
NAT/PAT config over IPSec VPN connection

nickhesson
Level 1

Hello all,

Sorry, I'm sure there are other threads on this question, but I can't seem to get anything to work. This is what we are trying to get done:

[Attached diagram: PAT for 10network.png]

Site A needs to access the Host in Site B. Of course the Host has a default router that has a route to 10.1.1.X. Is there a way to PAT the source traffic of 10.1.1.X to the IP address of the inside interface of ASA2, or to another 192.168.12.X/26 address? Whatever we have tried, the traffic always lands on the main NAT exemption rule for the tunnel:

nat (inside,outside) source static Obj_192.168.12.X Obj_192.168.12.X destination static Obj_10.1.1.X Obj_10.1.1.X no-proxy-arp route-lookup

Can someone point me in the right direction? Again, sorry if there's a common thread on this that I can't seem to find.

Thanks for your time and help,

Nick


3 Replies

Jennifer Halim
Cisco Employee

Leave the NAT rule, and you would also need to configure dynamic NAT:

object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
 nat (outside,inside) dynamic interface

Then "clear xlate" after the above configuration.

Wow, thanks for the quick reply! Unfortunately this didn't work for me. I added a similar NAT rule before posting. It wasn't an Object NAT, but something very close. Maybe the Object does have something to do with this.

If I add the Object NAT and run clear xlate, new translations will still use the above NAT statement.

So I made that rule inactive, and connections from Site A to Host work.  But now connections from Site B don't get the NAT exemption going back to Site A. 

So currently we have this on (ASA2):

object network Obj_10.1.1.X
 subnet 10.1.1.0 255.255.255.0
object network Obj_192.168.12.X
 subnet 192.168.12.0 255.255.255.192
nat (inside,outside) source static Obj_192.168.12.X Obj_192.168.12.X destination static Obj_10.1.1.X Obj_10.1.1.X no-proxy-arp route-lookup inactive
object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
 nat (outside,inside) dynamic interface

HOBUFWSS01# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static Obj_192.168.12.X Obj_192.168.12.X   destination static Obj_10.1.1.X Obj_10.1.1.X inactive
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (outside) to (inside) source dynamic obj-10.1.1.0 interface
    translate_hits = 141, untranslate_hits = 22

Note we do have two different objects obj-10.1.1.0 and Obj_10.1.1.X.

What am I doing wrong? Got closer. Also, the clients in Site B that need access to Site A point directly to ASA2 as their default router.

Thanks,

Nick

Change the NAT rule to "unidirectional" as follows:

nat (inside,outside) source static Obj_192.168.12.X Obj_192.168.12.X  destination static Obj_10.1.1.X Obj_10.1.1.X no-proxy-arp route-lookup unidirectional

Then "clear xlate", and leave the object NAT as the above.
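To see why the exemption kept winning and why `unidirectional` fixes it, here is a small Python model of the ASA NAT lookup order for this thread's two rules (an added illustration, not ASA code or anything posted above). It assumes Section 1 is evaluated before Section 2, that a static twice-NAT rule matches both directions unless marked `unidirectional`, and it invents the ASA2 inside interface IP 192.168.12.1 and two host addresses, none of which are given in the thread.

```python
import ipaddress

# Constructed value: ASA2's inside interface IP, used as the PAT address.
INSIDE_IF_IP = "192.168.12.1"

def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def manual_rule(unidirectional):
    """Section 1 exemption from the thread:
    nat (inside,outside) source static Obj_192.168.12.X Obj_192.168.12.X
        destination static Obj_10.1.1.X Obj_10.1.1.X [unidirectional]"""
    return {"real_if": "inside", "mapped_if": "outside",
            "src": "192.168.12.0/26", "dst": "10.1.1.0/24",
            "unidirectional": unidirectional}

# Section 2 object NAT from the thread: nat (outside,inside) dynamic interface
AUTO_RULE = {"real_if": "outside", "src": "10.1.1.0/24", "pat_ip": INSIDE_IF_IP}

def lookup(pkt, rule):
    """Return (matching rule, translated source) for a NEW connection.
    Section 1 (manual NAT) is checked before Section 2 (auto NAT)."""
    fwd = (pkt["in_if"] == rule["real_if"] and in_net(pkt["src"], rule["src"])
           and in_net(pkt["dst"], rule["dst"]))
    if fwd:
        return "section1-forward", pkt["src"]       # identity NAT, unchanged
    # A static twice-NAT rule also matches the reverse direction (10.1.1.x
    # arriving on outside towards 192.168.12.x) unless it is unidirectional.
    rev = (pkt["in_if"] == rule["mapped_if"] and in_net(pkt["src"], rule["dst"])
           and in_net(pkt["dst"], rule["src"]))
    if rev and not rule["unidirectional"]:
        return "section1-reverse", pkt["src"]       # exemption wins, no PAT
    if pkt["in_if"] == AUTO_RULE["real_if"] and in_net(pkt["src"], AUTO_RULE["src"]):
        return "section2-pat", AUTO_RULE["pat_ip"]  # PAT to inside interface
    return "no-nat", pkt["src"]

# Constructed sample connections (host addresses are assumed).
SITE_A_TO_HOST = {"in_if": "outside", "src": "10.1.1.50", "dst": "192.168.12.20"}
HOST_TO_SITE_A = {"in_if": "inside", "src": "192.168.12.20", "dst": "10.1.1.50"}

if __name__ == "__main__":
    for label, rule in (("bidirectional", manual_rule(False)),
                        ("unidirectional", manual_rule(True))):
        print(label, "A->B:", lookup(SITE_A_TO_HOST, rule),
              "B->A:", lookup(HOST_TO_SITE_A, rule))
```

The model only covers new connections; existing translations are served from the xlate table, which is why the reply says to run `clear xlate` after changing the rule.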
