cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1563
Views
0
Helpful
6
Replies

Policy NAT

b_rasheed
Level 1
Level 1

Hello folks,

I am new to policy NAT, we have ASA 5505 and I am trying to create a policy NAT to connect my network to anohter location through the VPN tunnel, I do not have any problem creating the VPN tunnel, the only problem is:

my inside network is 10.0.5.0/24  and my other end is 192.168.181.0 /28

I am trying to connect to 192.168.181.0 /28 by using this subnet 192.168.182.0 /28

I want the other end to see my network as 192.168.182.0 /28

access-list 105 extended permit ip 192.168.182.16 255.255.255.240 192.168.181.16 255.255.255.240
access-list NAT-T extended permit ip host 10.0.5.1 192.168.181.16 255.255.255.240

nat (inside) 15 access-list NAT-T

global (outside) 15 192.168.182.16 netmask 255.255.255.240

then the normal configuratoin for the VPN tunnel.

Thanks for your help.

2 Accepted Solutions

Accepted Solutions

witsang
Cisco Employee
Cisco Employee

Hi,

You'll want to use a policy nat with the 'static' command to achieve this. The mapped subnet needs to be the same size as the original subnet. For example, 10.0.5.0/24 can be mapped to 192.168.182.0/24, but not 192.168.182.0 /28.

Here is the sample config:

access-list policy-nat permit ip 10.0.5.0 255.255.255.0 192.168.181.0 255.255.255.0

static (inside,outside) 192.168.182.0 access-list policy-nat

For a more detailed example, see PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT Configuration Example:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

View solution in original post

Panos Kampanakis
Cisco Employee
Cisco Employee

Your config should be something like this


access-list NAT-T extended permit ip host 10.0.5.0 255.255.255.0 192.168.181.16 255.255.255.240

nat (inside) 15 access-list NAT-T

global (outside) 15 192.168.182.16 netmask 255.255.255.0


You need to have the available ips to be as many as your internal hosts though in order to be able to translate them all.

I hope it helps.

PK

View solution in original post

6 Replies 6

witsang
Cisco Employee
Cisco Employee

Hi,

You'll want to use a policy nat with the 'static' command to achieve this. The mapped subnet needs to be the same size as the original subnet. For example, 10.0.5.0/24 can be mapped to 192.168.182.0/24, but not 192.168.182.0 /28.

Here is the sample config:

access-list policy-nat permit ip 10.0.5.0 255.255.255.0 192.168.181.0 255.255.255.0

static (inside,outside) 192.168.182.0 access-list policy-nat

For a more detailed example, see PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT Configuration Example:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Thaks for yoru response, I am wondering about the same size of subnet, is this a limitation with the ASA or what?

I will try it tomorrow then let you guys know, thanks for the link.

Panos Kampanakis
Cisco Employee
Cisco Employee

Your config should be something like this


access-list NAT-T extended permit ip host 10.0.5.0 255.255.255.0 192.168.181.16 255.255.255.240

nat (inside) 15 access-list NAT-T

global (outside) 15 192.168.182.16 netmask 255.255.255.0


You need to have the available ips to be as many as your internal hosts though in order to be able to translate them all.

I hope it helps.

PK

Thanks alot for your response.

Please let us know if it works by marking this as answered so others can benefit from it in the futre.

Take care,

PK

it's working like charm, thanks a lot for your answer, I tried both solutions your method and the other method, both methods are working with /24, I tried /28 but it did not work, Witsang  was right about the size of the subnet.

Thanks again.

Review Cisco Networking for a $25 gift card