11-04-2010 08:54 AM - edited 03-11-2019 12:05 PM
Hello folks,
I am new to policy NAT. We have an ASA 5505 and I am trying to create a policy NAT to connect my network to another location through the VPN tunnel. I do not have any problem creating the VPN tunnel; the only problem is:
my inside network is 10.0.5.0/24 and my other end is 192.168.181.0/28
I am trying to connect to 192.168.181.0/28 by using this subnet 192.168.182.0/28
I want the other end to see my network as 192.168.182.0/28
access-list 105 extended permit ip 192.168.182.16 255.255.255.240 192.168.181.16 255.255.255.240
access-list NAT-T extended permit ip host 10.0.5.1 192.168.181.16 255.255.255.240
nat (inside) 15 access-list NAT-T
global (outside) 15 192.168.182.16 netmask 255.255.255.240
then the normal configuration for the VPN tunnel.
Thanks for your help.
11-04-2010 10:53 AM
Hi,
You'll want to use policy NAT with the 'static' command to achieve this. The mapped subnet needs to be the same size as the original subnet. For example, 10.0.5.0/24 can be mapped to 192.168.182.0/24, but not to 192.168.182.0/28.
Here is the sample config:
access-list policy-nat permit ip 10.0.5.0 255.255.255.0 192.168.181.0 255.255.255.0
static (inside,outside) 192.168.182.0 access-list policy-nat
For a more detailed example, see PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT Configuration Example:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
11-04-2010 11:15 AM
Your config should be something like this
access-list NAT-T extended permit ip 10.0.5.0 255.255.255.0 192.168.181.16 255.255.255.240
nat (inside) 15 access-list NAT-T
global (outside) 15 192.168.182.1-192.168.182.254 netmask 255.255.255.0
You need to have as many available IPs as internal hosts, though, in order to be able to translate them all.
I hope it helps.
PK
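Both answers above come down to two sizing rules and one ordering rule that the ASA does not check for you: a static net-to-net policy NAT needs a mapped block exactly as large as the real block (Witsang's answer), a dynamic policy NAT needs a global pool at least as large as the inside host count (PK's answer), and in either case the crypto ACL must match the translated addresses, because the ASA applies NAT before IPsec encapsulation. The following Python helper is an added example, not part of this thread, that generates the ASA 8.2-style lines for both methods from the networks in the original post and refuses the /24-to-/28 mapping the original poster tried. The ACL names, NAT ID 15 and the remote network 192.168.181.16/28 are taken from the posts above; the overlap check is an extra sanity check of my own.

```python
import ipaddress

# Constructed values taken from the thread: real inside network 10.0.5.0/24,
# mapped network 192.168.182.0/24, remote end 192.168.181.16/28.
INSIDE = "10.0.5.0/24"
MAPPED = "192.168.182.0/24"
REMOTE = "192.168.181.16/28"


def _net(text):
    return ipaddress.ip_network(text, strict=True)


def mapped_fits(inside, mapped):
    """Static net-to-net policy NAT maps hosts one-to-one, so the mapped
    block must be exactly the same size as the real block."""
    return _net(inside).prefixlen == _net(mapped).prefixlen


def static_policy_nat(inside, mapped, remote, acl="policy-nat", crypto_acl="105"):
    """Return ASA 8.2-style lines for Witsang's method: the policy NAT ACL,
    the static, and the crypto ACL. Raises ValueError when the mapped block
    is a different size (the /28 the original poster tried) or, as an added
    sanity check, when it overlaps the remote network."""
    i, m, r = _net(inside), _net(mapped), _net(remote)
    if not mapped_fits(inside, mapped):
        raise ValueError(f"mapped {m} must be the same size as real {i}")
    if m.overlaps(r):
        raise ValueError(f"mapped {m} overlaps remote {r}")
    return [
        f"access-list {acl} extended permit ip {i.network_address} {i.netmask} "
        f"{r.network_address} {r.netmask}",
        f"static (inside,outside) {m.network_address} access-list {acl}",
        # The ASA translates before it encrypts, so the crypto ACL (interesting
        # traffic) must name the mapped addresses, never the real inside block.
        f"access-list {crypto_acl} extended permit ip {m.network_address} {m.netmask} "
        f"{r.network_address} {r.netmask}",
    ]


def pool_fits(inside, pool_first, pool_last):
    """Dynamic policy NAT without PAT needs at least one pool address per
    usable inside host; otherwise hosts that come up late get no translation."""
    hosts = max(_net(inside).num_addresses - 2, 1)
    pool = int(ipaddress.ip_address(pool_last)) - int(ipaddress.ip_address(pool_first)) + 1
    return pool >= hosts


def dynamic_policy_nat(inside, pool_first, pool_last, pool_mask, remote,
                       nat_id=15, acl="NAT-T", crypto_acl="105"):
    """Return ASA 8.2-style lines for PK's method: policy NAT ACL, nat,
    global pool, and the crypto ACL covering the pool's network."""
    i, r = _net(inside), _net(remote)
    if not pool_fits(inside, pool_first, pool_last):
        raise ValueError("global pool is smaller than the inside host count")
    # The block the remote side will see: the network containing the pool.
    pool_net = ipaddress.ip_network(f"{pool_first}/{pool_mask}", strict=False)
    return [
        f"access-list {acl} extended permit ip {i.network_address} {i.netmask} "
        f"{r.network_address} {r.netmask}",
        f"nat (inside) {nat_id} access-list {acl}",
        f"global (outside) {nat_id} {pool_first}-{pool_last} netmask {pool_mask}",
        f"access-list {crypto_acl} extended permit ip {pool_net.network_address} {pool_net.netmask} "
        f"{r.network_address} {r.netmask}",
    ]


if __name__ == "__main__":
    for line in static_policy_nat(INSIDE, MAPPED, REMOTE):
        print(line)
    print("!")
    for line in dynamic_policy_nat(INSIDE, "192.168.182.1", "192.168.182.254",
                                   "255.255.255.0", REMOTE):
        print(line)
```

Whichever method you paste in, the remote peer's crypto ACL has to mirror the mapped block (192.168.182.0/24 to its own network), and any NAT exemption (`nat (inside) 0 access-list ...`) for other tunnels must not also match 10.0.5.0/24 to 192.168.181.16/28, since exemption is evaluated before policy NAT and would leave the traffic untranslated.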
11-04-2010 02:16 PM
Thanks for your response. I am wondering about the same size of subnet; is this a limitation with the ASA or what?
I will try it tomorrow then let you guys know, thanks for the link.
11-04-2010 11:35 AM
Thanks a lot for your response.
11-04-2010 01:17 PM
Please let us know if it works by marking this as answered so others can benefit from it in the future.
Take care,
PK
11-05-2010 05:10 PM
It's working like a charm, thanks a lot for your answer. I tried both solutions, your method and the other method; both methods are working with /24. I tried /28 but it did not work. Witsang was right about the size of the subnet.
Thanks again.