ASA 5505 vpn tunnel with NAT'd internal addresses

KEN COUSINO JR.
Level 1

I am setting up a normal L2L VPN tunnel on ASA 5505 version 9.0.  I would like to hide the inside subnet so it isn't seen by the remote side of the tunnel.  I am having trouble with the config of that piece.

i.e.

Local Inside 10.0.0.0/24

Local Outside 172.162.1.0/24

Remote Outside 172.163.1.0/24

Remote inside subnet 10.1.0.0/24

I want to hide 10.0.0.0 with 192.168.100.0/24, so when the remote side sees the local they see 192.168.100.X.

Please help.

Ken


acalvonu
Level 1

Hi Ken,

If you want the remote end to see your local network 10.0.0.0/24 as 192.168.100.0/24 instead, then you need to create a static NAT for it.

First you need to create network objects and/or object groups.

object network obj-10.0.0.0-24
 subnet 10.0.0.0 255.255.255.0

object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0

object network obj-remote_inside_network
 subnet 10.1.0.0 255.255.255.0

The NAT rule should look like this on the ASA code you are running (9.0):

nat (inside,outside) 1 source static obj-10.0.0.0-24 obj-192.168.100.0 destination static obj-remote_inside_network obj-remote_inside_network no-proxy-arp route-lookup

Please consider that for the interesting traffic you have to use the NATed subnets.

On your end the ACL on the crypto map should look like this:

access-list VPN_ACL permit ip object obj-192.168.100.0 object obj-remote_inside_network

and on the remote end it has to be the mirror:

access-list VPN_ACL permit ip object obj-remote_inside_network object obj-192.168.100.0


That way when they try to reach something on your inside network 10.0.0.0/24 they need to ping 192.168.100.0/24 instead.

The static NATs will occur like this:

10.0.0.1 NATed to 192.168.100.1
10.0.0.2 NATed to 192.168.100.2
10.0.0.3 NATed to 192.168.100.3
10.0.0.4 NATed to 192.168.100.4
...
10.0.0.250 NATed to 192.168.100.250

and so on.


I hope this helps!

Regards,

acalvonu
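The one-to-one mapping and the "use the NATed subnets in the crypto ACL" rule from the answer above, as an added Python model (example code, not Cisco's or the poster's). It reuses the thread's subnets, translates a host the way the static NAT would, builds the mirror ACL for the remote end, and flags a crypto ACL entry that still references the real (pre-NAT) subnet, which is the usual reason such a tunnel fails to bring up the right SA.

```python
import ipaddress

# Constructed to mirror the values in the thread (not pulled from a live ASA).
LOCAL_REAL = ipaddress.ip_network("10.0.0.0/24")        # obj-10.0.0.0-24
LOCAL_MAPPED = ipaddress.ip_network("192.168.100.0/24") # obj-192.168.100.0
REMOTE = ipaddress.ip_network("10.1.0.0/24")            # obj-remote_inside_network


def static_nat(addr, real=LOCAL_REAL, mapped=LOCAL_MAPPED):
    """Static subnet-to-subnet NAT keeps the host bits and swaps the network
    portion, like 'nat (inside,outside) source static real mapped'.
    Returns None when the address is not covered by the rule."""
    ip = ipaddress.ip_address(addr)
    if ip not in real:
        return None
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("static subnet NAT needs equal-size real/mapped subnets")
    host_bits = int(ip) - int(real.network_address)
    return ipaddress.ip_address(int(mapped.network_address) + host_bits)


def untranslate(addr, real=LOCAL_REAL, mapped=LOCAL_MAPPED):
    """Reverse direction: what a packet from the peer to 192.168.100.x hits inside."""
    return static_nat(addr, real=mapped, mapped=real)


def mirror_acl(acl_entries):
    """The remote end's crypto ACL is the local one with source/destination swapped."""
    return [(dst, src) for src, dst in acl_entries]


def check_crypto_acl(acl_entries, real_subnets=(LOCAL_REAL,)):
    """Interesting traffic must be defined with the NATed (mapped) subnets.
    Returns a list of problems for entries that still name a real subnet."""
    problems = []
    for src, dst in acl_entries:
        for net in (ipaddress.ip_network(src), ipaddress.ip_network(dst)):
            if net in real_subnets:
                problems.append(f"{src} -> {dst}: references un-NATed subnet {net}")
    return problems


if __name__ == "__main__":
    local_acl = [("192.168.100.0/24", "10.1.0.0/24")]   # access-list VPN_ACL
    print("10.0.0.250 appears to the peer as", static_nat("10.0.0.250"))
    print("remote mirror ACL:", mirror_acl(local_acl))
    print("problems:", check_crypto_acl([("10.0.0.0/24", "10.1.0.0/24")]))
```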

So this project was dropped shortly after starting and is now going again.  How would the static one-for-one NATs need to be defined to match the answer above?

Thanks,

Ken
