Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
686
Views
0
Helpful
3
Replies

nating inside traffic to a static IP for site-to-site tunnel

northtexasnetworks
Level 1
Level 1

‎06-02-2017 03:30 PM

Hello,

We have an ASA5506 running 9.6(1).  I have it configured for Remote VPN users to connect via AnyConnect.  I also have it configured to do a site-to-site VPN with a supplier.  Our inside LAN is 192.168.1.0/24

The supplier tells us they want all traffic on the site-to-site VPN tunnel to come from 192.168.95.1.

What commands do I need to NAT the tunnel traffic to the static IP but leave non-tunnel traffic alone?

I have attached a sanitized configuration.

All help is appreciated!

Thanks,

Mitchell

Labels:
Preview file
9 KB
0 Helpful
3 Replies 3

JP Miranda Z
Cisco Employee
Cisco Employee

‎06-02-2017 05:17 PM

Hi northtexasnetworks,

You can use the following nat:

object network NETWORK_OBJ_192.168.91.5
host 192.168.91.5

nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.91.5 destination static NETWORK_OBJ_10.254.254.xx NETWORK_OBJ_10.254.254.xx no-proxy-arp route-lookup

access-list outside_cryptomap extended permit ip host 192.168.91.5 255.255.255.0 object NETWORK_OBJ_10.254.254.xx

After adding the nat you can run a packet tracer to make sure is following the right path:

packet-tracer input inside icmp 192.168.1.10 8 0 10.254.254.10 detail

Hope this info helps!!

Rate if helps you!! 

-JP- 

0 Helpful

northtexasnetworks
Level 1
Level 1
In response to JP Miranda Z

‎06-02-2017 09:45 PM

Hi JP,

Thank you for your quick response and your excellent advise.  All of my previous experience has been with version 7 of the ASA software and these new NAT statements are a bit of a learning curve.

I used the commands you suggested and when I entered: 

nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.91.5 destination static NETWORK_OBJ_10.254.254.xx NETWORK_OBJ_10.254.254.xx no-proxy-arp route-lookup

The ASA returns the following:

ERROR: Option route-lookup is only allowed for static identity case.

If I leave off the route-lookup part it does not give an error.

Is there a better way to do it than leaving off route-lookup?

Thanks,

Mitchell

0 Helpful

JP Miranda Z
Cisco Employee
Cisco Employee
In response to northtexasnetworks

‎06-02-2017 09:52 PM

Mitchell,

My bad, the router-lookup should not be used with this type of nat, thats why you get the error, let's try without the route-lookup and let me know how it goes.

Hope this info helps!!

Rate if helps you!! 

-JP- 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents