I am trying to set up an L2L VPN with our client, which is pretty straightforward. However, the client's requirements mean we must NAT our private subnet to a public subnet provided by our ISP. We have obtained 30 public IPs from our ISP, with the first being assigned to our outside interface. What I need to be able to do is use PAT for internet traffic, and a pool of the remaining IPs to NAT over the tunnel. At this point I have not configured any portion of the VPN and am hoping to find a document, or someone with the expertise, that can explain how to perform this NAT.
I thank you in advance for any help which you can provide!
The doc below covers one approach to configuring this requirement. A few points to remember. When using hide NAT for the L2L tunnel, the crypto ACL will be configured using the post-NAT source IP address. Whether using policy NAT or NAT0, the NAT exemption ACL will be based on the original source IP.
Thanks for the quick reply, this document is exactly what I was looking for!! However, I do have one question...
On the static statement: static (inside,outside) 10.10.10.0 access-list policy-nat; I need to make sure I am clear. This is going to use the policy-nat access list and the range specified in the access list, not the entire subnet, correct? I ask because my range and mask are 10.10.10.96 255.255.255.224, giving me 30 addresses.
Here is my config, please let me know if you see anything wrong.
access-list policy-nat extended permit ip x.x.5.0 255.255.255.0 x.x.x.107 255.255.255.255
access-list policy-nat extended permit ip x.x.5.0 255.255.255.0 x.x.x.11 255.255.255.255
access-list policy-nat extended permit ip x.x.5.0 255.255.255.0 x.x.139.0 255.255.255.0
access-list policy-nat extended permit ip x.x.5.0 255.255.255.0 x.x.52.0 255.255.255.0
access-list new extended permit ip x.x.196.0 255.255.255.224 x.x.x.107 255.255.255.255
access-list new extended permit ip x.x.196.0 255.255.255.224 x.x.x.11 255.255.255.255
access-list new extended permit ip x.x.196.0 255.255.255.224 x.x.139.0 255.255.255.0
access-list new extended permit ip x.x.196.0 255.255.255.224 x.x.52.0 255.255.255.0
static (inside,outside) x.x.196.0 access-list policy-nat
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto map outsidedsl_map 20 match address spinco
crypto map outsidedsl_map 20 set peer x.x.x.140
crypto map outsidedsl_map 20 set transform-set esp-3des-sha
crypto map outsidedsl_map 20 set pfs group1
crypto map outsidedsl_map interface outsidedsl
isakmp identity address
isakmp enable outsidedsl
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group x.x.x.140 type ipsec-l2l
tunnel-group x.x.x.140 ipsec-attributes
The NAT is messed up on this...
When I do a sho xlate, I see the following:
Global 10.10.10.0 local 22.214.171.124
it is not mapping my workstation ip of 126.96.36.199 to 10.10.10.10
Does this mean that it is trying to send my data over the tunnel with an IP of 10.10.10.0?
From what I'm seeing, that doesn't appear to be your entire config there. From what I see though, it looks like you've enabled static identity policy NAT with a 1-to-1 translation.
If you're seeing this in the xlate:
Global 10.10.10.0 local 188.8.131.52
... then the next logical xlate would be Global 10.10.10.1 local 184.108.40.206, Global 10.10.10.2 local 220.127.116.11, ..., Global 10.10.10.102 local 18.104.22.168, etc.
If you're wanting to ensure 22.214.171.124 is mapped to 10.10.10.10, then you should be able to add the following:
access-list policy-nat2 extended permit ip host 126.96.36.199 x.x.x.107 255.255.255.255 (duplicate this new ACL for the other remote networks)
static (inside,outside) 10.10.10.10 access-list policy-nat2
Never tried it, so I hope it works!