02-27-2015 09:43 AM - edited 03-11-2019 10:34 PM
Hello all,
We need your assistance in helping us construct a tunnel on an ASA 5510 to our vendor's servers. We were given a 10-network unique IP address (to add a level of complexity, we are using the same network on our internal interface, so I am worried about routing issues) through which we must connect. The security and other parameters are set, but I do not know how to send all traffic addressed to the vendor's machines through the tunnel.
Narrative:
Send all traffic from server 192.168.123.456 and subnet 192.168.456.0/24 to 123.456.789.100 through tunnel X via address 10.123.456.789, while making sure that the rest of traffic to outside goes through standard ASA outside interface, and the 10.0.0.0 traffic remains routed properly.
Thanks for your assistance. This issue has been giving me a continuous headache; any help would be greatly appreciated.
Regards,
Plamen
02-27-2015 10:49 AM
Hi Plamen,
If I have understood correctly, your requirement is below:
Subnet 192.168.45.0/24 should be natted to 10.123.45.78 while it needs to go to 12.45.78.100?
Is that correct? If yes, then you need to do manual nat or twice nat and that should take care of the issue. All other traffic should continue to flow using the existing auto nat rule.
Btw, the IPs 456 and 789 look funny :)
Let me know if you have any questions.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
02-27-2015 11:57 AM
What you need is dynamic policy NAT, and I assume your ASA interfaces are named "inside" and "outside".
access-list policy-nat extended permit ip host 192.168.123.456 host 123.456.789.100
access-list policy-nat extended permit ip 192.168.456.0 255.255.255.0 host 123.456.789.100
access-list crypto-acl1 extended permit ip host 1.2.3.4 host 123.456.789.100
Let's say this is a public address (1.2.3.4) on your side, and the remote tunnel peer will accept traffic from your tunnel peer when traffic is sent from this IP address 1.2.3.4.
global (outside) 2 1.2.3.4
nat (inside) 2 access-list policy-nat
crypto map L2L_VPN 3 match address crypto-acl1
crypto map L2L_VPN 3 set peer 10.123.456.789
Hope this helps.
Thanks
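For readers on ASA 8.3 or later, where the global/nat syntax of the reply above no longer exists, this is the twice NAT form of what Kanwal describes (translation scoped to the vendor destination, crypto ACL matching the translated source), using the valid addresses from Kanwal's restatement. It is an added example, not code from either reply; it assumes interfaces named inside and outside, invented object names, a constructed test host 192.168.45.10, and that the peer and IKE/IPsec parameters are already configured as the original post states.

```cisco
! Added example (not from the thread): ASA 8.3+ twice NAT for one vendor tunnel.
! Addresses are the ones Kanwal restated; object names are invented.
object network LOCAL_SUBNET
 subnet 192.168.45.0 255.255.255.0
object network VENDOR_SERVER
 host 12.45.78.100
object network TUNNEL_SRC
 host 10.123.45.78
!
! Only traffic destined for the vendor server is translated to the assigned 10.x
! address (dynamic PAT behind a single host). All other outbound traffic keeps the
! existing auto NAT rule, and the inside 10.0.0.0 routes are untouched because
! 10.123.45.78 is only ever a mapped source, never a routed destination.
! The single server from the original post can be covered by the same rule by
! putting it and the subnet in an object-group network used as the real source.
nat (inside,outside) source dynamic LOCAL_SUBNET TUNNEL_SRC destination static VENDOR_SERVER VENDOR_SERVER
!
! Crypto ACLs on 8.3+ match on translated addresses, so the interesting traffic
! is the mapped source to the vendor host, not the real 192.168.45.0/24 network.
access-list crypto-acl1 extended permit ip host 10.123.45.78 host 12.45.78.100
crypto map L2L_VPN 3 match address crypto-acl1
!
! Checks after applying (192.168.45.10 is a constructed inside host):
! show nat detail                 -> translate_hits should increase for the rule
! packet-tracer input inside tcp 192.168.45.10 12345 12.45.78.100 443
!                                 -> NAT phase shows TUNNEL_SRC, VPN phase shows crypto-acl1
! show crypto ipsec sa            -> local ident 10.123.45.78, remote ident 12.45.78.100
```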