REMOTE

Also, your crypto ACL on both ASAs should be 10.10.0.0/16 and 10.10.250.10/32.


3 Replies

Thanks Rahul,

Actually, I want any client from 10.10.0.0/16 to be able to access the 172.10.0.0/16 network, but 172.10.0.0/16 should see it as coming from 10.10.250.150/32, and vice versa, as it would be bidirectional.

Ok, so in that case, the NAT rule on the local ASA should be:

nat (inside,any) source dynamic LOCAL NAT destination static REMOTE REMOTE

NAT on the remote ASA should be:

nat (inside,any) source static LOCAL LOCAL destination static NAT NAT no-proxyarp route-lookup

And your crypto ACL should be between 10.10.250.150/32 and 172.10.0.0/16.

Bidirectional initiation of traffic would not be possible in such a scenario, as you have only 1 IP address to translate to for a /16 network, which requires a dynamic NAT.
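As an added check that is not part of this thread, the Python script below parses the object groups, crypto ACL and manual NAT line of each ASA and tests the two properties the accepted answer relies on: the two crypto ACLs must mirror each other, and each ACL must reference the post-NAT (mapped) source rather than the real inside network. The sample configs are constructed from the thread's values, using the original post's object groups and ACLs together with the NAT statements from the answer.

```python
import ipaddress
import re
# Constructed sample: object groups and crypto ACLs from the original post,
# NAT statements from the accepted answer (real configs: "show running-config").
LOCAL_ASA = """
object-group network LOCAL
 network-object 10.10.0.0 255.255.0.0
object-group network NAT
 network-object 10.10.250.150 255.255.255.255
object-group network REMOTE
 network-object 172.10.10.0 255.255.0.0
access-list ABC extended permit ip object-group NAT object-group REMOTE
nat (inside,any) source dynamic LOCAL NAT destination static REMOTE REMOTE
"""
REMOTE_ASA = """
object-group network LOCAL
 network-object 172.10.0.0 255.255.0.0
object-group network NAT
 network-object 10.10.250.150 255.255.255.255
object-group network REMOTE
 network-object 10.10.10.0 255.255.0.0
access-list ABC extended permit ip object-group NAT object-group REMOTE
nat (inside,any) source static LOCAL LOCAL destination static NAT NAT no-proxyarp route-lookup
"""
ACL_RE = r"access-list \S+ extended permit ip object-group (\S+) object-group (\S+)"
NAT_RE = r"nat \(\S+\) source (static|dynamic) (\S+) (\S+) destination static (\S+) (\S+)"

def parse_asa(config):
    """Return (groups, acl, nat): name -> networks, ACL as (src, dst) pairs, NAT fields."""
    groups, acl, nat, cur = {}, [], None, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("object-group network "):
            cur = line.split()[2]
            groups[cur] = []
        elif line.startswith("network-object ") and cur:
            _, ip, mask = line.split()  # strict=False normalises e.g. 172.10.10.0/16
            groups[cur].append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
        elif m := re.match(ACL_RE, line):
            acl += [(s, d) for s in groups[m[1]] for d in groups[m[2]]]
        elif m := re.match(NAT_RE, line):
            nat = m.groups()  # (type, real_src, mapped_src, real_dst, mapped_dst)
    return groups, acl, nat

def mirrored(local_acl, remote_acl):
    """Both peers' crypto ACLs must describe the same flows from opposite ends."""
    return {(s, d) for s, d in local_acl} == {(d, s) for s, d in remote_acl}

def acl_matches_post_nat(groups, acl, nat):
    """Crypto ACLs are evaluated after NAT: every ACL source must sit in the mapped source object."""
    mapped = groups[nat[2]]
    return all(any(s.subnet_of(n) for n in mapped) for s, _ in acl)
```

On the thread's values the local ACL passes the post-NAT check but the two ACLs are not mirrors, and the remote ACL fails because it names the /32 instead of 172.10.0.0/16 as its source; swapping the remote ACL to `object-group LOCAL object-group NAT` makes both checks pass.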
