06-29-2015 03:33 AM
Hello Cisco Community,
I was wondering if you could help me with the issue below. I have a Cisco ASA 5505 which I use to set up
my site-to-site tunnels, and we use private IP addresses for our encryption domains. Recently our new partner informed
us they no longer use/accept private IP addresses for their VPN tunnels, so I tried to use port-forwarding, creating a static NAT:
partner Encryption domain = 72.x.x.x
my public address = 59.x.x.x
my encryption domains = 192.168.45.5/24
Partner encryption domain ----> my public IP address (as port-forwarding) ----> my encryption domain (private IP address)
Tunnel status is up, but my local network traffic going to the partner's side is not happening; partner traffic is visible in the logs.
Thanks for all your assistance.
Sorry for my broken English.
06-29-2015 12:17 PM
Hello Ahmed,
Who initiates the traffic: is it your side of the tunnel or your new partner's side, or do both parties initiate the traffic?
What version of ASA software are you running?
thanks
Rizwan Rafeek
07-06-2015 03:39 AM
Hi rzwanr74,
Thanks for the reply. The new partner is initiating the traffic;
he is hitting the ASA (I can see it from the logs), but the traffic is not going to the target devices.
Thanks
07-06-2015 05:33 AM
Hello Ahmed,
Check that the route (i.e. the remote subnet route) is pointing in the right direction, that is, the route is pushed toward the ASA's gateway address, and from your internal switches the route is pushed toward the ASA inside address.
If that didn't resolve the problem, post your whole config and tell me which tunnel you are having the issue with.
Happy Ramadan.
thanks
Rizwan Rafeek.
07-06-2015 07:33 AM
What software version are you running on your ASA?
07-06-2015 09:25 PM
Rizwan,
My ASA version is 8.2
Thanks
07-07-2015 06:36 AM
Hello Ahmed,
What you need is a static policy NAT.
You need to fill in the X values for the subnet mask and IP addresses in the example below.
access-list NET1 permit ip host 192.168.45.5 host 72.x.x.x
static (inside,outside) 59.x.x.x access-list NET1
You include your NATted IP address, 59.x.x.x, in the crypto ACL.
Let me know, if this helps.
Thanks
Rizwan Rafeek
07-07-2015 09:04 AM
Hello Rizwan,
What will be my remote-local address that my partner will configure as my encryption domain: will it be my ASA outside interface too, or another virtual public IP address?
Thanks for the help.
Ramadan Kareem
07-07-2015 10:10 AM
It is best you have a dedicated public IP for this policy static NAT, instead of using the same public IP address you have on the ASA's outside interface.
07-23-2015 04:50 AM
Hi Rizwan,
It worked; I got the hint from the policy static NAT.
Thank you.
08-04-2015 07:08 AM
Hello Rizwan,
Can I use another static NAT policy pointing to the same target server,
like
local-private-ip ----> remote-encryption-domain ----- interface outside ---- public NATted IP address
Can I use the same static NAT policy rule for
local-private-ip ----> second-remote-encryption-domain ----- interface outside ---- second public NATted IP address
08-04-2015 08:55 AM
Hi Ahmed,
"Can I use another static NAT policy pointing to the same target server"
You mean your remote destination or source address, i.e. 192.168.45.5?
As long as the two IP addresses highlighted in red below (192.168.45.5 and 59.x.x.x) do not change, you can use the same ACL (NET1) to change the remote destination address. As you know, the two red-highlighted IP addresses have a one-to-one relation.
access-list NET1 permit ip host 192.168.45.5 host 72.x.x.x
static (inside,outside) 59.x.x.x access-list NET1
Hope that answers your question.
Thanks
Rizwan Rafeek
08-04-2015 09:13 AM
I just want to add more clarity to my previous answer. You can keep adding additional remote destinations as shown below.
access-list NET1 permit ip host 192.168.45.5 host 72.x.x.x
access-list NET1 permit ip host 192.168.45.5 host 102.x.x.x
access-list NET1 permit ip host 192.168.45.5 host 202.x.x.x
access-list NET1 permit ip host 192.168.45.5 host 22.x.x.x
access-list NET1 permit ip host 192.168.45.5 host 52.x.x.x
access-list NET1 permit ip host 192.168.45.5 host 62.x.x.x
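The two posts above describe the working pattern: a policy static NAT whose ACL maps one local host (192.168.45.5) to one global address, a crypto ACL that references the NATted address rather than the private one, a dedicated public IP that is not the outside interface address, and additional remote destinations added as further lines of the same ACL. The following checker is an added example, not code from the original thread or from Cisco; it parses a constructed ASA 8.2-style fragment and flags configurations that break any of those four rules. The addresses (198.51.100.x, 203.0.113.x) are RFC 5737 documentation ranges chosen as placeholders, the ACL name VPN_PARTNER and crypto map name OUTSIDE_MAP are assumptions, and only the handful of command forms seen in the thread (access-list, static, crypto map match address, interface/nameif/ip address) are recognised.

```python
"""Sanity checks for an ASA 8.2 policy static NAT used as a VPN encryption domain.

Constructed example: parses a small ASA 8.2-style config fragment and verifies that
  1. the ACL referenced by `static (inside,outside)` maps exactly one local host to
     the one global (NATted) address, i.e. the one-to-one relation in the thread,
  2. the crypto ACL references the NATted address, never the private one,
  3. the NATted address is not the outside interface address (dedicated public IP),
  4. every remote destination in the policy NAT ACL also appears in the crypto ACL.
Addresses are RFC 5737 documentation ranges, not real ones (constructed sample).
"""
import re
from collections import defaultdict

# Constructed "good" fragment: 192.168.45.5 is NATted to the dedicated 198.51.100.10
# for two partner destinations, and the crypto ACL matches on the NATted address.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 198.51.100.1 255.255.255.0
access-list NET1 permit ip host 192.168.45.5 host 203.0.113.1
access-list NET1 permit ip host 192.168.45.5 host 203.0.113.2
static (inside,outside) 198.51.100.10 access-list NET1
access-list VPN_PARTNER permit ip host 198.51.100.10 host 203.0.113.1
access-list VPN_PARTNER permit ip host 198.51.100.10 host 203.0.113.2
crypto map OUTSIDE_MAP 10 match address VPN_PARTNER
"""

# Constructed "broken" fragment: reuses the outside interface IP as the global
# address and puts the private address in the crypto ACL (the original mistake).
BROKEN_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 198.51.100.1 255.255.255.0
access-list NET1 permit ip host 192.168.45.5 host 203.0.113.1
static (inside,outside) 198.51.100.1 access-list NET1
access-list VPN_PARTNER permit ip host 192.168.45.5 host 203.0.113.1
crypto map OUTSIDE_MAP 10 match address VPN_PARTNER
"""

ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip host (\S+) host (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def parse_config(text):
    """Extract host-to-host ACEs, policy statics, crypto ACL names and the outside IP."""
    acls = defaultdict(list)   # acl name -> [(source host, destination host), ...]
    statics = []               # [{"global": ip, "acl": name}, ...]
    crypto_acls = []           # ACL names bound to a crypto map entry
    outside_ip = None
    in_outside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_outside = False          # a new interface block starts
        elif line == "nameif outside":
            in_outside = True
        elif line.startswith("ip address ") and in_outside:
            outside_ip = line.split()[2]
        elif (m := ACE_RE.match(line)):
            acls[m.group(1)].append((m.group(2), m.group(3)))
        elif (m := STATIC_RE.match(line)):
            statics.append({"global": m.group(3), "acl": m.group(4)})
        elif (m := CRYPTO_RE.match(line)):
            crypto_acls.append(m.group(1))
    return {"acls": dict(acls), "statics": statics,
            "crypto_acls": crypto_acls, "outside_ip": outside_ip}


def check_policy_nat(cfg):
    """Return a list of human-readable findings; an empty list means all checks pass."""
    findings = []
    crypto_pairs = set()
    for name in cfg["crypto_acls"]:
        crypto_pairs.update(cfg["acls"].get(name, []))
    for st in cfg["statics"]:
        aces = cfg["acls"].get(st["acl"], [])
        if not aces:
            findings.append(f"static references ACL {st['acl']} which has no host entries")
            continue
        local_hosts = {src for src, _ in aces}
        if len(local_hosts) != 1:   # rule 1: one local host <-> one global address
            findings.append(f"ACL {st['acl']} maps {len(local_hosts)} local hosts to "
                            f"{st['global']}; a policy static must be one-to-one")
        if st["global"] == cfg["outside_ip"]:   # rule 3: dedicated public IP
            findings.append(f"global {st['global']} is the outside interface address; "
                            "use a dedicated public IP")
        for local, remote in aces:
            if (local, remote) in crypto_pairs:    # rule 2: no private IP in crypto ACL
                findings.append(f"crypto ACL matches private {local} -> {remote}; "
                                f"it should match NATted {st['global']}")
            if (st["global"], remote) not in crypto_pairs:   # rule 4: every destination covered
                findings.append(f"crypto ACL has no entry {st['global']} -> {remote}")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(f"== {label} ==")
        for f in check_policy_nat(parse_config(text)) or ["OK"]:
            print(" ", f)
```

Adding a third partner destination is just another `access-list NET1 permit ip host 192.168.45.5 host ...` line plus the matching `access-list VPN_PARTNER permit ip host 198.51.100.10 host ...` line; rule 4 is what catches the common slip of extending NET1 but forgetting the crypto ACL, which leaves the tunnel up while that destination's traffic is never encrypted.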
08-04-2015 09:58 PM
Rizwan,
Thanks for the clarification, but what I mean is that
my local web server 192.168.45.5 will remain the same, but our partner's encryption domains will be different, i.e.
Partner Location 1
Encryption domain 72.x.x.1
Partner Location 2
Encryption domain 72.x.x.2
My local web server 192.168.45.5
My point is: can I use two different static NAT policies for the local web server, as attached below?