Hide NAT

saroj pradhan
Level 1

Hi,

Can someone guide me to configure Hide NAT on the Cisco ASA 5510 firewall? I am using the ASA in my network. The users at the inside interface need their traffic to go to the DMZ interface and access three remote servers through a s2s VPN. The VPN device is connected between the Internet router and the ASA DMZ.

Please advise,

Saroj

36 Replies

Answer to 1: there are no servers in the DMZ.

Answer to 2: Inside LAN (inside)---ASA---(DMZ)---VPN Router---Internet Router---SXM Network

Answer to 3: the s2s VPN is configured on a router connected between the ASA and the Internet router.

Regards,

Saroj

saroj pradhan
Level 1

Please find the ASA version details.

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

When I run the subnet command I get an error.

object network SMX-LAN
 subnet 172.16.58.0 255.255.255.0

Netlink-MDP-ASA(config-network)# sub
Netlink-MDP-ASA(config-network)# ?

  description     Specify description text
  group-object    Configure an object group as an object
  help            Help for network object-group configuration commands
  network-object  Configure a network object
  no              Remove an object or description from object-group

Please advise.

Saroj


Hi,

You can't use the other configuration that I listed as you are not running ASA software 8.3 or a newer version. The "object network" command doesn't exist in 8.2 software and if you use it the ASA will recognize it as the "object-group network" command. That is why you are not able to configure it and the required parameters under it.

Again the above IP information is confusing. You are talking about a network 172.16.82.0/23 as both the source and destination? Which one is it?

From what I understood before the information would be this:

  • source ip/network = 172.16.58.0/24
  • source networks NAT IP = ?
  • destination ip/network = 209.196.208.52/32

You first mentioned the network 172.31.82.0/24 and I don't know what it is. Please clarify the purpose/role of each IP address/network mentioned.

- Jouni

Please find the details:

Inside LAN (inside) 172.16.58.0/24----ASA-(DMZ) private (172.16.59.0/29)---VPN Router--122.168.191.232/29---Internet Router----SXM Network (172.31.82.0/23) and 209.196.208.52, 209.196.208.10

Regards,

Saroj

Hi,

Ok, that again clears some things up, but you have not mentioned the IP address that you want us to use as the NAT IP address. Or do you want to NAT the whole LAN network 172.16.58.0/24 to some other NAT network perhaps?

Or perhaps you are meaning something else with the Hide NAT? I would presume you want to "hide" the internal network 172.16.58.0/24 by NATing it to some IP address.

Can you clear this up? Then we should be able to provide the configuration.

- Jouni

The DMZ is configured with a private IP, so I can't configure NAT. The VPN device connected to the DMZ uses private IP 172.16.59.0/29,

and the VPN device connected to the Internet router uses public IP 122.168.191.232/29.

I need to configure Hide NAT.

Please advise.


Hi,

From what I have understood so far all this traffic will use a L2L VPN connection between the sites. With that in mind I don't think there are real limitations on what NAT IP address you use as long as the VPN device has a route for it pointing towards the ASA.

It doesn't really matter if the link network between the ASA DMZ interface and the VPN Router is a private IP address. You can still use any IP address you want as the NAT IP address to which you translate the LAN network 172.16.58.0/24.

So again, I will have to know with what IP address the network 172.16.58.0/24 will be visible to the remote site. It will be the same IP address that you are configuring (or have configured) as the source network/IP in the L2L VPN configurations.

- Jouni

So please suggest the Hide NAT command to configure on the ASA.

Regards,

Saroj

Hi,

I'll refer to the configuration I mentioned earlier which would match your current software level on the ASA.

So far the information you have given would seem to suggest the following situation:

  • Local network that needs to access the L2L VPN connection
    • 172.16.58.0/24
  • Remote networks that are behind the L2L VPN at the remote site
    • 209.196.208.52/32
    • 209.196.208.10/32
    • 172.31.82.0/23

Are these correct? If so then the below configuration would seem to be the option for you.

Software 8.2 and below

access-list VPN-POLICYPAT remark Policy NAT for L2L VPN
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.208.52
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.208.10
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 172.16.82.0 255.255.254.0

global (dmz) 200 interface

or

global (dmz) 200 <NAT ip address>

nat (inside) 200 access-list VPN-POLICYPAT

Now notice that above I give 2 different options on how to give the NAT IP address. The first one uses the DMZ interface IP address as the NAT IP address (as the IP address behind which the LAN network is "hidden"). The second option lets you use whatever IP address you want to insert there instead as the NAT IP address.

Now if you use the parameter "interface" in the "global" command this will mean that the NAT IP address is from the link network between the VPN device and the ASA. Routing-wise this would mean that the VPN router already has a route for that NAT IP address as it is directly connected.

If you on the other hand specify some IP address in the "global" command as the NAT IP address then you will have to make sure that the VPN router has a route for that IP address pointing towards the ASA DMZ interface IP address.

I am not really sure if I can explain it any more clearly.

I am under the presumption that your setup and its requirements are the following:

  • LAN users from network 172.16.58.0/24 want to connect to network 172.16.82.0/23 and hosts 209.196.208.10 and 209.196.208.52
  • The mentioned destination networks are located behind a L2L VPN connection that is formed by the VPN Router behind the ASA's DMZ interface
  • You want to "hide" your LAN network 172.16.58.0/24 behind a NAT IP address so that the remote/destination networks see all connections coming from that single IP address

- Jouni

Sir,

I have a confusion about the part below.

global (dmz) 200 interface

or

global (dmz) 200 <NAT ip address>

nat (inside) 200 access-list VPN-POLICYPAT

When I run the command it says "already in use".

Please help.

Regards,

Saroj

Hi,

The configuration example provided just gives you the configuration format to configure Dynamic Policy PAT, where the NAT/PAT IP address is either configured as "interface", which means that the IP address of the interface configured inside "()" is used, or you can use the format where you specify the IP address that you want to use as the NAT/PAT IP address.

Without seeing your actual firewall configuration it's really hard to say what the actual situation is. But judging from what you say you might have entered the same command twice.

Also I am not sure what command you refer to. After which command above do you get the message?

- Jouni

Hi Jouni,

I have configured the commands you provided on the ASA but it is still not working. I am unable to send traffic from the user system to the VPN device.

I am also unable to ping the IP address of the remote server that the s2s VPN is configured to access.

Please find my ASA config and guide me.

Hi,

Can you perform a "packet-tracer" command using the IP addresses between which the connections should work?

packet-tracer input inside tcp <source ip> 12345 <destination ip> <destination port>

Then show us the full output (including the exact command you use) of that command so we can see that at least the correct configurations are matched and that the connection attempt is not dropped.

Also, we would need to know how the L2L VPN is configured. What are the source networks configured for your side? Is the NAT IP address used in the ASA configurations included in the L2L VPN configurations? And does the remote site also have the required configurations for the connections to go through? The problem might be related to the L2L VPN configuration itself rather than the ASA.

But if you let us know the above information that should again help us troubleshoot further.

- Jouni


Please find the config I have made.

access-list VPN-POLICYPAT remark Policy NAT for L2L VPN
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.208.52
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.208.10
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.214.34
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 172.16.82.0 255.255.254.0
global (DMZ-SXM) 7 172.16.59.1 netmask 255.255.255.255
nat (inside) 7 access-list VPN-POLICYPAT

I will run the packet-tracer and send the output to you.

Please find the packet-tracer output enclosed.

Also, I already sent the configuration made in the ASA.

Regards,

Saroj
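As an added example, not part of the thread and not Cisco's code: the Python script below models the policy NAT lookup that Jouni's 8.2 configuration and Saroj's posted version of it rely on. It parses the posted "access-list", "global" and "nat" lines exactly as they appear above and answers, for one flow, the question packet-tracer answers in its NAT phase: does the flow hit an ACE of VPN-POLICYPAT, and if so behind which address is the inside source hidden on the egress interface? The function names (parse_config, lookup), the result structure and the test flows are my own; the interface names (inside, DMZ-SXM) and addresses come from the posted config, and "outside" is an assumed interface used only to show what happens when no "global" exists for the egress interface. Routing, the crypto map on the VPN router and the remote site are not modelled. Because the thread gives the SXM network as 172.31.82.0/23 in one post and 172.16.82.0/23 in the ACL, the script includes a flow to each so the effect of that difference on the NAT match is visible.

```python
"""Model the policy NAT (dynamic policy PAT) lookup of an ASA 8.2 configuration.

Constructed, added example. It reads "access-list NAME permit ip SRC DST",
"global (IF) ID <ip|interface> [netmask M]" and "nat (IF) ID access-list NAME"
lines and evaluates a single flow the way the ASA's NAT phase would: first
matching ACE wins, then the "global" that shares the nat-id on the egress
interface supplies the PAT address.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# NAT configuration as posted in the thread (assumed to be the complete NAT
# configuration; other nat/global statements, routes and access-groups are not modelled).
ASA_CONFIG = """
access-list VPN-POLICYPAT remark Policy NAT for L2L VPN
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.208.52
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.208.10
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.214.34
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 172.16.82.0 255.255.254.0
global (DMZ-SXM) 7 172.16.59.1 netmask 255.255.255.255
nat (inside) 7 access-list VPN-POLICYPAT
"""

Net = ipaddress.IPv4Network


@dataclass
class NatResult:
    verdict: str                # "policy-pat", "no-match" or "no-global"
    matched_ace: Optional[str]  # text of the ACE that matched, if any
    nat_ip: Optional[str]       # PAT address; "interface" means the egress interface IP


@dataclass
class NatConfig:
    acls: Dict[str, List[Tuple[Net, Net, str]]]  # name -> [(src, dst, ACE text)]
    globals_: Dict[Tuple[str, int], str]         # (interface, nat-id) -> address or "interface"
    nats: List[Tuple[str, int, str]]             # [(interface, nat-id, ACL name)]


def _address(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse an ACE address spec at tokens[i]: 'any', 'host X' or 'NET MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_config(text: str) -> NatConfig:
    """Collect the policy NAT ACLs, global pools and nat statements from config text."""
    cfg = NatConfig({}, {}, [])
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2] == "permit" and tok[3] == "ip":
            src, i = _address(tok, 4)
            dst, _ = _address(tok, i)
            cfg.acls.setdefault(tok[1], []).append((src, dst, line.strip()))
        elif tok[0] == "global":
            # global (IF) ID <ip|interface> [netmask M]; the netmask is ignored here
            cfg.globals_[(tok[1].strip("()"), int(tok[2]))] = tok[3]
        elif tok[0] == "nat" and len(tok) > 4 and tok[3] == "access-list":
            cfg.nats.append((tok[1].strip("()"), int(tok[2]), tok[4]))
    return cfg


def lookup(cfg: NatConfig, ingress: str, egress: str, src_ip: str, dst_ip: str) -> NatResult:
    """Policy NAT lookup for one flow entering on `ingress` and leaving on `egress`."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for nat_if, nat_id, acl in cfg.nats:
        if nat_if != ingress:
            continue
        for ace_src, ace_dst, ace_text in cfg.acls.get(acl, []):
            if src in ace_src and dst in ace_dst:
                pool = cfg.globals_.get((egress, nat_id))
                if pool is None:
                    # ACE matched, but no "global (<egress>) <nat-id>" exists, so this
                    # rule cannot translate the flow on that interface
                    return NatResult("no-global", ace_text, None)
                return NatResult("policy-pat", ace_text, pool)
    return NatResult("no-match", None, None)


CFG = parse_config(ASA_CONFIG)

if __name__ == "__main__":
    # Constructed test flows; 172.16.58.10 is an arbitrary host in the inside LAN.
    flows = [
        ("inside", "DMZ-SXM", "172.16.58.10", "209.196.208.52"),  # posted remote host
        ("inside", "DMZ-SXM", "172.16.58.10", "172.16.82.5"),     # network as written in the ACL
        ("inside", "DMZ-SXM", "172.16.58.10", "172.31.82.5"),     # SXM network as stated earlier
        ("inside", "outside", "172.16.58.10", "209.196.208.52"),  # egress interface without a global
    ]
    for f in flows:
        r = lookup(CFG, *f)
        print(f"{f[2]} -> {f[3]} via {f[1]}: {r.verdict} nat_ip={r.nat_ip}")
```

The "no-global" case is the one to watch for in a real packet-tracer run: the nat-id of the "nat (inside)" statement must be paired with a "global" on the interface the ASA actually routes the packet out of, which is why Jouni asks to see the exact command and full output.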
