07-09-2017 08:11 AM
Hi, I need to set up a site-to-site VPN with an external vendor, but the vendor has a local subnet that overlaps with our network. We would not like to use additional subnets for mapping. I'm thinking about configuring PAT (using one of the interfaces of the ASA); it's OK if communication only gets initiated by the external partner.
How do I configure PAT in this scenario and the access lists?
Company A
subnet 172.16.10.0/25. Need access to subnets 172.16.5.0/24, 172.16.6.0/24 and 172.16.7.0/24 in company B's network
Company B (large network)
subnet 172.16.0.0/16
07-10-2017 02:22 AM
Hi Henry,
You can use the Dynamic PAT for this.
You need to create an Object group that would involve all the local subnets.
Post that you can use the following nat statement:
nat (inside,outside) source dynamic <object group name> <PAT IP> destination static <remote network> <remote network>
Please ensure you put in the PAT IP in the crypto ACL.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
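The following is an added worked example of the approach described in the answer above, written for this page; it is not configuration from the thread or from Cisco documentation. It shows both ASAs end to end: the objects, the twice-NAT rule that hides Company B's hosts behind its outside interface, the crypto ACLs on both sides written against the PAT IP rather than the real 172.16.x.x subnets, and a packet-tracer check. The outside interface addresses (203.0.113.2 for Company B, 198.51.100.2 for Company A), the object name PeerB_PAT, and the /25 mask for Company A (taken from the question rather than from the posted config) are assumptions.

```cisco
! Added example: NAT and crypto ACLs for the overlap scenario in this thread.
! Assumed (not from the thread):
!   Company B ASA outside interface: 203.0.113.2  <- the PAT IP Company A will see
!   Company A ASA outside interface: 198.51.100.2
!   Company A's real subnet is 172.16.10.0/25, as stated in the question.
!
! ===== Company B (initiates; its hosts are PATed to the outside interface) =====
object network Inside_subnet5
 subnet 172.16.5.0 255.255.255.0
object network Inside_subnet6
 subnet 172.16.6.0 255.255.255.0
object network Inside_subnet7
 subnet 172.16.7.0 255.255.255.0
object-group network subnets5-6-7
 network-object object Inside_subnet5
 network-object object Inside_subnet6
 network-object object Inside_subnet7
object network Outside_RealA
 subnet 172.16.10.0 255.255.255.128
! Twice NAT (manual NAT, section 1): when 172.16.5-7.x talks to 172.16.10.0/25,
! translate the source to the outside interface IP and leave the destination alone.
! Keep this rule above any general "source dynamic any interface" rule so it wins.
nat (inside,outside) source dynamic subnets5-6-7 interface destination static Outside_RealA Outside_RealA
! The crypto ACL is matched against the packet AFTER NAT, so the source here is
! the PAT IP (203.0.113.2), not the real subnets.
access-list outside_cryptomap extended permit ip host 203.0.113.2 object Outside_RealA
!
! ===== Company A (answers only; its hosts keep their real addresses) =====
object network Inside_RealA
 subnet 172.16.10.0 255.255.255.128
object network PeerB_PAT
 host 203.0.113.2
! Identity NAT so a general dynamic PAT rule does not rewrite 172.16.10.x on the
! way back to the peer.
nat (inside,outside) source static Inside_RealA Inside_RealA destination static PeerB_PAT PeerB_PAT
! Mirror image of Company B's crypto ACL: real A subnet <-> B's PAT IP.
access-list outside_cryptomap extended permit ip object Inside_RealA object PeerB_PAT
!
! ===== Check on Company B: a 172.16.5.x host connecting to a 172.16.10.x host =====
packet-tracer input inside tcp 172.16.5.10 12345 172.16.10.20 443
! The NAT phase should show the source rewritten to 203.0.113.2 and the VPN
! phase should be ALLOW; if the final result is a drop, check whether the
! translated flow (203.0.113.2 -> 172.16.10.20) matches outside_cryptomap.
```

Two caveats a practitioner should check before deploying this. First, it only rewrites Company B's source addresses; it assumes 172.16.10.0/25 is not itself routed inside Company B's 172.16.0.0/16, because if it is, B's hosts will deliver that traffic locally and it never reaches the ASA, in which case the destination would have to be translated as well. Second, the ASA bypasses interface ACLs for decrypted VPN traffic by default (sysopt connection permit-vpn); if that has been disabled on Company A's ASA, the outside interface ACL also needs an entry permitting 203.0.113.2 to Inside_RealA.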
07-10-2017 02:42 PM
When I test this with the packet tracer I see that packets get dropped by an access list. Are these access lists correct?
Company A:
object network Inside_RealA
subnet 172.16.10.0 255.255.255.0
object network Remote_subnet5
subnet 172.16.5.0 255.255.255.0
object network Remote_subnet6
subnet 172.16.6.0 255.255.255.0
object network Remote_subnet7
subnet 172.16.7.0 255.255.255.0
object-group network subnets5-6-7
network-object object Remote_subnet5
network-object object Remote_subnet6
network-object object Remote_subnet7
access-list outside_cryptomap extended permit ip object Inside_RealA object-group subnets5-6-7
nat (inside,outside) after-auto source static Inside_RealA Inside_RealA destination static subnets5-6-7 subnets5-6-7
Company B:
object network Outside_RealA
subnet 172.16.10.0 255.255.255.0
object network Inside_subnet5
subnet 172.16.5.0 255.255.255.0
object network Inside_subnet6
subnet 172.16.6.0 255.255.255.0
object network Inside_subnet7
subnet 172.16.7.0 255.255.255.0
object-group network subnets5-6-7
network-object object Inside_subnet5
network-object object Inside_subnet6
network-object object Inside_subnet7
access-list outside_cryptomap extended permit ip object-group subnets5-6-7 object Outside_RealA
nat (inside,outside) source dynamic subnets5-6-7 interface destination static Outside_RealA Outside_RealA
07-10-2017 07:26 PM
Hi,
No, the crypto
access-list outside_cryptomap extended permit
The reverse should be used at Company A.
Regards,
Aditya
07-11-2017 01:51 PM
For Company B I added "access-list outside_cryptomap extended permit ip interface outside object Outside_RealA"
and for Company A I added "access-list outside_cryptomap extended permit ip object Inside_RealA host ipaddressremotefirewall".
It still does not work; I'm not sure what I'm missing.
07-11-2017 08:34 PM
Hi Henry,
Can you share a packet tracer result from one of the ASA's?
Regards,
Aditya