Nat internal IPs with a logical IP

Anukalp S
Beginner

Hello,

I have a query on NAT on an 8.4 ASA. We are going to configure an IPsec tunnel with our client. Our client has provided a single IP (192.168.32.11) which would be the source at his end. Is it possible to NAT my end network (10.130.20.0/24) with a logical IP (192.168.32.11) which is not configured anywhere?

Here are the details.

My end internal network (inside): 10.130.20.0/24

Logical IP to which my internal IPs are to be NATted: 192.168.32.11

Client end network: 10.100.10.0/24

If yes, please share the commands also.



Jouni Forss
Mentor

Hi,

You can do a Dynamic PAT towards the remote network through the L2L VPN.

The configuration would be something like this:

object network REMOTE-LAN
 subnet 10.100.10.0 255.255.255.0
object network LOCAL-LAN
 subnet 10.130.20.0 255.255.255.0
object network L2L-VPN-PAT
 host 192.168.32.11

nat (inside,outside) source dynamic LOCAL-LAN L2L-VPN-PAT destination static REMOTE-LAN REMOTE-LAN

Where:

  • REMOTE-LAN = the object that defines the remote network for the NAT statement
  • LOCAL-LAN = the object that defines the local network for the NAT statement
  • L2L-VPN-PAT = the object that defines the NAT/PAT address that will be visible to the remote network
  • nat = the NAT statement that does the translation
    • Translation is done between the "inside" and "outside" interfaces (if you have different names, apply those names to the configuration)
    • The NAT configuration translates the whole LAN network to a single PAT address while the hosts try to connect to the network under the object REMOTE-LAN

Notice that if you do this NAT configuration then your L2L VPN ACL that defines the traffic will only include the L2L-VPN-PAT object IP address as your source address for the L2L VPN connection.

Hopefully the above information has been helpful. Please rate if so.

Naturally, ask more if something was unclear.

- Jouni
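Added example, not part of Jouni's answer or of the thread: a small Python model of the twice-NAT rule above, used to show why the crypto (L2L VPN) ACL must name the PAT address (L2L-VPN-PAT) as its source rather than LOCAL-LAN. The Flow class and the functions apply_twice_nat and crypto_acl_matches are names chosen for this example, and the flows it checks are constructed.

```python
# Added example (not from the thread): model the ASA 8.4 rule
#   nat (inside,outside) source dynamic LOCAL-LAN L2L-VPN-PAT
#       destination static REMOTE-LAN REMOTE-LAN
# and check the crypto ACL against the post-NAT packet.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Objects from the thread's configuration.
LOCAL_LAN = ip_network("10.130.20.0/24")
REMOTE_LAN = ip_network("10.100.10.0/24")
L2L_VPN_PAT = ip_address("192.168.32.11")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


def apply_twice_nat(flow: Flow) -> Flow:
    """Source is PATed to the single host only when the destination is
    inside REMOTE-LAN; the destination itself is unchanged (identity
    static). Any other flow is left untouched by this rule."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in LOCAL_LAN and dst in REMOTE_LAN:
        return Flow(str(L2L_VPN_PAT), flow.dst)
    return flow


def crypto_acl_matches(acl_src: str, acl_dst: str, flow: Flow) -> bool:
    """The ASA matches the crypto ACL against the packet after NAT, which
    is why the ACL source must be the PAT host and not LOCAL-LAN."""
    post_nat = apply_twice_nat(flow)
    return (ip_address(post_nat.src) in ip_network(acl_src)
            and ip_address(post_nat.dst) in ip_network(acl_dst))


if __name__ == "__main__":
    f = Flow("10.130.20.25", "10.100.10.7")          # constructed flow
    print(apply_twice_nat(f))                         # src -> 192.168.32.11
    # Crypto ACL written with the pre-NAT LAN as source: never matches.
    print(crypto_acl_matches("10.130.20.0/24", "10.100.10.0/24", f))   # False
    # Crypto ACL written with the PAT host as source: matches.
    print(crypto_acl_matches("192.168.32.11/32", "10.100.10.0/24", f))  # True
```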

Thanks Jouni.

Do we need to perform No NAT there? Also, would an access-list be needed to permit this PAT IP (192.168.32.11)?

Hi,

I'm not quite sure what you mean here...

If you specifically want your LAN to show to the client network with a single IP address of 192.168.32.11 then you naturally would NOT do NAT0, as the NAT0 / NAT Exempt does no NAT for your LAN addresses. Wasn't the purpose to PAT all your LAN traffic to this single IP address of 192.168.32.11 before it goes to the REMOTE-LAN?

If you do PAT translation only towards the Client then you don't need to open anything from the Client towards your PAT IP, as it's a shared IP address for many LAN hosts. You can't really open anything towards a PAT IP address.

Naturally you will need to make sure to allow any traffic you need in your "inside" interface ACL to the REMOTE-LAN unless that traffic is already allowed.

- Jouni

Yes, we want our LAN to show a single IP (PAT) 192.168.32.11 to the client. I think there is no need to perform NAT0/exempt.

Thanks for your help Jouni.

Jouni, could you help me with another query that is not related to this?

I have the config below from an ASA 8.2(5), but I am going to migrate it to 8.4(3). Here is the 8.2(5) config. Can you share this config in 8.4(3) form? That would really be appreciated.

access-list www extended permit tcp host 10.110.120.20 any eq www
access-list www extended permit tcp host 10.110.120.20 any eq https
access-list www extended permit tcp host 10.110.120.32 any eq www
access-list www extended permit tcp host 10.110.120.32 any eq https

nat (inside) 2 access-list www
global (outside) 2 141.15.114.93 netmask 255.255.255.255
