Policy NAT problem over site2site/l2l tunnel

Sentia NOC
Level 1

Hi everyone,

I have been working on a problem for a while but have yet to solve it.

(diagram: plan.png)

I have site A, which needs to access hosts on site B; this traffic needs to go both ways.

I have a site2site tunnel between site A and site B that works fine; the tunnel is established when I use packet-tracer from 172.31.10.30 to 1.1.1.10, and I can also ping 1.1.1.10 from the firewall through the tunnel.

The problem is that on the inside zone I have a router and behind it a host, 172.21.11.30, and I need this range (172.21.11.0/24) to be able to reach 1.1.1.1 as well.

Reading forums I have seen other people use policy NAT to solve this problem: the policy NAT takes hosts in the 172.21.11.0/24 range and NATs them to, let's say, 172.31.10.100 when they try to reach 1.1.1.10.

I'm running 8.4 and here is the NAT policy I'm trying to get to work:

3 objects:

NETWORK_OBJ_172.21.11.0_24

NETWORK_OBJ_172.31.10.0_23

NETWORK_OBJ_1.1.1.10

Tried:

nat (inside,outside) source static NETWORK_OBJ_172.21.11.30 NETWORK_OBJ_172.31.10.100 destination static NETWORK_OBJ_1.1.1.10 NETWORK_OBJ_172.21.11.30

I see the packets entering the ASDM logger, but it does not trigger the tunnel, which is the first step to reaching 1.1.1.10, so I'm not sure if the ASA sees the packet from 172.21.11.30 as 172.31.10.100 at all.

So packets from 172.21.11.0/24 should be translated to 172.21.11.30 so the firewall will send them over the tunnel to 1.1.1.10.

Any help would be appreciated

7 Replies

Jennifer Halim
Cisco Employee

If the 172.31.10.0 subnet is on the outside interface, how do you terminate the VPN tunnel?

Is the diagram incorrect? Should 172.31.10.0 be somewhere else, as it is a private subnet?

Which interface are you terminating the VPN on, and which interface does 172.31.10.0 belong to?

Do you need to NAT 172.21.11.0/24? Or can you just add a crypto ACL for that subnet on both ends, and also create a NAT exemption for it?

172.31.10.0 is a bit off on the drawing; it should be placed over the VPN tunnel. It is not on the outside, it's on the inside.

I terminate the tunnel 3.3.3.3 (me) to 2.2.2.2 (customer), and the crypto map has 172.31.10.0/23 as the local VPN net and 1.1.1.10 as the remote VPN net/host I need to reach.

The problem is that the customer has many different tunnels, so we cannot add 172.21.11.0/24 to the crypto map due to overlap. I therefore have to NAT my way out of it by translating 172.21.11.0/24 to 172.31.10.100 so the tunnel will come up and the packets are sent to 1.1.1.10.

The tunnel works fine and I can reach 1.1.1.10 from the 172.31.10.0/23 net, but I need to reach 1.1.1.10 from a host on the 172.21.11.0/24 subnet, which is also on the inside.

I am terminating the VPN on outside IP 3.3.3.3.

OK, got it now.

Let's try again with the NAT statement. Rizwanr74 is right, it should be dynamic; however, other parameters are also incorrect, so let me start again.

I assume that 172.31.10.100 is a spare, unique IP in that subnet:

object network obj-172.31.10.100

   host 172.31.10.100

nat (inside,outside) source dynamic NETWORK_OBJ_172.21.11.0_24 obj-172.31.10.100 destination static NETWORK_OBJ_1.1.1.10 NETWORK_OBJ_1.1.1.10

The highlighted keywords were the changes.

rizwanr74
Level 7

Hi Jaynet,

Please change your "static" to "dynamic" as shown below.

nat (inside,outside) source dynamic NETWORK_OBJ_172.21.11.30 NETWORK_OBJ_172.31.10.100 destination static NETWORK_OBJ_1.1.1.10 NETWORK_OBJ_172.21.11.30

Let me know, if this helps.

thanks

Rizwan Rafeek

I had static instead of dynamic because I was using single hosts and not subnets, but I changed it to subnets and it's still the same.

In my opinion the NAT statement is OK; I can see in the log that it translates the 172.21.11.0/24 network to 172.31.10.100 when trying to connect to 1.1.1.10, but whatever I do it will not trigger the site2site tunnel, which is the problem. If I send packets from 172.31.10.0/23 (without being translated from the 172.21.11 net first) it will trigger the tunnel, send the packets through and reach 1.1.1.10 fine.

It seems that the ASA translates OK but does not internally see my translated 172.21.11.30 (172.31.10.100) as a tunnel-triggering IP.

So I have 2 things that work fine, it seems: the translation from the 172.21.11.0 net to 172.31.10.100, and the tunnel with the 172.31.10.0/23 net that can reach 1.1.1.10, but somehow the connection between the 2 is not happening.

Can you please post your current NAT statement? It needs to be something like this:

nat (inside,outside) source static NETWORK_OBJ_172.21.11.30 NETWORK_OBJ_172.31.10.100 destination static NETWORK_OBJ_1.1.1.10 NETWORK_OBJ_1.1.1.10

I changed it to dynamic, so now I have:

nat (inside,outside) source dynamic NETWORK_OBJ_172.21.11.0_24 obj-172.31.10.100 destination static NETWORK_OBJ_1.1.1.10 NETWORK_OBJ_1.1.1.10
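The mechanism the whole thread hinges on is the ASA 8.3+ order of operations: manual (twice) NAT is applied first, and the crypto map ACL is then compared against the translated addresses to decide whether a packet is "interesting traffic" that brings the L2L tunnel up. That is why NAT exemption is normally needed for VPN traffic, and why a policy NAT that rewrites 172.21.11.0/24 to an address inside the 172.31.10.0/23 crypto ACL range can work at all. The Python below is an added model of that evaluation, not configuration or code from the thread or from Cisco: it parses the two NAT statements posted above (the original static one and the corrected dynamic one) and runs a packet from 172.21.11.30 to 1.1.1.10 through them. The object contents, the crypto ACL name and the packet addresses are assumptions taken from the thread; rule evaluation is first-match in listed order, which is how section 1 manual NAT rules behave.

```python
"""Model of ASA 8.3+ twice NAT followed by the crypto map ACL check.

Added example; the object table and crypto ACL are constructed from the
values posted in the thread and are assumptions, not a copy of the box.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for the thread's `object network` definitions.
OBJECTS = {
    "NETWORK_OBJ_172.21.11.0_24": ip_network("172.21.11.0/24"),
    "NETWORK_OBJ_172.21.11.30": ip_network("172.21.11.30/32"),
    "NETWORK_OBJ_172.31.10.0_23": ip_network("172.31.10.0/23"),
    "NETWORK_OBJ_172.31.10.100": ip_network("172.31.10.100/32"),
    "obj-172.31.10.100": ip_network("172.31.10.100/32"),
    "NETWORK_OBJ_1.1.1.10": ip_network("1.1.1.10/32"),
}

# Crypto map ACL from the thread: local 172.31.10.0/23, remote host 1.1.1.10.
# Assumed equivalent ASA line (ACL name is made up):
#   access-list outside_cryptomap extended permit ip 172.31.10.0 255.255.254.0 host 1.1.1.10
CRYPTO_ACL = [(ip_network("172.31.10.0/23"), ip_network("1.1.1.10/32"))]


@dataclass
class NatRule:
    src_mode: str     # "static" or "dynamic"
    src_match: str    # source object the pre-NAT packet must be in
    src_rewrite: str  # object the source is rewritten to
    dst_match: str    # destination object the pre-NAT packet must be in
    dst_rewrite: str  # object the destination is rewritten to


def parse_nat(line):
    """Parse `nat (in,out) source {static|dynamic} A B destination static C D`."""
    t = line.split()
    if t[:1] != ["nat"] or t[2] != "source" or t[6:8] != ["destination", "static"]:
        raise ValueError("unsupported nat syntax: " + line)
    return NatRule(t[3], t[4], t[5], t[8], t[9])


def _rewrite(addr, match_net, new_net, mode):
    if mode == "dynamic":
        # A single mapped host behind `dynamic` is PAT: every source becomes that IP.
        return new_net.network_address
    # static: 1:1 mapping that preserves the host offset inside the object
    return new_net.network_address + (int(addr) - int(match_net.network_address))


def translate(src, dst, rules):
    """First-match evaluation of ordered twice-NAT rules.

    Returns (src, dst, index of matching rule or None); untranslated if no rule matches.
    """
    src, dst = ip_address(src), ip_address(dst)
    for i, r in enumerate(rules):
        s_net, d_net = OBJECTS[r.src_match], OBJECTS[r.dst_match]
        if src in s_net and dst in d_net:
            new_src = _rewrite(src, s_net, OBJECTS[r.src_rewrite], r.src_mode)
            new_dst = _rewrite(dst, d_net, OBJECTS[r.dst_rewrite], "static")
            return new_src, new_dst, i
    return src, dst, None


def is_interesting(src, dst, acl=CRYPTO_ACL):
    """Crypto map ACL check; on 8.3+ this sees the post-NAT addresses."""
    return any(src in s and dst in d for s, d in acl)


def tunnel_triggered(src, dst, nat_lines):
    """Run NAT then the crypto ACL; returns (triggered, translated src, translated dst)."""
    rules = [parse_nat(ln) for ln in nat_lines]
    nsrc, ndst, _ = translate(src, dst, rules)
    return is_interesting(nsrc, ndst), str(nsrc), str(ndst)


# The two statements from the thread, verbatim.
ORIGINAL = ("nat (inside,outside) source static NETWORK_OBJ_172.21.11.30 NETWORK_OBJ_172.31.10.100 "
            "destination static NETWORK_OBJ_1.1.1.10 NETWORK_OBJ_172.21.11.30")
CORRECTED = ("nat (inside,outside) source dynamic NETWORK_OBJ_172.21.11.0_24 obj-172.31.10.100 "
             "destination static NETWORK_OBJ_1.1.1.10 NETWORK_OBJ_1.1.1.10")

if __name__ == "__main__":
    for label, line in (("original", ORIGINAL), ("corrected", CORRECTED)):
        hit, s, d = tunnel_triggered("172.21.11.30", "1.1.1.10", [line])
        print(f"{label}: {s} -> {d}, crypto ACL match = {hit}")
```

The model shows the two failure modes the thread walks through. With no matching rule, 172.21.11.30 reaches the crypto ACL untranslated and cannot match, which is why a crypto ACL entry or a NAT rule is needed in the first place. The original static statement translates the source correctly but also rewrites the destination from 1.1.1.10 to 172.21.11.30, so the post-NAT packet fails the crypto ACL and no tunnel negotiation starts. The corrected statement leaves the destination alone and the translated 172.31.10.100 -> 1.1.1.10 packet matches. On a real box the equivalent check is `packet-tracer input inside tcp 172.21.11.30 12345 1.1.1.10 80`, whose NAT phase shows the translated addresses and whose VPN encrypt phase shows whether that translated flow matched the crypto map; if the translation is right but the encrypt phase still fails, the remaining suspects are rule order (an earlier manual NAT rule matching first) and the crypto ACL contents, both of which this model lets you test by editing the lists.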
