Policy NAT Assistance

pootboy69
Level 1

We have an ASA5510s which has a VPN to a remote client with networks of 192.168.61.0/24 and 192.168.62.0/24 (note that these are the actual network IP ranges and not used here to substitute for public IPs).  One of our internal networks is 10.2.1.0/24.  We used to include this in the VPN but the remote client's company has recently implemented 10.2.0.0/16 at their location and cannot readily change it.

I need to be able to NAT all of our 10.2.1.0/24 network into a single address, say 10.10.20.200, to be able to pass it on to the remote user.  I have tentatively recommended:

access-list Internal_nat_outbound line 1 extended permit ip 10.2.1.0 255.255.255.0 host 10.10.20.200
nat (Internal) 1 access-list Internal_nat_outbound tcp 0 0 udp 0

Please advise if this will do what I need, based on the above explanation or if I'm missing something.  This special application of NAT is new to me and I have no experience in doing it.  Thanx!

Wolf

8 Replies

manish arora
Level 6

Thank you for the suggested document!  However, this does not solve the issue.  I need to find a way to NAT our 10.2.1.0/24 network into a single 10.10.20.200 address with NAT overload.  Thanx!

Hi,

The way you have suggested will not work. What you need to do is as below:

access-list Internal_nat_outbound line 1 extended permit ip 10.2.1.0 255.255.255.0 10.2.0.0 255.255.0.0

nat (Internal) 1 access-list Internal_nat_outbound

global (External) 1 10.10.20.200

Also, your crypto ACL should point from 10.10.20.200 -----> 10.2.0.0 255.255.0.0.

This should PAT if traffic is flowing according to the access-list Internal_nat_outbound. I have assumed here that "External" is the name of your outside interface. Let me know if this works.

Thanks and Regards,

Prapanch

Thank you for your reply!  However, there are two things I do not understand (I am new to ASA, having only worked with Juniper and Nokia firewalls in the past).  Why is the access-list using the 16-bit network of 10.2.0.0 and how (and why) do I "point" the crypto ACL to it?  There are two other networks currently defined in the current l2l IPsec tunnel.  Thanx!

Hi,

I was under the impression based on the original post that the remote end network is a 10.2.0.0/16. Is that right?

If so, then the access-list for the NAT says that (when a packet is going from 10.2.1.0/24 to 10.2.0.0/16 and is to be routed out the External interface) dynamically PAT (overload) the source IP addresses to the 10.10.20.200 IP address.

The crypto ACL has to be configured that way because we need this to be encrypted and sent across the tunnel, and hence it is from 10.2.1.0/24 -----> 10.10.20.200.

Hope that clears things!!

Thanks and Regards,

Prapanch

Thank you and my apologies for not being clear enough.  The current configuration for this VPN is:

object-group network LakerMN-NavMAD
description trusted networks from Laker MN to Navitus Madison
network-object 10.10.20.0 255.255.255.0
network-object 10.2.1.0 255.255.255.0
object-group network NavMAD-LakerMN
description Navitus IPs that can get to Laker MN
network-object 192.168.82.0 255.255.255.0
network-object 192.168.61.0 255.255.255.0
network-object 192.168.62.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0

access-list vpn-NavMD-Laker extended permit ip object-group LakerMN-NavMAD object-group NavMAD-LakerMN
access-list vpn-NavMD-Laker extended permit ip object-group NavMAD-LakerMN object-group LakerMN-NavMAD

I need to remove the line "network-object 10.2.1.0 255.255.255.0" in the "object-group network LakerMN-NavMAD" and replace it with the correct policy NAT to translate our 10.2.1.0/24 network into a single (NAT overload) address of 10.2.1.200.  So, per your suggestion, using my ACL name for this VPN, is this correct and complete?

access-list vpn-NavMD-Laker line 1 extended permit ip 10.2.1.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (Internal) 1 access-list vpn-NavMD-Laker
global (External) 1 10.10.20.200

I genuinely appreciate your patience!!  Thanx!

Wolf

Hi,

Well, we have 2 options. If you are going to substitute the network 10.2.1.0/24 with the PAT IP address, the ACL that you have, vpn-NavMD-Laker, will then be the crypto ACL. For the NAT, you will need another ACL from 10.2.1.0/24 to 10.2.0.0/16, and you cannot use the same ACL in the nat as you have mentioned here.

Thanks and Regards,

Prapanch
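The ordering that Prapanch's replies rely on (on the ASA, the policy NAT on the Internal interface is applied to outbound traffic before the crypto ACL is evaluated, so the crypto ACL has to name the PAT address, and the NAT ACL and crypto ACL must be separate lists) modelled as an added example; this is not code from the thread or from Cisco. It parses the pre-8.3 access-list / nat / global syntax used above. The interface names Internal and External, the PAT address 10.10.20.200 and the remote networks 192.168.61.0/24 and 192.168.62.0/24 are taken from the thread; using those two remote networks as the NAT ACL destinations, and the sample packets, are assumptions.

```python
# Added example: a small model of how an ASA 8.2-style policy NAT (nat/global)
# is applied to an outbound packet before the crypto ACL is matched.  Not ASA
# code.  Interface names, the PAT address and the remote networks come from the
# thread; the NAT ACL destinations and the sample packets are constructed.
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One 'permit ip SRC DST' entry of an extended access-list."""
    src: Net
    dst: Net

    def matches(self, src_ip: IPv4, dst_ip: IPv4) -> bool:
        return src_ip in self.src and dst_ip in self.dst


def _take_net(tokens, i):
    """Read 'any', 'host A' or 'A MASK' starting at tokens[i]; return (net, next index)."""
    if tokens[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return Net(tokens[i + 1] + "/32"), i + 2
    return Net(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_config(lines):
    """Collect access-lists, 'nat (ifc) ID access-list NAME' and 'global (ifc) ID IP'."""
    acls, nat_rules, globals_ = {}, [], {}
    for raw in lines:
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list":
            i = 2
            if t[i] == "line":                      # 'line N' is optional
                i += 2
            if t[i:i + 3] != ["extended", "permit", "ip"]:
                raise ValueError(f"unsupported ACE: {raw}")
            src, i = _take_net(t, i + 3)
            dst, _ = _take_net(t, i)
            acls.setdefault(t[1], []).append(Ace(src, dst))
        elif t[0] == "nat" and t[3] == "access-list":
            nat_rules.append((int(t[2]), t[4]))     # (nat id, policy ACL name)
        elif t[0] == "global":
            globals_[int(t[2])] = IPv4(t[3])        # nat id -> PAT address
    return acls, nat_rules, globals_


def translate_source(src_ip, dst_ip, acls, nat_rules, globals_):
    """Policy PAT: the first nat ACL that matches the *original* packet wins."""
    for nat_id, acl_name in nat_rules:
        if any(ace.matches(src_ip, dst_ip) for ace in acls.get(acl_name, [])):
            return globals_[nat_id]
    return src_ip                                    # no policy match: untranslated


def check_flow(config_lines, crypto_acl, src, dst):
    """Return (translated source, whether the crypto ACL matches the translated packet)."""
    acls, nat_rules, globals_ = parse_config(config_lines)
    src_ip, dst_ip = IPv4(src), IPv4(dst)
    xlated = translate_source(src_ip, dst_ip, acls, nat_rules, globals_)
    encrypted = any(ace.matches(xlated, dst_ip) for ace in acls.get(crypto_acl, []))
    return str(xlated), encrypted


# Constructed config in the shape suggested in the thread: a separate policy-NAT
# ACL plus a crypto ACL that names the PAT address.  Assumption: the VPN
# destinations for 10.2.1.0/24 are the remote 192.168.61.0/24 and 192.168.62.0/24.
NAT_RULES = [
    "access-list Internal_nat_outbound extended permit ip 10.2.1.0 255.255.255.0 192.168.61.0 255.255.255.0",
    "access-list Internal_nat_outbound extended permit ip 10.2.1.0 255.255.255.0 192.168.62.0 255.255.255.0",
    "nat (Internal) 1 access-list Internal_nat_outbound",
    "global (External) 1 10.10.20.200",
]
CRYPTO_OK = [  # crypto ACL written against the translated (PAT) address
    "access-list vpn-NavMD-Laker extended permit ip host 10.10.20.200 192.168.61.0 255.255.255.0",
    "access-list vpn-NavMD-Laker extended permit ip host 10.10.20.200 192.168.62.0 255.255.255.0",
]
CRYPTO_STALE = [  # crypto ACL still listing only the pre-NAT network
    "access-list vpn-NavMD-Laker extended permit ip 10.2.1.0 255.255.255.0 192.168.61.0 255.255.255.0",
]

if __name__ == "__main__":
    print(check_flow(NAT_RULES + CRYPTO_OK, "vpn-NavMD-Laker", "10.2.1.50", "192.168.61.10"))
    print(check_flow(NAT_RULES + CRYPTO_STALE, "vpn-NavMD-Laker", "10.2.1.50", "192.168.61.10"))
    print(check_flow(NAT_RULES + CRYPTO_OK, "vpn-NavMD-Laker", "10.2.1.50", "192.168.100.10"))
```

The second call is the failure mode worth checking before the change goes live: with the crypto ACL still built from the old 10.2.1.0/24 object-group entry, the packet is translated to 10.10.20.200, matches nothing in the crypto ACL, and would leave the External interface unencrypted. The third call shows that a destination outside the NAT ACL is not translated at all, so the policy NAT and the crypto ACL need to agree on the same remote destinations. On the real ASA, packet-tracer gives the equivalent per-phase view.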

Thank you for the support and patience.  I'll try this tomorrow.

Regards,

Wolf
