02-09-2015 11:41 AM
I have been doing everything for NAT in 9.x and I did not do very much at all with NAT in 8.2 and earlier with this setup.
I have some local subnets:
172.30.1.0/24
172.30.16.0/24
172.30.3.0/24
172.30.12.0/24
172.30.7.0/24
172.30.35.0/24
that will need to access a remote subnet:
10.31.255.128/25
and the requirement is to NAT the following:
Many to Many NAT requirement.
172.30.1.0/24 NAT to 192.168.104.0/24
172.30.16.0/24 NAT to 192.168.105.0/24
172.30.3.0/24 NAT to 192.168.108.0/24
172.30.12.0/24 NAT to 192.168.106.0/24
172.30.7.0/24 NAT to 192.168.107.0/24
172.30.35.0/24 NAT to 192.168.103.0/24
when going to the 10.31.255.128/25 subnet.
Here is what I think I need and I am looking for confirmation and/or help.
*****Group Config ********************
object-group network LOCAL-NATed-NETWORKS
subnet 192.168.104.0 255.255.255.0
subnet 192.168.105.0 255.255.255.0
subnet 192.168.108.0 255.255.255.0
subnet 192.168.106.0 255.255.255.0
subnet 192.168.107.0 255.255.255.0
subnet 192.168.103.0 255.255.255.0
object-group network REMOTE-NETWORK
subnet 10.31.255.128 255.255.255.128
***ACL for crypto-map****
access-list REMOTE_cryptomap_72 extended permit ip object-group LOCAL-NATed-NETWORKS object-group REMOTE-NETWORK
**** NAT Config *******
nat (inside) 10 172.30.1.0 255.255.255.0
nat (inside) 20 172.30.16.0 255.255.255.0
nat (inside) 30 172.30.3.0 255.255.255.0
nat (inside) 40 172.30.12.0 255.255.255.0
nat (inside) 50 172.30.7.0 255.255.255.0
nat (inside) 60 172.30.35.0 255.255.255.0
global (outside) 10 192.168.104.0 255.255.255.0
global (outside) 20 192.168.105.0 255.255.255.0
global (outside) 30 192.168.108.0 255.255.255.0
global (outside) 40 192.168.106.0 255.255.255.0
global (outside) 50 192.168.107.0 255.255.255.0
global (outside) 60 192.168.103.0 255.255.255.0
*****This is setting up the transform-set that is called out in the Crypto map.*****
crypto ipsec ikev1 transform-set REMOTE-SET esp-3des esp-sha-hmac
****This configures the Crypto map.*****
crypto map outside_map 72 match address REMOTE_cryptomap_72
crypto map outside_map 72 set peer 5.5.5.4
crypto map outside_map 72 set ikev1 transform-set REMOTE-SET
crypto map outside_map 72 set reverse-route
*****Sets up IKE******
crypto ikev1 policy 72
hash sha
authentication pre-share
group 2
lifetime 28800
encryption 3des
*****Sets up the tunnel group (Connection Profile)*****
tunnel-group 5.5.5.4 type ipsec-l2l
tunnel-group 5.5.5.4 ipsec-attributes
ikev1 pre-shared-key **TBD*
Thanks,
Mike
02-09-2015 01:09 PM
Try this:
access-list NET1-104 extended permit ip 172.30.1.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list NET16-105 extended permit ip 172.30.16.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list NET3-108 extended permit ip 172.30.3.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list NET12-106 extended permit ip 172.30.12.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list NET7-107 extended permit ip 172.30.7.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list NET35-103 extended permit ip 172.30.35.0 255.255.255.0 10.31.255.128 255.255.255.128
nat (inside) 10 access-list NET1-104
nat (inside) 20 access-list NET16-105
nat (inside) 30 access-list NET3-108
nat (inside) 40 access-list NET12-106
nat (inside) 50 access-list NET7-107
nat (inside) 60 access-list NET35-103
02-09-2015 01:26 PM
Thanks for the reply....
But I have this requirement.....
and the requirement is to NAT the following:
Many to Many NAT requirement.
172.30.1.0/24 NAT to 192.168.104.0/24
172.30.16.0/24 NAT to 192.168.105.0/24
172.30.3.0/24 NAT to 192.168.108.0/24
172.30.12.0/24 NAT to 192.168.106.0/24
172.30.7.0/24 NAT to 192.168.107.0/24
172.30.35.0/24 NAT to 192.168.103.0/24
when going to the 10.31.255.128/25 subnet.
So in other words when I am in the 172.30.1.0 subnet and need to access a server at 10.31.255.130 and I come across the tunnel my IP address needs to be translated from the 172.30.1.0 subnet to the 192.168.104.0 subnet and they will route the 192.168.104.X address as needed.
Mike
02-09-2015 02:08 PM
With your existing global statements, my suggestion should fulfill the requirement. Here's some further info: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_overview.html#wp1088419
02-10-2015 05:14 AM
Thanks, I read the document and don't I need this as part of the config?
global (outside) 10 192.168.104.0 255.255.255.0
global (outside) 20 192.168.105.0 255.255.255.0
global (outside) 30 192.168.108.0 255.255.255.0
global (outside) 40 192.168.106.0 255.255.255.0
global (outside) 50 192.168.107.0 255.255.255.0
global (outside) 60 192.168.103.0 255.255.255.0
Mike
02-10-2015 11:43 AM
Here were the requirements
Peer IP Address: 5.5.5.4
Local outside IP Address: 4.4.4.5 /29
IKEv1 setup
Phase 1
Hash Algorithm: SHA1
Authentication Method: Pre-Share Key KeyGoesHere
Group (DH): 2
Lifetime: 28800
Encryption: 3DES
Phase 2
Hash Algorithm: SHA1
Lifetime: 3600
Encryption: 3DES
PFS: No
Local Subnets:
172.30.1.0/24
172.30.16.0/24
172.30.3.0/24
172.30.12.0/24
172.30.7.0/24
172.30.35.0/24
Remote Subnet:
10.31.255.128/25
Many to Many NAT requirement.
172.30.1.0/24 NAT to 192.168.104.0/24
172.30.16.0/24 NAT to 192.168.105.0/24
172.30.3.0/24 NAT to 192.168.108.0/24
172.30.12.0/24 NAT to 192.168.106.0/24
172.30.7.0/24 NAT to 192.168.107.0/24
172.30.35.0/24 NAT to 192.168.103.0/24
**************************************************************************
Here is the final config I used and tested all good.
***ACL for NAT****
access-list NAT-REMOTE-11 extended permit ip 172.30.1.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list NAT-REMOTE-12 extended permit ip 172.30.16.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list NAT-REMOTE-13 extended permit ip 172.30.3.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list NAT-REMOTE-14 extended permit ip 172.30.12.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list NAT-REMOTE-15 extended permit ip 172.30.7.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list NAT-REMOTE-16 extended permit ip 172.30.35.0 255.255.255.0 10.31.255.128 255.255.255.128
***ACL for crypto-map****
access-list REMOTE-CRYPTOMAP-17 extended permit ip 192.168.104.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list REMOTE-CRYPTOMAP-17 extended permit ip 192.168.105.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list REMOTE-CRYPTOMAP-17 extended permit ip 192.168.108.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list REMOTE-CRYPTOMAP-17 extended permit ip 192.168.106.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list REMOTE-CRYPTOMAP-17 extended permit ip 192.168.107.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list REMOTE-CRYPTOMAP-17 extended permit ip 192.168.103.0 255.255.255.0 10.31.255.128 255.255.255.128
**** NAT Config******
nat (inside) 11 access-list NAT-REMOTE-11
nat (inside) 12 access-list NAT-REMOTE-12
nat (inside) 13 access-list NAT-REMOTE-13
nat (inside) 14 access-list NAT-REMOTE-14
nat (inside) 15 access-list NAT-REMOTE-15
nat (inside) 16 access-list NAT-REMOTE-16
global (outside) 11 192.168.104.10-192.168.104.250 netmask 255.255.255.0
global (outside) 12 192.168.105.10-192.168.105.250 netmask 255.255.255.0
global (outside) 13 192.168.108.10-192.168.108.250 netmask 255.255.255.0
global (outside) 14 192.168.106.10-192.168.106.250 netmask 255.255.255.0
global (outside) 15 192.168.107.10-192.168.107.250 netmask 255.255.255.0
global (outside) 16 192.168.103.10-192.168.103.250 netmask 255.255.255.0
*****This is setting up the transform-set that is called out in the Crypto map.*****
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
****This configures the Crypto map.*****
crypto map MAP-VPN 72 match address REMOTE-CRYPTOMAP-17
crypto map MAP-VPN 72 set peer 5.5.5.4
crypto map MAP-VPN 72 set transform-set ESP-3DES-SHA
crypto map MAP-VPN 72 set reverse-route
crypto map MAP-VPN interface outside
*****Sets up Phase 1******
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
*****Sets up the tunnel group (Connection Profile)*****
tunnel-group 5.5.5.4 type ipsec-l2l
tunnel-group 5.5.5.4 ipsec-attributes
pre-shared-key KeyGoesHere
Hope this helps others.
Mike
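Added illustration, not part of the thread and not Cisco code: a small Python model of what the ASA 8.2 does with the final config above (and with the reply's access-list NAT suggestion), so the two points of the thread can be checked offline. Outbound traffic is matched against the `nat (inside) <id> access-list` entries (source and destination), a mapped address is taken from the `global (outside) <id>` pool with the same id, and only then is the crypto-map ACL evaluated, which is why `REMOTE-CRYPTOMAP-17` lists the 192.168.x.0 translated networks rather than the 172.30.x.0 originals. The config strings are constructed excerpts with three of the six subnets (same addresses and pool ranges as the post); the contrast config uses the source-only `nat` form from the first post. Simplifications are marked in the comments: rules are evaluated in configuration order, PAT is not modelled, and nat-control is assumed off.

```python
import ipaddress

# Constructed excerpt of the final 8.2 config from the thread (three of the six
# subnets; same ACL names, addresses and pool ranges).  Not the full device config.
FINAL_CONFIG = """
access-list NAT-REMOTE-11 extended permit ip 172.30.1.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list NAT-REMOTE-12 extended permit ip 172.30.16.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list NAT-REMOTE-16 extended permit ip 172.30.35.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list REMOTE-CRYPTOMAP-17 extended permit ip 192.168.104.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list REMOTE-CRYPTOMAP-17 extended permit ip 192.168.105.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list REMOTE-CRYPTOMAP-17 extended permit ip 192.168.103.0 255.255.255.0 10.31.255.128 255.255.255.128
nat (inside) 11 access-list NAT-REMOTE-11
nat (inside) 12 access-list NAT-REMOTE-12
nat (inside) 16 access-list NAT-REMOTE-16
global (outside) 11 192.168.104.10-192.168.104.250 netmask 255.255.255.0
global (outside) 12 192.168.105.10-192.168.105.250 netmask 255.255.255.0
global (outside) 16 192.168.103.10-192.168.103.250 netmask 255.255.255.0
"""

# Constructed contrast: the source-only form proposed in the first post.  It has no
# destination condition, so the same host is translated wherever it goes.
REGULAR_NAT_CONFIG = """
nat (inside) 10 172.30.1.0 255.255.255.0
global (outside) 10 192.168.104.10-192.168.104.250 netmask 255.255.255.0
"""

CRYPTO_ACL = "REMOTE-CRYPTOMAP-17"
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_config(text):
    """Parse the three statement types used above into (acls, nat_rules, pools)."""
    acls, nat_rules, pools = {}, [], {}
    for line in text.strip().splitlines():
        f = line.split()
        if f[0] == "access-list":            # extended permit ip SRC MASK DST MASK
            src = ipaddress.ip_network(f"{f[5]}/{f[6]}")
            dst = ipaddress.ip_network(f"{f[7]}/{f[8]}")
            acls.setdefault(f[1], []).append((src, dst))
        elif f[0] == "nat":
            nat_id = int(f[2])
            if f[3] == "access-list":        # policy NAT: ACL must already be defined
                nat_rules.append((nat_id, acls[f[4]]))
            else:                            # regular dynamic NAT: source only, any destination
                nat_rules.append((nat_id, [(ipaddress.ip_network(f"{f[3]}/{f[4]}"), ANY)]))
        elif f[0] == "global":
            if "-" not in f[3]:              # a single address would mean PAT: not modelled here
                raise ValueError(f"unsupported global form: {line}")
            lo, hi = (int(ipaddress.ip_address(a)) for a in f[3].split("-"))
            pools[int(f[2])] = [ipaddress.ip_address(a) for a in range(lo, hi + 1)]
    return acls, nat_rules, pools


class Asa82:
    """Minimal model of ASA 8.2 outbound dynamic NAT followed by crypto-map matching.

    Simplification: nat entries are tried in configuration order (a real ASA ranks
    policy NAT ahead of regular NAT regardless of order).  nat-control is assumed off,
    so a flow that matches no nat entry leaves untranslated.
    """

    def __init__(self, config, crypto_acl=CRYPTO_ACL):
        self.acls, self.nat_rules, self.pools = parse_config(config)
        self.crypto = self.acls.get(crypto_acl, [])
        self.xlates = {}                                   # (nat id, inside ip) -> mapped ip
        self.in_use = {i: set() for i in self.pools}

    def translate(self, src, dst):
        """Return the mapped source address for an inside-to-outside flow."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for nat_id, entries in self.nat_rules:
            if not any(src in s and dst in d for s, d in entries):
                continue
            key = (nat_id, src)
            if key not in self.xlates:                     # new host: allocate from the pool
                free = next((a for a in self.pools[nat_id] if a not in self.in_use[nat_id]), None)
                if free is None:                           # dynamic NAT has no fallback: flow is dropped
                    raise RuntimeError(f"global pool {nat_id} exhausted; flow from {src} dropped")
                self.xlates[key] = free
                self.in_use[nat_id].add(free)
            return self.xlates[key]
        return src

    def will_encrypt(self, src, dst):
        """(mapped source, True if the post-NAT packet matches the crypto-map ACL)."""
        mapped = self.translate(src, dst)
        dst = ipaddress.ip_address(dst)
        return mapped, any(mapped in s and dst in d for s, d in self.crypto)


def compare_forms(src="172.30.1.5", internet_dst="8.8.8.8"):
    """Mapped source for an Internet-bound flow under policy NAT vs regular NAT."""
    return (str(Asa82(FINAL_CONFIG).translate(src, internet_dst)),
            str(Asa82(REGULAR_NAT_CONFIG).translate(src, internet_dst)))


if __name__ == "__main__":
    asa = Asa82(FINAL_CONFIG)
    print(asa.will_encrypt("172.30.1.5", "10.31.255.130"))     # first host in subnet 1 -> .104.10, encrypted
    print(asa.will_encrypt("172.30.16.7", "10.31.255.130"))    # subnet 16 -> .105.10, encrypted
    print(asa.will_encrypt("172.30.1.5", "8.8.8.8"))           # not to the remote subnet: untouched
    print(compare_forms())
```

Two caveats the model surfaces: the pool ranges in the final config (.10 to .250) hold 241 addresses, while each /24 can hold 254 hosts, so once a pool is exhausted a dynamic-only global drops further new connections from that subnet; and a crypto ACL written against the pre-NAT 172.30.x.0 networks would never match, leaving the translated traffic unencrypted, so `show xlate` and the crypto ACL should be checked together when the tunnel does not come up.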