08-21-2009 05:58 AM - edited 03-11-2019 09:08 AM
I have the following scenario: due to a 3rd party issue, they have no route to my Remote Access VPN IP pool, and their default gateway doesn't hit my ASA.
I want to enable NAT so that my VPN IP pool is hidden behind the inside interface of the firewall (as they can route to that). Below is a snippet of my config, but it doesn't work... any ideas?
(The Remote Access VPN works fine to the rest of the network; details have been changed to protect the innocent ;))
interface e0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
interface e1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
ip local pool VPN_POOL 192.168.10.1-192.168.19.100 mask 255.255.255.0
access-list NAT_VPN extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
global (inside) 10 interface
nat (outside) 10 access-list NAT_VPN
I think the issue is that I'm implementing "NAT & Global" from a low sec-level to a high one, but you can't do this with "statics" 'cause it complains that the subnet mask of the source in the ACL isn't a host.
Thanks in Advance,
Nick
08-27-2009 01:49 PM
In order to configure Policy NAT for VPN traffic, for example to change the source address, refer to this configuration example. In this example, the internal network is 10.10.1.0/24.
Create an access-list for Policy NAT with the real source and a destination IP address.
access-list POLICYNAT extended permit ip 10.10.1.0 255.255.255.0 host 172.16.1.1
access-list POLICYNAT extended permit ip 10.10.1.0 255.255.255.0 1.1.1.0 255.255.255.0
Create a static command that states that when the source is 10.10.1.0 and the destination is 172.16.1.1 or 1.1.1.0, the source is changed to 172.16.5.0.
static (inside,outside) 172.16.5.0 access-list POLICYNAT
Create a crypto access-list with the source as the new IP address defined in Policy NAT, for example, 172.16.5.0.
access-list VPN extended permit ip 172.16.5.0 255.255.255.0 host 172.16.1.1
access-list VPN extended permit ip 172.16.5.0 255.255.255.0 1.1.1.0 255.255.255.0
Apply the crypto access-list to the crypto map.
crypto map VPN 10 match address VPN
09-02-2009 05:34 AM
Hi,
Thanks for your response, but I don't think that'll do what I've asked.
I want to hide behind the interface of the firewall. I'm sure that...
static (inside,outside) 172.16.5.0 access-list POLICYNAT
...means that if 10.10.1.12 is the source, then the source NAT will be 172.16.5.12.
...also I want to NAT the other way round... outside,inside, not inside,outside ;-)
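For reference, below is an added worked example (not posted by anyone in this thread) of the direction Nick is asking for: dynamic outside NAT on an ASA running 8.2 or earlier, so that Remote Access VPN clients appear to the third party's 10.10.10.0/24 network as the firewall's inside interface address. The interface names, the VPN pool, and the 10.10.10.0/24 destination are taken from the first post; the full interface names (Ethernet0/Ethernet1) are an assumption. Two things differ from the snippet in the question, and both are the checks a practitioner would make first: the `nat` statement carries the `outside` keyword, which the pre-8.3 NAT syntax requires whenever the real interface has a lower security level than the interface named in the matching `global`; and the policy ACL covers the whole posted pool range (192.168.10.1 to 192.168.19.100), whereas the original ACL only matched 192.168.10.0/24, so clients assigned addresses from 192.168.11.x upward would never have been translated.

```text
! Added example, pre-8.3 ASA NAT syntax. Interface names Ethernet0/Ethernet1
! are assumed; addresses and pool are the values from the question.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ip local pool VPN_POOL 192.168.10.1-192.168.19.100 mask 255.255.255.0
!
! Policy NAT ACL: real source = the VPN pool, destination = the third party's
! network that cannot route back to the pool. The pool spans ten /24s, so it is
! covered with two summaries: 192.168.8.0/21 (192.168.8.0-192.168.15.255) and
! 192.168.16.0/22 (192.168.16.0-192.168.19.255). The unused extra space in the
! summaries is harmless because no VPN client is ever assigned an address there.
access-list NAT_VPN extended permit ip 192.168.8.0 255.255.248.0 10.10.10.0 255.255.255.0
access-list NAT_VPN extended permit ip 192.168.16.0 255.255.252.0 10.10.10.0 255.255.255.0
!
! Outside NAT: the real interface is outside (where decrypted VPN traffic
! enters), the mapped interface is inside. The trailing "outside" keyword is
! what marks this as an outside NAT rule; without it the ASA does not apply the
! rule from a lower-security interface towards a higher-security one.
nat (outside) 10 access-list NAT_VPN outside
!
! Translate to the inside interface address (192.168.1.1) with PAT, which is
! the address the third party can already route to.
global (inside) 10 interface
!
! VPN traffic that does not match NAT_VPN (for example to the rest of the
! 192.168.1.0/24 LAN) is left untranslated, so existing access rules written
! against the pool addresses keep working.
```

After a client connects and sends traffic to 10.10.10.0/24, `show xlate` should list PAT entries from a pool address to 192.168.1.1, and `show run nat` / `show run global` confirm the rule pair is present with the `outside` keyword. Because a policy ACL is used, only traffic to the third party's network is hidden; everything else the VPN clients reach still sees their real pool address, which matters if the rest of the network has per-client access rules or logging keyed on those addresses. With the ASA default of `no nat-control`, a client packet that matches no NAT rule is still forwarded untranslated rather than dropped, so a missing or mis-scoped ACL line shows up as "reply never comes back" rather than as a visible deny.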