03-10-2011 07:44 AM - edited 03-11-2019 01:04 PM
Dear Support-Team,
I am trying to configure an ASA 5510 with 8.3 IOS version.
My internal users are 192.168.2.0/24 and I configured dynamic PAT, and all of them have internet.
Below is my configuration:
object network SPM-INSIDE
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) dynamic interface
Here I want to configure identity NAT for remote access VPN.
Remote users IP pool is 10.10.10.0 to 10.10.10.10
I know how to configure NAT exemption in IOS 7.2 version, but here it is IOS 8.3 version. Will you help me configure NAT exemption for 192.168.2.0/24 to my remote pool (10.10.10.0 to 10.10.10.10)?
And I also need to configure a site-to-site VPN for these IPs:
Site A: 192.168.2.0/24
Site B: 192.168.3.0/24
Here I also need to configure NAT exemption for the above IPs in IOS 8.3 version.
Thanks in advance
Regards,
Janardhan
03-10-2011 08:33 AM
Hi Janardhan,
Here is an example of the configuration you'd want to use for identity NAT. These lines assume your VPN connections terminate on the outside interface:
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network remote_pool
range 10.10.10.0 10.10.10.10
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
!
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static remote_pool remote_pool
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.3.0 obj-192.168.3.0
These links may also help in the future:
https://supportforums.cisco.com/docs/DOC-9129
https://supportforums.cisco.com/videos/1014
Hope that helps.
-Mike
03-10-2011 08:22 PM
Hi Mike,
Thanks for your response.
I configured identity NAT as you said.
After this I configured the remote pool using the command:
ip local pool RPOOL 10.10.10.1-10.10.10.10 mask 255.255.255.0
If I enter this command it shows the error "Addresses overlap with existing NAT".
Kindly help me to solve this issue.
Regards,
Janardhan
03-11-2011 06:11 AM
Hi Janardhan,
This error is caused by a known bug:
CSCtg99839 - Cannot Create a Network Range Object Overlapping with a Local Pool
The bug is still being worked on and hasn't been fixed yet. As a workaround, you could use the following config instead (the order of the commands is important):
no nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static remote_pool remote_pool
no object network remote_pool
!
ip local pool RPOOL 10.10.10.1-10.10.10.10 mask 255.255.255.0
!
object-group network remote_pool
network-object host 10.10.10.0
network-object host 10.10.10.1
network-object host 10.10.10.2
network-object host 10.10.10.3
network-object host 10.10.10.4
network-object host 10.10.10.5
network-object host 10.10.10.6
network-object host 10.10.10.7
network-object host 10.10.10.8
network-object host 10.10.10.9
network-object host 10.10.10.10
!
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static remote_pool remote_pool
It would also be a good idea to open a TAC case for this issue so it can be linked to the bug, which in turn will help to get a fix available.
Hope that helps.
-Mike
03-11-2011 09:40 AM
Hi Mike,
It was solved.
I used subnet instead of range while creating the 'remote-pool' network object.
ip local pool RPOOL 10.10.10.1-10.10.10.10 mask 255.255.255.0
object network remote-pool
subnet 10.10.10.0 255.255.255.240
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
nat (management,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static remote-pool remote-pool
Finally I have a query, i.e. my firewall is an ASA 5510.
As I studied in the datasheet, it says that the ASA 5510 has a total of 5 FastEthernet interfaces in the base license. If we upgrade the license with Security Plus, then some of them will become gigabit interfaces.
But here my problem is that my firewall is showing all interfaces as Ethernet interfaces.
Will you explain what the problem is?
Regards,
Janardhan
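The subnet workaround above generalizes: because ASA 8.3 rejects a `range` object that overlaps an `ip local pool`, the `subnet` object used instead must be a single prefix that fully covers the pool (10.10.10.1-10.10.10.10 fits in 10.10.10.0/28). The Python below is an added example, not code from this thread or from Cisco; it computes the smallest covering prefix, renders the 8.3-style identity NAT lines, and checks that each rendered rule really maps each object to itself. Object names follow the thread; interface names are assumed.

```python
import ipaddress


def covering_subnet(pool_start, pool_end):
    """Smallest single IPv4 prefix containing every address of the VPN pool.

    Used in place of a 'range' object, which the ASA refuses when it overlaps
    an 'ip local pool' (bug referenced in the thread).
    """
    first = ipaddress.ip_address(pool_start)
    last = ipaddress.ip_address(pool_end)
    if last < first:
        raise ValueError("pool end precedes pool start")
    net = ipaddress.ip_network(str(first))   # /32 holding the first address
    while last not in net:                   # widen until the last address fits
        net = net.supernet()
    return net


def identity_nat_lines(inside_net, pool_start, pool_end, remote_net,
                       inside_if="inside", outside_if="outside"):
    """Render ASA 8.3+ objects and twice-NAT rules for NAT exemption.

    Identity NAT keeps real and mapped objects identical on both sides, so
    traffic to the VPN pool and to the remote site bypasses dynamic PAT.
    """
    inside = ipaddress.ip_network(inside_net)
    remote = ipaddress.ip_network(remote_net)
    pool = covering_subnet(pool_start, pool_end)
    obj_in = f"obj-{inside.network_address}"
    obj_rm = f"obj-{remote.network_address}"
    return [
        f"object network {obj_in}",
        f" subnet {inside.network_address} {inside.netmask}",
        "object network remote-pool",
        f" subnet {pool.network_address} {pool.netmask}",
        f"object network {obj_rm}",
        f" subnet {remote.network_address} {remote.netmask}",
        f"nat ({inside_if},{outside_if}) source static {obj_in} {obj_in} "
        f"destination static remote-pool remote-pool",
        f"nat ({inside_if},{outside_if}) source static {obj_in} {obj_in} "
        f"destination static {obj_rm} {obj_rm}",
    ]


def is_identity_nat(line):
    """True when a twice-NAT line maps source and destination objects to themselves."""
    tok = line.split()
    try:
        s, d = tok.index("source"), tok.index("destination")
        return (tok[s + 1] == "static" and tok[s + 2] == tok[s + 3]
                and tok[d + 1] == "static" and tok[d + 2] == tok[d + 3])
    except (ValueError, IndexError):   # not a twice-NAT rule or truncated line
        return False
```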
03-11-2011 09:46 AM
Hi Janardhan,
This is normal behavior. With the Security Plus license, interfaces Ethernet0/0 and Ethernet0/1 become gigabit interfaces, but they are still referred to as "Ethernet" by the ASA. However, if you look at the output of 'show interface', you will see that the speed should be 1000 Mbps:
Interface Ethernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
This is documented in the licensing guide for the ASA:
http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license.html#wp1456941
Although the Ethernet 0/0 and 0/1 ports are Gigabit Ethernet, they are still identified as "Ethernet" in the software.
Hope that helps.
-Mike
03-11-2011 11:42 PM
Hi Mike,
I got it.
I saw the output of sh inter eth 0/0 and it is showing speed as 100 Mbps.
And does my firewall support trunking (ASA 5510 with base license)?
If it is supported, how do I configure router on a stick?
Regards,
Janardhan