06-06-2012 02:36 PM - edited 03-11-2019 04:16 PM
Hello,
I'm hoping that someone can straighten me out. I don't have a ton of experience with ASAs and I've inherited one that I need to support. Currently it has several IPsec tunnels terminating on it. There is one tunnel that connects to an office with a network address conflict. To get around this, the previous administrator put a many-to-one NAT in place:
access-list vpntraffictonat extended permit ip 192.168.0.0 255.255.255.0 10.64.0.0 255.224.0.0
access-list vpntraffictonat extended permit ip 192.168.0.0 255.255.255.0 10.251.0.0 255.255.0.0
nat (data) 2 access-list vpntraffictonat
global (outside) 2 10.201.108.2
So all the remote PCs on 192.168.0.0 are only NATed to 192.168.108.2 when accessing resources on 10.64.0.0. Now they have requested the ability to connect to the remote PCs from 10.64.0.0. I assume that I need a policy static, so that I don't break traffic going over the other IPsec tunnels.
no nat (data) 2 access-list vpntraffictonat
no global (outside) 2 10.201.108.2
static (data,outside) 10.201.108.0 access-list vpntraffictonat
My understanding is that this will allow two-way, one-to-one NAT between these two networks. Am I misunderstanding this use of the static command?
06-06-2012 11:38 PM
Yes, you are absolutely correct.
However, you may need to change your crypto ACL as well. If you just have host 10.201.108.2 on your crypto ACL, you would need to change it to 10.201.108.0/24, and so does the other end.
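The full change the two posts above describe, written out as an added example (not configuration from the original poster or from the replier): the dynamic policy NAT is removed, the net-to-net static policy NAT takes its place, and the crypto ACL for the conflicting tunnel references the mapped /24 rather than the single PAT address. The crypto ACL name outside_cryptomap_conflict, the object names in the 8.3+ section, and the host addresses used in the packet-tracer checks are assumptions made for illustration; the ACL vpntraffictonat and the 10.201.108.0/24 mapped range come from the thread. The 8.3+ twice-NAT form goes beyond the thread, which uses pre-8.3 syntax, and is included because the same overlap problem is solved the same way on later code.

```text
! --- Pre-8.3 syntax (as in the thread) ---
! Remove the many-to-one dynamic policy NAT. PAT to a single global address builds
! an xlate only when a 192.168.0.x host initiates, so 10.64.0.0/11 can never reach
! an inside PC through it.
no nat (data) 2 access-list vpntraffictonat
no global (outside) 2 10.201.108.2

! Net-to-net static policy NAT: 192.168.0.x <-> 10.201.108.x, applied only when the
! destination matches vpntraffictonat (10.64.0.0/11 and 10.251.0.0/16). The mask is
! taken from the ACL source, so the existing /24 entries give a one-to-one mapping.
! Traffic to the other tunnels does not match the ACL and keeps its existing NAT.
static (data,outside) 10.201.108.0 access-list vpntraffictonat

! Crypto ACL for the conflicting tunnel must carry the mapped /24, not host .2.
! (ACL name is an assumption; the peer's mirror ACL must change the same way.)
access-list outside_cryptomap_conflict extended permit ip 10.201.108.0 255.255.255.0 10.64.0.0 255.224.0.0
access-list outside_cryptomap_conflict extended permit ip 10.201.108.0 255.255.255.0 10.251.0.0 255.255.0.0

! Verify both directions before declaring victory (host addresses are made up):
! inside-initiated, should show NAT to 10.201.108.10 and match the crypto map
packet-tracer input data tcp 192.168.0.10 1025 10.64.1.10 445
! remote-initiated, should untranslate 10.201.108.10 to 192.168.0.10 and be allowed
packet-tracer input outside tcp 10.64.1.10 1025 10.201.108.10 3389
show xlate | include 10.201.108

! --- 8.3 and later equivalent (twice NAT; object names are assumptions) ---
object network DATA_LAN_REAL
 subnet 192.168.0.0 255.255.255.0
object network DATA_LAN_MAPPED
 subnet 10.201.108.0 255.255.255.0
object-group network CONFLICT_REMOTE
 network-object 10.64.0.0 255.224.0.0
 network-object 10.251.0.0 255.255.0.0
! Source is translated one-to-one only when the destination is a conflicting network;
! the destination is an identity translation so the rule is bidirectional.
nat (data,outside) source static DATA_LAN_REAL DATA_LAN_MAPPED destination static CONFLICT_REMOTE CONFLICT_REMOTE
```

One caveat worth checking with the packet-tracer lines above: on pre-8.3 code, NAT exemption (nat (data) 0 access-list ...) is evaluated before static policy NAT. If an exemption ACL written for the other tunnels also happens to match 192.168.0.0/24 to 10.64.0.0/11 or 10.251.0.0/16, the exemption wins and the static never applies; the packet-tracer output shows which NAT rule matched.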
06-07-2012 09:41 AM
Thank you for the response.
Yeah, the SAs are already set up for the /24, which made me wonder why they didn't just set up the network static to begin with. Thanks for the sanity check!
chris