12-08-2015 07:36 PM - edited 03-05-2019 02:53 AM
Hi Everyone,
I have a project which requires a router from inside our ASA5510 firewall to initiate a VPN connection over the internet to a server. We have this at two DCs: one connects to a Cisco 1941 router and then to the internet; our other DC has an ASA5510 that borders the internet.
The Cisco 1941 connection works fine, but I am unsure of the commands needed to get inside source NATing working on the ASA5510 (software version 8.2(5)) at our second DC. Can you please help?
Cisco 1941 config details (working):
interface Vlan40
 description BUSINESSINTERNET
 ip address 101.101.101.100 255.255.255.248
 ip flow ingress
 ip nat outside
!
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.252
 ip nat inside
!
ip nat inside source static 1.1.1.2 101.101.101.101
! 101.101.101.100 and 101.101.101.101 = public IPs
! 1.1.1.2 = router initiating the VPN connection
Cisco ASA5510 config details so far:
interface Ethernet0/3
 nameif Internet
 ip address 110.110.110.109 255.255.255.248
!
interface Ethernet0/2.8
 vlan 8
 nameif TNSoutside
 ip address 2.2.2.1 255.255.255.252
!
static (TNSoutside,Internet) 110.110.110.110 2.2.2.2 netmask 255.255.255.255
! 110.110.110.110 = public IP
! 2.2.2.2 = router initiating the VPN connection
I have been thinking I need something like this:
access-list TNSOutside_nat0_outbound extended permit ip host 2.2.2.2 host 110.110.110.110
nat (TNSOutside) 1 access-list TNSOutside_nat0_outbound
12-09-2015 06:37 AM
Hello,
Adding to Masoud's comments, do have a look at the ASA NAT configuration example for more information and help.
Hope it helps.
-GI
12-09-2015 06:44 AM
Hello,
This command is correct for static NAT. Static NAT is bi-directional, so it works both ways.
static (TNSoutside,Internet) 110.110.110.110 2.2.2.2 netmask 255.255.255.255
The second command is used for policy NAT. It is usually used when you have two gateways and you want to share the load across two links. First, your config is not complete. Second, it may not work because it does not put an entry into the NAT table unless the session initiates from inside.
This is an example of policy NAT:
access-list P1 permit ip host 10.10.10.40 host 1.1.1.1
access-list P2 permit ip host 10.10.10.40 host 2.2.2.2
! traffic matching P1 is translated via the first gateway
nat (inside) 10 access-list P1
global (outside) 10 100.100.100.1
! traffic matching P2 is translated via the second gateway
nat (inside) 20 access-list P2
global (outside) 20 200.200.200.1
Hope it helps,
Masoud
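The two defects discussed in this thread (a policy "nat ... access-list" line with no "global" for its NAT ID, and a nat line referencing an access-list that is never defined) are easy to miss by eye in a long 8.2 config. The checker below is an added example written for this thread, not Cisco's tooling or anything the posters ran; the config text it parses is constructed from the lines in this thread, and the interface name, NAT IDs and addresses in it are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the ASA 8.2 syntax used in this thread: the asker's
# static translation, the asker's proposed policy-NAT line (no matching
# "global" for NAT ID 1), and a second policy-NAT line whose access-list
# is never defined. Interface names and addresses are assumed values.
SAMPLE_CONFIG = """\
access-list TNSOutside_nat0_outbound extended permit ip host 2.2.2.2 host 110.110.110.110
static (TNSoutside,Internet) 110.110.110.110 2.2.2.2 netmask 255.255.255.255
nat (TNSOutside) 1 access-list TNSOutside_nat0_outbound
nat (inside) 20 access-list P2
global (Internet) 20 110.110.110.111
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+access-list\s+(\S+)")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s")


def check_nat_config(config_text):
    """Return findings for 8.2-style 'nat (if) N access-list X' statements.

    A finding is raised when the referenced access-list does not exist, or
    when a non-zero NAT ID has no 'global' statement on any interface.
    NAT ID 0 is NAT exemption and intentionally needs no 'global'.
    """
    acls, nat_rules, globals_by_id = set(), [], defaultdict(list)
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := NAT_RE.match(line):
            nat_rules.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := GLOBAL_RE.match(line):
            globals_by_id[int(m.group(2))].append(m.group(1))

    findings = []
    for iface, nat_id, acl in nat_rules:
        if acl not in acls:
            findings.append(f"nat ({iface}) {nat_id}: access-list {acl} is not defined")
        if nat_id != 0 and nat_id not in globals_by_id:
            findings.append(f"nat ({iface}) {nat_id}: no matching 'global' for NAT ID {nat_id}")
    return findings


if __name__ == "__main__":
    for finding in check_nat_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the missing "global" for NAT ID 1 and the undefined access-list P2; an identity rule such as "nat (inside) 0 access-list X" with X defined produces no finding.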