ASA VPN Bidirectional NAT

ty.masse (Level 1)

I have a VPN tunnel configured with this NAT scenario.

access-list l2lnat1 extended permit ip host 10.1.1.1 host 172.16.1.1
access-list l2lnat2 extended permit ip host 10.1.1.2 host 172.16.1.1
static (inside,outside) 192.168.1.1 access-list l2lnat1
static (inside,outside) 192.168.1.2 access-list l2lnat2

Will this NAT be bidirectional? In other words, if the remote 172 side tries to bring up the tunnel, will it come up and NAT to allow them to communicate, or do I need to have the reverse source and destination in each access list in order for the static to work in reverse?

Thanks.

Accepted Solution

ptrynisz (Level 1)

Hi Ty,

Assuming you run a pre-8.3 OS version, the NAT configuration you showed is bidirectional, as per

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html#wp1080960

Which traffic brings the tunnel up depends on the crypto ACL configuration. In your case I believe you want to NAT 10.1.1.1 (10.1.1.2) to 192.168.1.1 (192.168.1.2) while communicating with 172.16.1.1 (172.16.1.2), thus the crypto ACL should look like below, since encryption is done last:

ACL_CRYPTO permit ip host 192.168.1.1 host 172.16.1.1
ACL_CRYPTO permit ip host 192.168.1.2 host 172.16.1.2

Accordingly, the IPsec peer should have the above ACL mirrored:

ACL_CRYPTO_PEER permit ip host 172.16.1.1 host 192.168.1.1
ACL_CRYPTO_PEER permit ip host 172.16.1.2 host 192.168.1.2

regards,

Pawel
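The order of operations the answer relies on (policy static NAT is applied before the crypto ACL match on the way out, and the same static is consulted in reverse for traffic arriving from the peer) can be checked with a small model. This is an added example, not ASA code or anything from the thread; it takes the two policy statics from the question and assumes a crypto ACL built from them (both entries toward 172.16.1.1, matching the NAT ACLs as posted) plus the mirrored peer ACL.

```python
# Added example: a simplified model of pre-8.3 ASA policy static NAT
# ("static ... access-list") followed by the crypto ACL match.
# Not ASA code; addresses are the ones from the question.
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyStatic:
    real: str    # inside host named in the policy ACL
    mapped: str  # address it is translated to on the outside
    peer: str    # destination host the policy ACL requires


# The two statics from the question, one per policy ACL.
NAT_RULES = [
    PolicyStatic("10.1.1.1", "192.168.1.1", "172.16.1.1"),
    PolicyStatic("10.1.1.2", "192.168.1.2", "172.16.1.1"),
]

# Assumed crypto ACL (mapped addresses, since NAT runs before encryption)
# and the peer's mirror of it.
CRYPTO_ACL = [("192.168.1.1", "172.16.1.1"), ("192.168.1.2", "172.16.1.1")]
PEER_CRYPTO_ACL = [("172.16.1.1", "192.168.1.1"), ("172.16.1.1", "192.168.1.2")]


def translate_outbound(src, dst):
    """inside->outside: rewrite src only when (src, dst) matches a policy ACL."""
    for r in NAT_RULES:
        if src == r.real and dst == r.peer:
            return r.mapped, dst
    return src, dst


def translate_inbound(src, dst):
    """outside->inside: the same static works in reverse (bidirectional):
    a mapped destination is untranslated when the source is the policy peer."""
    for r in NAT_RULES:
        if dst == r.mapped and src == r.peer:
            return src, r.real
    return src, dst


def outbound_is_encrypted(src, dst):
    """The crypto ACL sees the post-NAT flow, so match on translated addresses."""
    return translate_outbound(src, dst) in CRYPTO_ACL


def peer_acl_is_mirror(local_acl, peer_acl):
    """True when every (src, dst) entry appears on the peer as (dst, src)."""
    return sorted((d, s) for s, d in local_acl) == sorted(peer_acl)
```

Running the checks shows that traffic from 172.16.1.1 to 192.168.1.2 is untranslated to 10.1.1.2 without any reverse ACL entries, while a flow to a destination not named in the policy ACL is neither translated nor matched by the crypto ACL.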

2 Replies

Thank You.
