02-18-2013 04:53 AM - edited 03-11-2019 06:02 PM
Hello,
I have a query on NAT on an 8.4 ASA. We are going to configure an IPsec tunnel with our client. Our client has provided a single IP (192.168.32.11) which would be the source at his end. Is it possible to NAT my end network (10.130.20.0/24) to a logical IP (192.168.32.11) which is not configured anywhere?
Here are the details.
My end internal network (inside): 10.130.20.0/24
Logical IP to which my internal IPs are to be NATed: 192.168.32.11
Client end network: 10.100.10.0/24
If yes, please share the command also.
02-18-2013 05:04 AM
Hi,
You can do a Dynamic PAT towards the remote network through the L2L VPN.
The configuration would be something like this:
object network REMOTE-LAN
subnet 10.100.10.0 255.255.255.0
object network LOCAL-LAN
subnet 10.130.20.0 255.255.255.0
object network L2L-VPN-PAT
host 192.168.32.11
nat (inside,outside) source dynamic LOCAL-LAN L2L-VPN-PAT destination static REMOTE-LAN REMOTE-LAN
Where
Notice that if you do this NAT configuration then your L2L VPN ACL that defines the traffic will only include the L2L-VPN-PAT object IP address as your source address for the L2L VPN connection.
Hopefully the above information has been helpful. Please rate if so.
Naturally, ask more if something was unclear.
- Jouni
02-18-2013 05:42 AM
Thanks Jouni.
Do we need to perform No NAT there? Also, would an access-list be needed to permit this PAT IP (192.168.32.11)?
02-18-2013 06:01 AM
Hi,
I'm not quite sure what you mean here...
If you specifically want your LAN to show to the client network with a single IP address of 192.168.32.11 then you naturally would NOT do NAT0, as the NAT0 / NAT Exempt does no NAT for your LAN addresses. Wasn't the purpose to PAT all your LAN traffic to this single IP address of 192.168.32.11 before it goes to the REMOTE-LAN?
If you do PAT translation only towards the Client then you don't need to open anything from the Client towards your PAT IP, as it's a shared IP address for many LAN hosts. You can't really open anything towards a PAT IP address.
Naturally you will need to make sure to allow any traffic you need in your "inside" interface ACL to the REMOTE-LAN unless that traffic is already allowed.
- Jouni
02-18-2013 06:30 AM
Yes, we want our LAN to show a single IP (PAT) 192.168.32.11 to the client. I think there is no need to perform NAT0/exempt.
Thanks for your help Jouni.
02-18-2013 06:39 AM
Jouni, could you help me with another query that is not related to this?
I have the below config on ASA 8.2(5) but I am going to migrate it to 8.4(3). Here is the config from 8.2(5). Can you share this config in 8.4(3)? That would really be appreciated.
access-list www extended permit tcp host 10.110.120.20 any eq www
access-list www extended permit tcp host 10.110.120.20 any eq https
access-list www extended permit tcp host 10.110.120.32 any eq www
access-list www extended permit tcp host 10.110.120.32 any eq https
nat (inside) 2 access-list www
global (outside) 2 141.15.114.93 netmask 255.255.255.255
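Added example, not code from this thread or from Cisco: a small Python model of the ASA behaviour discussed above, written as a simulation rather than ASA configuration. It illustrates the two points Jouni makes about the L2L PAT (the crypto ACL must name the PAT IP 192.168.32.11 as the source, because translation happens before the tunnel match, and nothing can be "opened" toward a PAT IP because only reply traffic has an xlate entry) and what the 8.2(5) policy NAT above selects (only tcp/80 and tcp/443 from the two hosts are translated to 141.15.114.93; other ports and other hosts are left untranslated). The Flow, NatRule and PatTable names, the destination 203.0.113.9, the source ports and the PAT port allocation starting at 1024 are all assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    """Model of one twice-NAT line (hypothetical simplification, not ASA code):
    nat (inside,outside) source dynamic REAL MAPPED destination static DST DST [service ...]
    """
    real_src: Tuple[ipaddress.IPv4Network, ...]   # object or object-group of real hosts
    mapped_src: ipaddress.IPv4Address             # single host => many-to-one PAT
    dest: ipaddress.IPv4Network                   # 0.0.0.0/0 models "any"
    dports: FrozenSet[int] = frozenset()          # empty = no service match (all ports)

    def matches(self, f: Flow) -> bool:
        src = ipaddress.ip_address(f.src)
        return (any(src in n for n in self.real_src)
                and ipaddress.ip_address(f.dst) in self.dest
                and (not self.dports or f.dport in self.dports))


class PatTable:
    """Tiny stand-in for the xlate table: one mapped port per outbound connection."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.xlate = {}          # (mapped_ip, mapped_port, dst, dport) -> (real_ip, real_port)
        self._next_port = 1024   # assumed allocation start, purely illustrative

    def outbound(self, f: Flow) -> Flow:
        for r in self.rules:
            if r.matches(f):
                mport, self._next_port = self._next_port, self._next_port + 1
                self.xlate[(str(r.mapped_src), mport, f.dst, f.dport)] = (f.src, f.sport)
                return Flow(str(r.mapped_src), mport, f.dst, f.dport)
        return f                 # no rule matched: packet leaves untranslated

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Packet from the far side addressed to the PAT IP: delivered only if an
        xlate already exists (i.e. it is a reply); anything else has no real host
        to be un-translated to and is dropped."""
        real = self.xlate.get((f.dst, f.dport, f.src, f.sport))
        if real is None:
            return None
        return Flow(f.src, f.sport, real[0], real[1])


def crypto_acl_matches(acl, f: Flow) -> bool:
    """The crypto ACL is evaluated on the post-NAT packet, so the (src, dst)
    pairs in it must use the mapped (PAT) source, not the real LAN."""
    s, d = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    return any(s in sn and d in dn for sn, dn in acl)


def l2l_pat_scenario() -> dict:
    """LOCAL-LAN 10.130.20.0/24 PATed to 192.168.32.11 toward REMOTE-LAN 10.100.10.0/24."""
    net = ipaddress.ip_network
    rule = NatRule((net("10.130.20.0/24"),), ipaddress.ip_address("192.168.32.11"),
                   net("10.100.10.0/24"))
    table = PatTable([rule])
    out = table.outbound(Flow("10.130.20.5", 40000, "10.100.10.7", 443))   # constructed flow
    acl_real_lan = [(net("10.130.20.0/24"), net("10.100.10.0/24"))]        # wrong crypto ACL
    acl_pat_ip = [(net("192.168.32.11/32"), net("10.100.10.0/24"))]        # correct crypto ACL
    reply = table.inbound(Flow("10.100.10.7", 443, out.src, out.sport))
    unsolicited = table.inbound(Flow("10.100.10.7", 5555, "192.168.32.11", 22))
    return {
        "post_nat_src": out.src,
        "acl_with_real_lan_matches": crypto_acl_matches(acl_real_lan, out),
        "acl_with_pat_ip_matches": crypto_acl_matches(acl_pat_ip, out),
        "reply_delivered_to": reply.dst if reply else None,
        "unsolicited_dropped": unsolicited is None,
    }


def policy_pat_scenario() -> dict:
    """The 8.2(5) 'nat (inside) 2 access-list www' + 'global (outside) 2 141.15.114.93' pair."""
    net = ipaddress.ip_network
    rule = NatRule((net("10.110.120.20/32"), net("10.110.120.32/32")),
                   ipaddress.ip_address("141.15.114.93"), net("0.0.0.0/0"), frozenset({80, 443}))
    table = PatTable([rule])
    web = table.outbound(Flow("10.110.120.20", 50000, "203.0.113.9", 443))        # matches
    ssh = table.outbound(Flow("10.110.120.20", 50001, "203.0.113.9", 22))         # port not in ACL
    other_host = table.outbound(Flow("10.110.120.40", 50002, "203.0.113.9", 80))  # host not in ACL
    return {"web_src": web.src, "ssh_src": ssh.src, "other_host_src": other_host.src}


if __name__ == "__main__":
    print(l2l_pat_scenario())
    print(policy_pat_scenario())
```

The model deliberately keys the xlate on the full 4-tuple, which is what makes the unsolicited connection toward 192.168.32.11:22 fail: there is no entry to un-translate it to, which is the concrete reason Jouni gives for not being able to "open" anything toward a PAT address.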