How to Set Up Policy-Based NAT for Partner S2S VPN

bwarnercincy
Level 1

Hello,

I have been asked to set up an IPsec site-to-site VPN with a company partner.  They require that we NAT our internal hosts to a different network before sending across the tunnel.  These same internal hosts need regular Internet access.  I only want to NAT to a global address if the destination matches certain hosts or subnets.  Otherwise, the address should be sent to regular outbound NAT overload.

I have the following networks needing "conditional" NAT:

172.16.4.0/24
172.16.7.0/24

Remote networks on the partner side are:

10.0.60.0/24
10.0.72.0/24

They've asked that we NAT our hosts to 10.29.96.x.  They will then apply inbound filtering on 10.29.96.x.

Can anybody provide with the needed access list(s) and NAT statement(s) for my side?

This is a Cisco ASA 5520 to Cisco ASA 5520 IPSec tunnel...

Thanks to everyone in advance!!

Ben Warner

Accepted Solution

Matt Lang
Level 1

Ben,

Here's how I would go about it.  For argument's sake, let's say the partner is called Acme.

object-group network ACME-REMOTE
 network-object 10.0.60.0 255.255.255.0
 network-object 10.0.72.0 255.255.255.0
object-group network ACME-LOCAL
 network-object 172.16.4.0 255.255.255.0
 network-object 172.16.7.0 255.255.255.0
access-list ACME-L2L-PNAT permit ip object-group ACME-LOCAL object-group ACME-REMOTE
nat (inside) 50 access-list ACME-L2L-PNAT
global (outside) 50 10.29.96.1

This configuration will translate the traffic coming from your two internal subnets to 10.29.96.1 only when going to their two subnets.

Matt
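The following is an added Python model of how the pre-8.3 ASA evaluates the accepted answer's rules (it is not from the thread or from Cisco): a policy NAT rule keyed on an access list is checked before any regular nat/global pair, so partner-bound flows from the two local subnets map to 10.29.96.1 and everything else falls through to the Internet overload. The overload rule `nat (inside) 1 0.0.0.0 0.0.0.0` / `global (outside) 1 interface` and the outside address 203.0.113.1 are assumptions not stated in the thread.

```python
"""Model of pre-8.3 ASA dynamic NAT rule order for the ACME policy-NAT config.

Added example, not from the thread. The Internet overload rule and the
outside interface address 203.0.113.1 are constructed assumptions.
"""
from ipaddress import ip_address, ip_network

# Object groups exactly as in the accepted answer.
ACME_LOCAL = [ip_network("172.16.4.0/24"), ip_network("172.16.7.0/24")]
ACME_REMOTE = [ip_network("10.0.60.0/24"), ip_network("10.0.72.0/24")]
OUTSIDE_IF = "203.0.113.1"  # constructed: address used by 'global (outside) 1 interface'


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def policy_nat_match(src, dst):
    """access-list ACME-L2L-PNAT permit ip object-group ACME-LOCAL object-group ACME-REMOTE"""
    return _in_any(src, ACME_LOCAL) and _in_any(dst, ACME_REMOTE)


# Inside->outside dynamic rules in ASA (pre-8.3) evaluation order: policy NAT
# (nat ... access-list) is consulted before regular nat/global pairs, so the
# catch-all overload only sees flows the policy ACL did not match.
RULES = [
    ("nat (inside) 50 access-list ACME-L2L-PNAT", policy_nat_match, "10.29.96.1"),
    ("nat (inside) 1 0.0.0.0 0.0.0.0", lambda src, dst: True, OUTSIDE_IF),  # assumed overload
]


def translate(src, dst):
    """Return (matching rule, translated source) for a flow src->dst leaving inside."""
    src, dst = ip_address(src), ip_address(dst)
    for name, match, mapped in RULES:
        if match(src, dst):
            return name, mapped
    raise LookupError("no NAT rule matched")  # unreachable while the catch-all is present


def audit(flows):
    """Return flows whose translated source is 10.29.96.1 but whose destination is
    not a partner subnet: any hit means the policy ACL is broader than intended."""
    return [(s, d) for s, d in flows
            if translate(s, d)[1] == "10.29.96.1" and not _in_any(ip_address(d), ACME_REMOTE)]


if __name__ == "__main__":
    for flow in [("172.16.4.10", "10.0.60.5"), ("172.16.4.10", "198.51.100.7")]:
        print(flow, "->", translate(*flow))
```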


Thanks Matt!!

Ben Warner
