I am setting up the configuration below and I am stuck on how the One to One static NATs are to be configured. Any help would be appreciated.
Thanks,
Ken
I am setting up a normal L2L VPN tunnel on an ASA 5505 running version 9.0. I would like to hide the inside subnet so it isn't seen by the remote side of the tunnel. I am having trouble with the config of that piece.
i.e.
Local Inside 10.0.0.0/24
Local Outside 172.162.1.0/24
Remote Outside 172.163.1.0/24
Remote inside subnet 10.1.0.0/24
I want to hide 10.0.0.0 with 192.168.100.0/24, so when the remote side sees the local they see 192.168.100.X.
******************************
If you want the remote end to see your local network 10.0.0.0/24 as 192.168.100.0/24 instead, then you need to create a static NAT for it.
First you need to create the network objects and/or object groups.
object network obj-10.0.0.0-24
 description Real inside subnet (hidden from the remote side)
 subnet 10.0.0.0 255.255.255.0
object network obj-192.168.100.0
 description Mapped subnet the remote side sees
 subnet 192.168.100.0 255.255.255.0
object network obj-remote_inside_network
 description Remote inside subnet
 subnet 10.1.0.0 255.255.255.0
The NAT rule should look like this on the ASA code you are running (9.0):
nat (inside,outside) 1 source static obj-10.0.0.0-24 obj-192.168.100.0 destination static obj-remote_inside_network obj-remote_inside_network no-proxy-arp route-lookup
Please consider that for the interesting traffic you have to use the NATed subnets.
On your end the ACL on the crypto map should look like this:
access-list VPN_ACL permit ip object obj-192.168.100.0 object obj-remote_inside_network
and on the remote end it has to be the mirror:
access-list VPN_ACL permit ip object obj-remote_inside_network object obj-192.168.100.0
That way when they try to reach something on your inside network 10.0.0.0/24 they need to ping 192.168.100.0/24 instead.
The static NATs will occur like this:
10.0.0.1 NATed to 192.168.100.1
10.0.0.2 NATed to 192.168.100.2
10.0.0.3 NATed to 192.168.100.3
10.0.0.4 NATed to 192.168.100.4
...
10.0.0.250 NATed to 192.168.100.250
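An added example, not from the thread and not Cisco's code: a small Python model of what the static net-to-net rule above does (host bits are preserved, so 10.0.0.X always becomes 192.168.100.X, and the two subnets must be the same size), plus a check that a crypto ACL entry references the mapped subnet rather than the real one and a helper that produces the mirrored entry the remote peer needs. The addresses are the ones from the thread; the function names are my own.

```python
from ipaddress import IPv4Address, ip_address, ip_network

# Addressing from the thread, constructed here as sample input.
LOCAL_REAL = ip_network("10.0.0.0/24")         # real inside subnet (hidden)
LOCAL_MAPPED = ip_network("192.168.100.0/24")  # what the remote side sees
REMOTE_INSIDE = ip_network("10.1.0.0/24")


def translate(addr, real, mapped):
    """Map one host from `real` to `mapped`, keeping the host bits.

    This models 'nat (inside,outside) source static real mapped' between
    two subnets of equal size: no pool is involved, the network part is
    rewritten and the host part is left untouched.
    """
    real, mapped = ip_network(str(real)), ip_network(str(mapped))
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("static net-to-net NAT needs equally sized subnets")
    addr = ip_address(str(addr))
    if addr not in real:
        raise ValueError(f"{addr} is outside {real}")
    offset = int(addr) - int(real.network_address)
    return IPv4Address(int(mapped.network_address) + offset)


def translation_table(real, mapped):
    """Every host mapping the static rule produces, as (real, mapped) pairs."""
    real = ip_network(str(real))
    return [(str(h), str(translate(h, real, mapped))) for h in real.hosts()]


def mirror(entry):
    """The crypto ACL entry the remote peer must configure: src and dst swapped."""
    src, dst = entry
    return (dst, src)


def crypto_acl_problems(entry, real, mapped, remote):
    """List the reasons a local crypto ACL entry does not line up with the NAT.

    `entry` is (src, dst) as network strings, e.g.
    ("192.168.100.0/24", "10.1.0.0/24"). An empty list means it is correct.
    """
    src, dst = ip_network(entry[0]), ip_network(entry[1])
    real, mapped, remote = (ip_network(str(n)) for n in (real, mapped, remote))
    problems = []
    if src == real:
        problems.append(
            "source is the real subnet; interesting traffic must use the mapped subnet"
        )
    elif src != mapped:
        problems.append(f"source {src} is neither the real nor the mapped subnet")
    if dst != remote:
        problems.append(f"destination {dst} is not the remote inside subnet {remote}")
    return problems


if __name__ == "__main__":
    for real_host, mapped_host in translation_table(LOCAL_REAL, LOCAL_MAPPED)[:4]:
        print(f"{real_host} NATed to {mapped_host}")
    local_entry = ("192.168.100.0/24", "10.1.0.0/24")
    print("local ACL problems:",
          crypto_acl_problems(local_entry, LOCAL_REAL, LOCAL_MAPPED, REMOTE_INSIDE))
    wrong_entry = ("10.0.0.0/24", "10.1.0.0/24")
    print("wrong ACL problems:",
          crypto_acl_problems(wrong_entry, LOCAL_REAL, LOCAL_MAPPED, REMOTE_INSIDE))
    print("remote side must use:", mirror(local_entry))
```

The `crypto_acl_problems` check catches the mistake the answer warns about: writing the crypto ACL with the real 10.0.0.0/24 source. With that entry the NAT rewrites packets to 192.168.100.0/24 before the crypto map sees them, so they never match the interesting-traffic ACL and never enter the tunnel.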