
ASA 5501 Site to Site configuration question

helpdesk
Level 1

I'm using the ASDM 6.3 to configure a site-to-site VPN with an external vendor. I have done this in the past using our older 3005 concentrator, but want to use the ASA for future VPN connections.

The vendor is requesting we NAT the (only) internal host they need access to with a public IP address. The question I have is this: can I NAT the internal address using a public IP that is in the same subnet as the outside interface on the ASA? Let's say the external interface IP of the ASA is 55.51.157.236 and I need the traffic from my inside host (172.16.1.87) to be NATed as 55.51.157.239.

What I did is create an object in the ASDM for the internal host (172.16.1.87). I then created an object for the public IP (55.51.157.239). In the properties of the public IP, I enabled NAT (Static) and selected the internal host as the translated address. I then chose that as my Local Network in the Site-to-Site Connection profile. I'm not sure if this is correct or if it needs to be reversed.

Jeff Jack

Attachment: Capture1.JPG

1 Reply

Jennifer Halim
Cisco Employee

Yes, you definitely can; however, you may want to specify that only traffic from 172.16.1.87 going towards the remote subnet/LAN is NATed to 55.51.157.239. Otherwise, it will NAT all traffic from 172.16.1.87 towards everywhere to 55.51.157.239, unless you don't mind this.

To configure 172.16.1.87 to be NATed to 55.51.157.239 only when it's trying to access the remote VPN subnet (assuming that the remote LAN is 10.10.10.0/24):

object network Remote_LAN
        subnet 10.10.10.0 255.255.255.0
object network Rev_360_NAT
        host 55.51.157.239
object network Rev_360_Server
        host 172.16.1.87
nat (inside,outside) 2 source static Rev_360_Server Rev_360_NAT destination static Remote_LAN Remote_LAN

And with the attached ASDM configuration for your reference.

You would also need to make sure that the crypto ACL is referring to the public ip address instead of the private ip address.

Hope that helps.
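The two points in the reply above, that a destination condition on the NAT rule limits the translation to VPN-bound traffic and that the crypto ACL must name the mapped (public) address, modelled as an added Python example. This is not code from the thread or from Cisco: it reproduces the ASA's first-match manual-NAT behaviour in miniature and lints constructed crypto ACL lines. The ACL name `outside_cryptomap`, the Internet-side address 198.51.100.7 and the "unconditional" rule are assumptions made for the illustration; the server, public and remote LAN addresses are the ones from the thread.

```python
"""Model an ASA static manual-NAT rule with and without a destination condition,
and check that crypto ACL entries use the mapped (post-NAT) source address.
Added example for this thread; not part of the original post or of Cisco's code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class StaticNat:
    """One 'nat (inside,outside) source static REAL MAPPED [destination static D D]' rule."""
    real_src: Net
    mapped_src: Net
    dest: Optional[Net] = None  # None: no destination condition (translate towards everywhere)

    def translate(self, src: IPv4, dst: IPv4) -> Optional[IPv4]:
        if src not in self.real_src:
            return None
        if self.dest is not None and dst not in self.dest:
            return None
        # Static NAT is one-to-one: keep the host's offset within the real network.
        offset = int(src) - int(self.real_src.network_address)
        return IPv4(int(self.mapped_src.network_address) + offset)


def translated_source(rules: List[StaticNat], src: str, dst: str) -> str:
    """First matching rule wins. With no match the source is left unchanged.
    (A production ASA would normally still apply a dynamic PAT rule to
    Internet-bound traffic; it is omitted so the destination condition's effect is visible.)"""
    s, d = IPv4(src), IPv4(dst)
    for rule in rules:
        mapped = rule.translate(s, d)
        if mapped is not None:
            return str(mapped)
    return str(s)


# Addresses from the thread.
SERVER = Net("172.16.1.87/32")
PUBLIC = Net("55.51.157.239/32")
REMOTE_LAN = Net("10.10.10.0/24")

# The rule the reply recommends: translate only towards the remote VPN LAN.
CONDITIONAL = [StaticNat(SERVER, PUBLIC, REMOTE_LAN)]
# Assumed contrast: a plain static NAT with no destination condition.
UNCONDITIONAL = [StaticNat(SERVER, PUBLIC)]

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+host\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<mask>\S+)$"
)


def check_crypto_acl(acl_lines: List[str], rules: List[StaticNat]) -> List[str]:
    """Flag crypto ACL entries whose source is a real (pre-NAT) address.

    The crypto ACL is matched against the translated packet, so for NATed hosts
    the proxy identity has to carry the mapped address, not the inside one."""
    problems = []
    for line in acl_lines:
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # only 'permit ip host X Y MASK' entries are modelled here
        src = IPv4(m["src"])
        dst_net = Net((m["dst"], m["mask"]))
        for rule in rules:
            if rule.dest is not None and not rule.dest.overlaps(dst_net):
                continue
            if src in rule.real_src and src not in rule.mapped_src:
                offset = int(src) - int(rule.real_src.network_address)
                mapped = IPv4(int(rule.mapped_src.network_address) + offset)
                problems.append(
                    f"{m['name']}: source {src} is the real address; use mapped {mapped}"
                )
    return problems


# Constructed crypto ACL lines; the ACL name is an assumption, not from the thread.
WRONG_ACL = ["access-list outside_cryptomap extended permit ip host 172.16.1.87 10.10.10.0 255.255.255.0"]
RIGHT_ACL = ["access-list outside_cryptomap extended permit ip host 55.51.157.239 10.10.10.0 255.255.255.0"]

if __name__ == "__main__":
    print("to remote LAN, conditional  :", translated_source(CONDITIONAL, "172.16.1.87", "10.10.10.5"))
    print("to Internet, conditional    :", translated_source(CONDITIONAL, "172.16.1.87", "198.51.100.7"))
    print("to Internet, unconditional  :", translated_source(UNCONDITIONAL, "172.16.1.87", "198.51.100.7"))
    print("crypto ACL with real address:", check_crypto_acl(WRONG_ACL, CONDITIONAL))
    print("crypto ACL with mapped addr :", check_crypto_acl(RIGHT_ACL, CONDITIONAL))
```

With the conditional rule, only traffic from 172.16.1.87 towards 10.10.10.0/24 gets the 55.51.157.239 source; a packet from the same host towards the Internet keeps its inside address, which is exactly the difference the reply points out. The ACL check reports the entry written with 172.16.1.87 and accepts the one written with 55.51.157.239.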