NAT Help

Mike Hogenauer
Level 1

Hi –

I just wanted to verify my config and make sure I’m doing this correctly.

I’m setting up a new ASA VPN firewall for all our vendor site-to-site connections. I don’t want to expose my inside subnets to the vendors so I was going to carve out subnets from a 10.3.0.0/16 space to NAT the traffic.

Example:

-------------------------------

Vendor X subnet

object network VEND_X_VPN

 subnet 192.168.1.0 255.255.255.0

My internal subnet for vendor X to connect to:

object network MY_VPN

 subnet 10.1.60.0 255.255.255.0

object network VEND_NAT

 subnet 10.3.1.0 255.255.255.0

NAT statement – this would be applied on my firewall, so I'm assuming the vendor will put the NAT'd address (10.3.1.0/24) in his crypto map to connect to.

nat (inside,outside) source dynamic MY_VPN VEND_NAT destination static VEND_X_VPN VEND_X_VPN

-------------------------------

Does this look right?

Thanks

Mike

1 Accepted Solution

On your local VPN match address ACL you need to put the 10.3.1.0/24.

Value our effort and rate the assistance!
5 Replies

jumora
Level 7

Just change it to source static:

nat (inside,outside) source static MY_VPN VEND_NAT destination static VEND_X_VPN VEND_X_VPN

The VPN portion is correct.


If you have any doubts please let me know.

Please mark as answered and rate the assistance.

Mike Hogenauer
Level 1

Thanks Jumora!

So basically my crypto map ACL will look like:

ACL crypto 1 permit my_vpn vend_nat

So I didn't need to reference the vendor's 192 subnet because the inside interface is doing the NATting, correct?

Regards,

Mike

Ok wait, from what I understood, what you were doing was NATting your local network so that the remote VPN network would not know of your real network 10.1.60.0/24, so you were going to translate it to 10.3.1.0/24 when going to 192.168.1.0/24. If this was the case, the NAT rule that I am going to place under this conversation is correct:

nat (inside,outside) source static MY_VPN VEND_NAT destination static VEND_X_VPN VEND_X_VPN

Then what you need to add on the match address ACL would be something like this:

access-list VPN extended permit ip 10.3.1.0 255.255.255.0 192.168.1.0 255.255.255.0

That is what I was saying.

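The thread's pieces stitched into one working ASA configuration, as an added example that is not part of the original posts: the three objects, the static twice NAT rule, the crypto ACL written against the translated subnet, the vendor's mirrored ACL, and the commands to check it. Assumed for illustration (not stated in the thread): the vendor peer is 203.0.113.10 (a documentation address), the outside interface is named "outside", IKEv1 with a placeholder pre-shared key, and the policy/transform-set names.

```text
! Added example (not from the thread). Assumptions: vendor peer 203.0.113.10,
! interfaces named "inside"/"outside", IKEv1 with a placeholder PSK.

object network MY_VPN
 subnet 10.1.60.0 255.255.255.0
object network VEND_NAT
 subnet 10.3.1.0 255.255.255.0
object network VEND_X_VPN
 subnet 192.168.1.0 255.255.255.0

! Static twice NAT (manual NAT, section 1): the vendor sees 10.1.60.0/24 as
! 10.3.1.0/24, and only when the destination is the vendor subnet.
! "static" (not "dynamic") keeps the mapping one-to-one and bidirectional,
! so the vendor can also initiate to 10.3.1.x and reach the matching
! 10.1.60.x host. Manual NAT is evaluated top-down, so this rule must sit
! above any general manual PAT rule for Internet traffic; "1" puts it first.
nat (inside,outside) 1 source static MY_VPN VEND_NAT destination static VEND_X_VPN VEND_X_VPN

! The crypto ACL names the TRANSLATED source: NAT happens before the crypto
! map is evaluated on egress, so the real 10.1.60.0/24 never appears here.
access-list VEND_X_CRYPTO extended permit ip 10.3.1.0 255.255.255.0 192.168.1.0 255.255.255.0

! The vendor side must mirror it exactly (their local network first):
!   access-list ... permit ip 192.168.1.0 255.255.255.0 10.3.1.0 255.255.255.0

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside

crypto ipsec ikev1 transform-set VEND_TS esp-aes-256 esp-sha-hmac
crypto map VPN_MAP 10 match address VEND_X_CRYPTO
crypto map VPN_MAP 10 set peer 203.0.113.10
crypto map VPN_MAP 10 set ikev1 transform-set VEND_TS
crypto map VPN_MAP interface outside

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_STRONG_PSK

! Checks (run from enable mode):
! packet-tracer input inside tcp 10.1.60.10 12345 192.168.1.10 443
!   The NAT phase should show 10.1.60.10 translated to 10.3.1.10 and the
!   VPN phase should match VEND_X_CRYPTO. A drop in the VPN phase usually
!   means the crypto ACL still names the real subnet instead of 10.3.1.0/24.
! show nat detail                          (translate_hits/untranslate_hits)
! show crypto ipsec sa peer 203.0.113.10   (#pkts encaps / #pkts decaps)
```

Two practical notes. First, the vendor's mirrored ACL is the thing that most often goes wrong: if they build their crypto ACL against 10.1.60.0/24 because that is the network you mentioned on the phone, Phase 2 negotiates a proxy-ID mismatch and the tunnel never comes up, so hand them only 10.3.1.0/24. Second, `sysopt connection permit-vpn` is on by default, which means decrypted vendor traffic bypasses the outside interface ACL and can reach anything in 10.1.60.0/24 that the NAT rule exposes; if the vendor should only reach specific hosts or ports, attach a `vpn-filter` ACL to the tunnel-group's group-policy, or disable the sysopt and permit the traffic explicitly on the outside interface.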