Source NAT Translation in ASA 7.x - Trouble configuring.

davebornack (Level 1)

Hey guys, having issues taking my current knowledge and applying it to an old ASA running 7.x.

 

Basically I want to perform the following:

- Any Traffic sourced from 192.168.1.0/24

- Destined for 10.100.90.0/24 (Over an established VPN Tunnel)

- Needs to be sourced from a specific address/ProxyID (1.2.3.4)

Translated destination is Original Address

 

How on earth do we do this in ASA 7.x?

 

Thanks much for any help


7 Replies

rizwanr74 (Level 7)

Hi Dave,

 

It is as easy as eating a piece of cake, no biggy. All you need is a dynamic policy-nat.

 

access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.100.90.0 255.255.255.0

 


global (outside) 2 1.2.3.4
nat (inside) 2 policy-nat

 

Now you incorporate IP: 1.2.3.4 into the vpn-tunnel.

 

Hope that helps.

Thanks

Rizwan Rafeek.
 

Awesome, I figured it was more difficult than that. I had more config planned than this, but I already basically have this in what I drafted.

One more question: I'm creating separate ACLs for interesting traffic for the VPN. Those are being referenced in the Crypto and ISAKMP config.

The above is just the NAT, and won't have anything to do with the tunnel, correct?

"The above is just the NAT, and won't have anything to do with the tunnel, correct?"

 

You use the natted IP address 1.2.3.4 in the crypto ACL, and there is no need for nat-exemption for IP 1.2.3.4. On the other end of the tunnel, they see it as if the traffic is initiated from this IP address, 1.2.3.4, so on the other end of the tunnel they must include this IP address 1.2.3.4 in the encryption domain.

 

Hope that answers your question.

 

thanks

 

 

 

I think so. Thanks again!

Still can't get this working for some reason. For the sake of getting this up quickly, I'll post the real config... anything?

global (outsidesw1) 215 192.235.87.15
nat (insidesw1) 215 access-list policy-nat

access-list InfoHedge extended permit ip 172.16.212.0 255.255.255.0 10.100.90.0 255.255.255.0
access-list policy-nat extended permit ip 172.16.212.0 255.255.255.0 10.100.90.0 255.255.255.0

crypto ipsec transform-set InfoHedge esp-3des esp-none

crypto map L2L_VPN 3 match address InfoHedge
crypto map L2L_VPN 3 set pfs
crypto map L2L_VPN 3 set peer 74.220.80.15
crypto map L2L_VPN 3 set transform-set InfoHedge
crypto map L2L_VPN interface outsidesw1

isakmp identity address
isakmp enable outsidesw1

isakmp policy 215 authentication pre-share
isakmp policy 215 encryption 3des
isakmp policy 215 hash sha
isakmp policy 215 group 2
isakmp policy 215 lifetime 86400

tunnel-group 74.220.80.15 type ipsec-l2l
tunnel-group 74.220.80.15 ipsec-attributes
 pre-shared-key ****

 

Hello Dave,

 

First copy this line.

access-list InfoHedge extended permit ip host 192.235.87.15 10.100.90.0 255.255.255.0 

 

Second remove this line.

no access-list InfoHedge extended permit ip 172.16.212.0 255.255.255.0 10.100.90.0 255.255.255.0

 

Let me know, if that helps.

Thanks
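The reason the fix above works is the ASA's outbound order of operations: dynamic policy NAT rewrites the source first, and only then is the packet checked against the crypto-map ACL, so the crypto ACL has to name the translated host, not the inside subnet. The following is an added example, not code from this thread or from Cisco, that models the posted config with Python's ipaddress module and shows the original InfoHedge ACL missing the translated packet while the corrected one catches it; the ACE/translate helper names are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the thread's ASA 7.x config (not a real ASA parser):
# outbound packets are policy-NATed first, then matched against the crypto ACL.

@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' access-list entry."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst

def ace(src, dst):
    return Ace(ipaddress.ip_network(src), ipaddress.ip_network(dst))

# nat (insidesw1) 215 access-list policy-nat  +  global (outsidesw1) 215 192.235.87.15
POLICY_NAT = (ace("172.16.212.0/24", "10.100.90.0/24"),
              ipaddress.ip_address("192.235.87.15"))

# Crypto ACL as first posted: it still matches the pre-NAT inside subnet.
INFOHEDGE_BEFORE = [ace("172.16.212.0/24", "10.100.90.0/24")]
# Crypto ACL after the accepted fix: it matches the translated (global) host.
INFOHEDGE_AFTER = [ace("192.235.87.15/32", "10.100.90.0/24")]

def translate(src_ip, dst_ip):
    """Dynamic policy NAT: rewrite the source only when the policy ACE matches."""
    policy, global_ip = POLICY_NAT
    if policy.matches(src_ip, dst_ip):
        return global_ip, dst_ip
    return src_ip, dst_ip

def is_encrypted(crypto_acl, src, dst):
    """True if the packet, as seen after NAT, hits the crypto-map match ACL."""
    src_ip, dst_ip = translate(ipaddress.ip_address(src), ipaddress.ip_address(dst))
    return any(entry.matches(src_ip, dst_ip) for entry in crypto_acl)

if __name__ == "__main__":
    pkt = ("172.16.212.10", "10.100.90.5")   # constructed sample flow from the thread
    print("before fix, encrypted:", is_encrypted(INFOHEDGE_BEFORE, *pkt))  # False
    print("after fix, encrypted: ", is_encrypted(INFOHEDGE_AFTER, *pkt))   # True
```

A useful check on a live box is `show crypto ipsec sa`: if the encaps counters stay at zero while the translation count for the policy NAT rises, the crypto ACL is matching the wrong side of the translation.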

 

 

Yes, that did it.

 

Thanks again!
