Setting up NAT on VPN Tunnel

russgunther
Level 1

I have an ASA 5505 with a tunnel to a third party network. The tunnel connection comes up fine but I can't get the NAT to work. They are requiring that I send them a specific IP address as the source IP. Here are the specifics:

Source Network: 10.10.1.0/24

Destination Hosts: 172.16.1.171 and 172.16.1.172

NAT IP: 192.168.42.1

If I disable NAT I can get through the tunnel, but the admin sees me coming through as 10.10.1.x. If I enable NAT I can't hit the tunnel at all.

object-group network DM_INLINE_NETWORK_1
 network-object host 172.16.1.171
 network-object host 172.16.1.172
access-list inside_access_in extended permit ip 10.10.1.0 255.255.255.0 172.16.1.168 255.255.255.248 log debugging
access-list inside_access_in extended permit ip any any
access-list split-tunnel standard permit 10.10.1.0 255.255.255.0
access-list outside_nat_static_1 extended permit ip host 172.168.1.172 host 192.168.42.1
access-list outside_nat_static_1 extended permit ip host 172.168.1.171 host 192.168.42.1
access-list inside_nat_static extended permit ip 10.10.1.0 255.255.255.0 172.168.1.168 255.255.255.248
access-list outside_2_cryptomap extended permit ip 10.10.1.0 255.255.255.0 172.16.1.168 255.255.255.248
access-list inside_nat_static_1 extended permit ip 10.10.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
global (outside) 3 192.168.42.1
nat (inside) 3 access-list inside_nat_static_1
access-group inside_access_in in interface inside

Am I just missing something?


Julio Carvajal
VIP Alumni

Hello Russ Gunther,

If I understand correctly, the interesting traffic is going to be between 10.10.1.0 and 172.16.1.171 and 172.16.1.172.

Would you mind trying this:

static (inside,outside) 192.168.42.1 access-list inside_nat_static_1

Try this and let me know if it helps you.

Best Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,


I cannot apply that command. I receive a "global address overlaps with mask" error.

Regards,

Russ

Hi,

Just change the crypto map ACL to specify interesting traffic coming from the NATted address. But they'll have to do the same mirrored ACL on the other side.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi!

The VPN tunnel is passing traffic successfully already, so I believe that the crypto map ACL is correctly set up. However, it is just not NATting the source address properly. The other side is seeing my address of 10.10.1.x instead of 192.168.42.1. Is the ACL as listed above set up incorrectly?

Thanks for your help.

Hi,

If you want to NAT when doing a VPN tunnel, then you must make the NATted traffic the interesting traffic that will bring up the tunnel and get transported over it. So in your crypto ACL you must specify the src IP as the NATted one, not the original one. That's the way I think it should be done.

Regards.

Alain

Don't forget to rate helpful posts.
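As an added illustration of Alain's point (this is not the original poster's configuration and not taken from Cisco's document): on pre-8.3 ASA code the crypto map is evaluated after outbound NAT, so the crypto ACL has to name the translated source. It uses the addresses from the thread; the object-group and ACL names are assumed, and a many-to-one policy PAT (nat/global pair) is used because a single global host is being shared by a whole /24.

```cisco
! Added example, pre-8.3 ASA syntax (as on the 5505 in the question).
! Addresses are from the thread; names are assumed.

! Remote hosts reached through the tunnel
object-group network REMOTE_HOSTS
 network-object host 172.16.1.171
 network-object host 172.16.1.172

! Policy NAT: only 10.10.1.0/24 -> the two remote hosts is translated,
! many-to-one, to 192.168.42.1 (PAT on a single global address)
access-list VPN_POLICY_NAT extended permit ip 10.10.1.0 255.255.255.0 object-group REMOTE_HOSTS
nat (inside) 3 access-list VPN_POLICY_NAT
global (outside) 3 192.168.42.1

! Crypto ACL written for the TRANSLATED source: the ASA matches the
! crypto map after NAT, so 10.10.1.0/24 here would never match.
! The peer's mirrored ACL must be 172.16.1.171/172 -> host 192.168.42.1.
access-list outside_2_cryptomap extended permit ip host 192.168.42.1 object-group REMOTE_HOSTS

! NAT exemption (nat 0 access-list) is evaluated before policy NAT.
! Make sure no nat (inside) 0 entry covers 10.10.1.0/24 -> 172.16.1.171/172,
! or the traffic leaves untranslated and the peer sees 10.10.1.x.

! Checks after applying:
!  show xlate            -> inside hosts translated to 192.168.42.1
!  show crypto ipsec sa  -> local ident 192.168.42.1/255.255.255.255
```

The two `show` commands at the end are the quickest way to tell whether traffic is being translated at all versus being translated but not matching the crypto ACL.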

Julio Carvajal
VIP Alumni

Hi again Russ,

Take a look at this VPN configuration example; it is going to show you what to do:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

That is exactly what you have to do.

As you can see in this document, they want to NAT the inside source when it goes to the VPN tunnel, so it is the same scenario.

I think you did not remove the previous commands; that is why the command I sent you was not allowed by the ASA CLI.

Please let me know if you have any questions regarding this document. I will be more than glad to help you.

Best Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

You are correct. I had conflicting commands. I removed all the entries relating to this tunnel from my config and started fresh with the link you provided and everything came up perfectly.

Thank you for your help and support.

Russ

Hello Russ,

I am glad that everything is working fine now. If you have any other question related to this issue, please let me know; otherwise, please mark the question as answered.

Have a great day,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC