Cisco ASA Port Address Translation

dpatkins
Level 1

All,

I have set up a Site to Site VPN tunnel. In this tunnel, the end user's traffic of interest is already a subnet we use on our network, 192.168.20.0/24. What I would like to do is set up a PAT on our tunnel will be NATTED. Our appliance locally will point to our patted address of 10.10.10.10.

So it would be:

So any traffic being generated from our inside address of 10.20.10.10 and 10.20.10.11 going to 192.168.20.0/24 will actually route to 10.10.10.10 and the ASA will translate it to whatever the 192.168.20.0/24 address will be. And if traffic is coming into the ASA from 192.168.20.0/24, it will PAT it to 10.10.10.10 and route it to the 10.20.10.10 and 10.20.10.11. Basically, I do not want our side to see the 192.168.20.0/24 from the remote site and I do not want the remote site to see the 10.10.10.10 PATTED address.

Does this make sense?

Thanks

Dwane

3 Replies

Itzcoatl Espinosa
Cisco Employee

Hello,

As far as I understood, you would like to configure source and destination NAT, so hide the addresses of your internal and remote networks.

Here is a sample config I made for traffic for host 10.20.10.10, I hope it helps:

object network h_10.20.10.10
 host 10.20.10.10
object network n_192.168.20.0
 subnet 192.168.20.0 255.255.255.0
object network nat_10.10.10.10
 host 10.10.10.10
object network source_nat_192.168.20.10
 host 192.168.20.10

nat (inside,Outside) source static h_10.20.10.10 source_nat_192.168.20.10 destination static nat_10.10.10.10 n_192.168.20.0

Thanks

Itzcoatl

Itzcoatl,

Will this PAT be bidirectional if configured this way?

Dwane

Hello Dwane,

This is bidirectional. That is correct.

Thanks
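
Added example, not part of any post in this thread: a small Python model of a one-to-one static twice NAT rule, showing which addresses each side sees in both directions and that the sample rule covers only 10.20.10.10. The remote host 192.168.20.50 and the one-to-one destination mapping are assumptions made for illustration; the other addresses come from the thread.

```python
from ipaddress import ip_address
from typing import NamedTuple, Optional, Tuple

Packet = Tuple[str, str]  # (source IP, destination IP)

class TwiceNat(NamedTuple):
    src_real: str    # inside host (from the thread)
    src_mapped: str  # source address the remote site sees (from the thread)
    dst_mapped: str  # address the inside host sends to (from the thread)
    dst_real: str    # actual remote host (constructed for this example)

def _same(a: str, b: str) -> bool:
    return ip_address(a) == ip_address(b)

def outbound(rule: TwiceNat, pkt: Packet) -> Optional[Packet]:
    """inside -> Outside: rewrite source and destination, None if no match."""
    src, dst = pkt
    if _same(src, rule.src_real) and _same(dst, rule.dst_mapped):
        return (rule.src_mapped, rule.dst_real)
    return None

def inbound(rule: TwiceNat, pkt: Packet) -> Optional[Packet]:
    """Outside -> inside: the same static rule applied in reverse."""
    src, dst = pkt
    if _same(src, rule.dst_real) and _same(dst, rule.src_mapped):
        return (rule.dst_mapped, rule.src_real)
    return None

RULE = TwiceNat("10.20.10.10", "192.168.20.10", "10.10.10.10", "192.168.20.50")

if __name__ == "__main__":
    request = ("10.20.10.10", "10.10.10.10")
    on_wire = outbound(RULE, request)
    print("inside sends  ", request, "-> tunnel carries", on_wire)
    reply = (on_wire[1], on_wire[0])
    print("remote replies", reply, "-> inside receives", inbound(RULE, reply))
    # The second inside host from the question is not matched by this rule.
    print("10.20.10.11:", outbound(RULE, ("10.20.10.11", "10.10.10.10")))
```

In this model, 10.20.10.11 falls through untranslated, so it would need its own rule or a source object that covers both hosts.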