08-02-2021 12:10 PM
Hopefully my terminology is correct. I'm not a Cisco expert by any means.
I have an ASA5506 at SiteA listening on 10.10.1.1 and an ASA5506 at SiteB listening on 10.10.20.1 and a site-to-site VPN between the two.
I have another device at SiteA listening on 10.10.1.9 that will only respond to traffic on the same subnet. It will not route traffic to a gateway, so all traffic to and from this device must be on the 10.10.1.0/24 subnet.
What kind of NAT or PAT rule do I need to configure to get a device on the 10.10.20.0/24 subnet at SiteB to be able to communicate with this 10.10.1.9 device at SiteA?
Thanks in advance,
--Rob
08-19-2021 12:55 PM
Hi @rschember1,
Your command looks ok, but you'll need to remove the 'no-proxy-arp' part. Since there is no 'real' host behind these IPs, the ASA must reply to ARP requests. If you use this command, you are telling the ASA not to reply to ARP requests, so the host can't send traffic at all.
On the other hand, I believe you don't need to create a NAT rule on SiteB:
BR,
Milos
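Putting Marvin's design (an unused SiteA address standing in for the SiteB host, with destination translation on the SiteA ASA) together with Milos's two corrections (drop 'no-proxy-arp', no rule on SiteB), here is a complete SiteA configuration as an added example; it is not configuration posted by anyone in this thread. The object names obj-10.10.1.9, obj-10.10.1.8 and obj-10.10.20.9 and the interface names inside/outside are taken from Rob's post. The NET-SITEA/NET-SITEB objects and the identity-NAT exemption rule are assumptions standing in for whatever the existing site-to-site VPN already uses; the point of showing them is rule ordering.

```cisco
! SiteA ASA (10.10.1.1). Added example: object and interface names as in the
! thread; NET-SITEA, NET-SITEB and the exemption rule are assumed to exist
! already for the site-to-site VPN.
object network obj-10.10.1.9
 host 10.10.1.9
 description Non-routing device, only talks on 10.10.1.0/24
object network obj-10.10.1.8
 host 10.10.1.8
 description Unused SiteA address standing in for the SiteB host
object network obj-10.10.20.9
 host 10.10.20.9
 description Real SiteB host
!
object network NET-SITEA
 subnet 10.10.1.0 255.255.255.0
object network NET-SITEB
 subnet 10.10.20.0 255.255.255.0
!
! Host-specific rule inserted at line 1 so it is evaluated before the broader
! identity rule. Manual (section 1) NAT is first-match; in the reverse
! direction, 10.10.20.9 -> 10.10.1.9 would otherwise match the exemption
! first and arrive at 10.10.1.9 with its source untranslated.
! No 'no-proxy-arp': 10.10.1.9 ARPs for 10.10.1.8 directly (same subnet, no
! gateway), so the ASA must answer for 10.10.1.8 on inside.
nat (inside,outside) 1 source static obj-10.10.1.9 obj-10.10.1.9 destination static obj-10.10.1.8 obj-10.10.20.9
nat (inside,outside) source static NET-SITEA NET-SITEA destination static NET-SITEB NET-SITEB no-proxy-arp route-lookup
!
! Static twice NAT is bidirectional, so the single rule above also handles
! the flow from SiteB: outside 10.10.20.9 -> 10.10.1.9 reaches inside as
! 10.10.1.8 -> 10.10.1.9, and the reply 10.10.1.9 -> 10.10.1.8 is mapped
! back to 10.10.20.9 before encryption. NAT runs before the crypto ACL is
! checked on egress, so 10.10.1.9 -> 10.10.1.8 becomes 10.10.1.9 -> 10.10.20.9
! and matches the existing 10.10.1.0/24 <-> 10.10.20.0/24 VPN ACL.
! Nothing is added on the SiteB ASA; the SiteB host addresses 10.10.1.9 as-is.
!
! Verification from exec mode:
! packet-tracer input inside icmp 10.10.1.9 8 0 10.10.1.8
!   -> the NAT phase should show destination 10.10.1.8 translated to
!      10.10.20.9 and the packet leaving via outside into the VPN
! show nat detail
! show xlate
```

If packet-tracer stops at the NAT phase with the identity rule as the match, the host-specific rule has landed after the exemption; `show nat` lists manual rules in evaluation order, and `nat (inside,outside) 1 ...` re-inserts at the top. If the 10.10.1.9 device never even sends a packet, check from the device side that it resolves a MAC for 10.10.1.8, which confirms the proxy-ARP point.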
08-02-2021 12:46 PM
You will have to update both ASAs' "inside,outside" NAT rules. Choose an unused address in the SiteA 10.10.1.0 subnet that will map to the device at SiteB needing to talk. Then on ASA A, the NAT rule is that traffic destined to that address translates the DESTINATION to the real address at SiteB. Likewise the NAT rule at SiteB is the mirror image - it translates the SOURCE from its real address to the mapped address in SiteA's network.
08-03-2021 05:47 AM
Hi Marvin --
Thank you for the reply, but I think I'm missing something here. I tried following your description and came up with the following two rules, but it doesn't allow traffic to flow and I'm not sure why.
SiteA:
If the source is 10.10.1.9 and the destination is the unused address 10.10.1.8, change the destination to 10.10.20.9
nat (inside,outside) source static obj-10.10.1.9 obj-10.10.1.9 destination static obj-10.10.1.8 obj-10.10.20.9 no-proxy-arp
SiteB:
If the source is 10.10.20.9 and the destination is 10.10.1.9, change the source to the unused 10.10.1.8
nat (inside,outside) source static obj-10.10.20.9 obj-10.10.1.8 destination static obj-10.10.1.9 obj-10.10.1.9 no-proxy-arp
Any help is appreciated.
--Rob
08-19-2021 05:25 AM - edited 08-19-2021 05:38 AM
Hi Marvin --
Are you able to help with my response above? I still haven't found a working solution.
Thanks,
--Rob