11-27-2012 12:50 PM
I have a VPN tunnel configured with this NAT scenario.
access-list l2lnat1 extended permit ip host 10.1.1.1 host 172.16.1.1
access-list l2lnat2 extended permit ip host 10.1.1.2 host 172.16.1.1
static(inside,outside) 192.168.1.1 access-list l2lnat1
static(inside,outside) 192.168.1.2 access-list l2lnat2
Will this NAT be bidirectional? In other words, if the remote 172 side tries to bring up the tunnel, will it come up and NAT to allow them to communicate, or do I need to have the reverse source and destination in each access list in order for the static to work in reverse?
Thanks.
Solved! Go to Solution.
11-27-2012 01:23 PM
Hi Ty,
Assuming you run pre 8.3 OS version, then NAT configuration you showed is bidirectional as per
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html#wp1080960
As to what traffic brings the tunnel up, that depends on the crypto ACL configuration. In your case I believe you want to NAT 10.1.1.1 (10.1.1.2) to 192.168.1.1 (192.168.1.2) while communicating with 172.16.1.1 (172.16.1.2), thus the crypto ACL should look like below, since encryption is done last:
ACL_CRYPTO permit ip host 192.168.1.1 host 172.16.1.1
ACL_CRYPTO permit ip host 192.168.1.2 host 172.16.1.2
Accordingly, the IPsec peer should have the above ACL mirrored:
ACL_CRYPTO_PEER permit ip host 172.16.1.1 host 192.168.1.1
ACL_CRYPTO_PEER permit ip host 172.16.1.2 host 192.168.1.2
regards,
Pawel
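As an added illustration (not part of Pawel's reply or any Cisco code), here is a small Python model of the thread's policy static NAT and crypto ACLs; the addresses are taken from the thread, the second crypto ACE is written against 172.16.1.1 to match the question's l2lnat2 ACL, and the helper names are my own. It shows the static translating in both directions and checks that the peer's crypto ACL mirrors the local one on the post-NAT addresses.

```python
# Added example: model of pre-8.3 ASA policy static NAT + crypto ACL matching.
from typing import Optional, Tuple

# Constructed from the thread: (real_src, dst, mapped_src), one per
# "static (inside,outside) <mapped> access-list <acl>" with a host/host ACE.
POLICY_STATICS = [
    ("10.1.1.1", "172.16.1.1", "192.168.1.1"),  # l2lnat1
    ("10.1.1.2", "172.16.1.1", "192.168.1.2"),  # l2lnat2
]
# Crypto ACLs are evaluated on post-NAT addresses: (local, remote).
ACL_CRYPTO = [("192.168.1.1", "172.16.1.1"), ("192.168.1.2", "172.16.1.1")]
ACL_CRYPTO_PEER = [("172.16.1.1", "192.168.1.1"), ("172.16.1.1", "192.168.1.2")]


def translate_outbound(src: str, dst: str) -> Tuple[str, str]:
    """inside->outside: rewrite the source when (real_src, dst) matches an ACE."""
    for real, acl_dst, mapped in POLICY_STATICS:
        if src == real and dst == acl_dst:
            return mapped, dst
    return src, dst  # no policy hit: packet leaves untranslated


def untranslate_inbound(src: str, dst: str) -> Tuple[str, str]:
    """outside->inside: the static is bidirectional, so a packet from the ACE's
    destination to the mapped address is rewritten back to the real host."""
    for real, acl_dst, mapped in POLICY_STATICS:
        if dst == mapped and src == acl_dst:
            return src, real
    return src, dst


def is_interesting(acl, src: str, dst: str) -> bool:
    """True when (src, dst) hits a crypto ACE, i.e. the flow is encrypted."""
    return (src, dst) in acl


def peer_acl_mirrors(local_acl, peer_acl) -> bool:
    """The remote peer's crypto ACL must be the exact mirror of the local one."""
    return sorted((d, s) for s, d in local_acl) == sorted(peer_acl)


def trace_outbound(src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Post-NAT pair that enters the tunnel, or None if it is not encrypted."""
    nat_src, nat_dst = translate_outbound(src, dst)
    return (nat_src, nat_dst) if is_interesting(ACL_CRYPTO, nat_src, nat_dst) else None


def trace_inbound(src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Remote-initiated flow: None unless the peer's crypto ACL encrypts it,
    otherwise the (src, real_dst) pair delivered on the inside."""
    if not is_interesting(ACL_CRYPTO_PEER, src, dst):
        return None
    return untranslate_inbound(src, dst)
```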
11-28-2012 06:29 AM
Thank You.