02-04-2016 12:35 PM
I am setting up a normal L2L VPN tunnel on an ASA 5505 running version 9.0. I would like to hide the inside subnet so it isn't seen by the remote side of the tunnel. I am having trouble with the config of that piece.
ie.
Local Inside 10.0.0.0/24
Local Outside 172.162.1.0/24
Remote Outside 172.163.1.0/24
Remote inside subnet 10.1.0.0/24
I want to hide 10.0.0.0 with 192.168.100.0/24, so when the remote side sees the local they see 192.168.100.X.
Please help.
Ken
02-04-2016 01:32 PM
Hi Ken,
If you want the remote end to see your local network 10.0.0.0/24 as 192.168.100.0/24 instead, then you need to create a static NAT for it.
First you need to create network objects and/or object groups.
object network obj-10.0.0.0-24
 subnet 10.0.0.0 255.255.255.0
object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
object network obj-remote_inside_network
 subnet 10.1.0.0 255.255.255.0
The NAT rule should look like this on the ASA code you are running (9.0):
nat (inside,outside) 1 source static obj-10.0.0.0-24 obj-192.168.100.0 destination static obj-remote_inside_network obj-remote_inside_network no-proxy-arp route-lookup
Please consider that for the interesting traffic you have to use the NATed subnets.
On your end, the ACL on the crypto map should look like this:
access-list VPN_ACL permit ip object obj-192.168.100.0 object obj-remote_inside_network
and on the remote end it has to be the mirror:
access-list VPN_ACL permit ip object obj-remote_inside_network object obj-192.168.100.0
That way when they try to reach something on your inside network 10.0.0.0/24 they need to ping 192.168.100.0/24 instead.
The static NATs will occur like this:
10.0.0.1 NATed to 192.168.100.1
10.0.0.2 NATed to 192.168.100.2
10.0.0.3 NATed to 192.168.100.3
10.0.0.4 NATed to 192.168.100.4
...
10.0.0.250 NATed to 192.168.100.250
and so on.
I hope this helps!
Regards,
acalvonu
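The NAT-plus-crypto-ACL setup described in the answer above, modelled as an added example (Python, not Cisco's code and not part of the original post): it maps hosts through the static net-to-net NAT and checks that both peers' crypto ACLs reference the translated subnet and mirror each other. The subnets and object names are those from the answer; the one-line "permit ip object X object Y" ACL form accepted by the parser is an assumption based on the lines shown above.

```python
import ipaddress

# Subnets and object names from the answer above.
REAL_NET = ipaddress.ip_network("10.0.0.0/24")         # local inside, hidden
MAPPED_NET = ipaddress.ip_network("192.168.100.0/24")  # what the peer sees
REMOTE_NET = ipaddress.ip_network("10.1.0.0/24")       # remote inside
OBJECTS = {
    "obj-10.0.0.0-24": REAL_NET,
    "obj-192.168.100.0": MAPPED_NET,
    "obj-remote_inside_network": REMOTE_NET,
}

def static_translate(ip, real_net=REAL_NET, mapped_net=MAPPED_NET):
    """Static net-to-net NAT keeps the host bits: 10.0.0.7 -> 192.168.100.7.
    Addresses outside real_net are returned unchanged (rule does not apply)."""
    addr = ipaddress.ip_address(ip)
    if addr not in real_net:
        return addr
    host_bits = int(addr) - int(real_net.network_address)
    return ipaddress.ip_address(int(mapped_net.network_address) + host_bits)

def parse_acl(line):
    """Parse 'access-list NAME permit ip object SRC object DST' (the form used
    above) into (src_network, dst_network). Assumed format, not a full parser."""
    p = line.split()
    if len(p) != 8 or p[2:4] != ["permit", "ip"] or p[4] != "object" or p[6] != "object":
        raise ValueError(f"unsupported ACL line: {line}")
    return OBJECTS[p[5]], OBJECTS[p[7]]

def check_crypto_acls(local_acl, remote_acl):
    """Return a list of problems; empty means the two crypto ACLs agree with
    the NAT rule (local side uses the mapped subnet, remote side mirrors it)."""
    problems = []
    lsrc, ldst = parse_acl(local_acl)
    rsrc, rdst = parse_acl(remote_acl)
    if lsrc == REAL_NET:
        problems.append("local crypto ACL matches the real subnet; use the mapped one")
    elif (lsrc, ldst) != (MAPPED_NET, REMOTE_NET):
        problems.append("local crypto ACL is not mapped-subnet -> remote-subnet")
    if (rsrc, rdst) != (ldst, lsrc):
        problems.append("remote crypto ACL is not the mirror of the local one")
    return problems

if __name__ == "__main__":
    print(static_translate("10.0.0.250"))  # 192.168.100.250
    good_local = "access-list VPN_ACL permit ip object obj-192.168.100.0 object obj-remote_inside_network"
    good_remote = "access-list VPN_ACL permit ip object obj-remote_inside_network object obj-192.168.100.0"
    print(check_crypto_acls(good_local, good_remote))  # []
```

Feeding the real-subnet ACL into check_crypto_acls reproduces the classic failure where the NAT rule and the crypto ACL disagree and the tunnel never matches the traffic.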
03-27-2017 09:27 AM
So this project was dropped shortly after starting and is now going again. How would the static one-for-one NATs need to be defined to match the answer above?
Thanks,
Ken