01-22-2015 09:43 AM
I have an ASR1001 that is terminating a policy based tunnel to an ASA. By policy based I mean there is no tunnel interface, just crypto map configurations. I need to do a 1 for 1 NAT translation from one private IP to another private IP for about 30 servers behind the ASA.
The ASR 1001 is not currently doing any NAT for any traffic and it does not need to do dynamic PAT to allow traffic to the internet, since it only sends traffic over tunnels and nothing ever needs to get routed to a public IP.
I am assuming this will be some kind of NAT configuration that possibly involves a route-map and then maybe applied to the crypto map somehow, but I have not been able to find any good examples for what I am trying to do on the internet.
Can anyone help me figure out how to do this config?
01-23-2015 11:48 AM
So I have finally got this working in a lab after much experimentation. Here is what my lab topology looks like:
host 10.0.34.2 ---------R3--------policy based VPN tunnel-------R1-----host 1.1.1.1
I want host 10.0.34.2 to be able to ping 11.11.11.11 and have R3 translate that to 1.1.1.1 before sending it into the policy based tunnel.
Here is the config that I came up with to make that work:
R3
ip nat inside source static 1.1.1.1 11.11.11.11
ip nat outside source static 1.1.1.1 11.11.11.11
!
!
interface Loopback11
 ! Without this the router sends a host unreachable
 ip address 11.11.11.11 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 10.0.34.1 255.255.255.0
 ip nat inside
 ...
!
!
interface GigabitEthernet1/0
 ip address 10.0.23.1 255.255.255.0
 ip nat outside
 crypto map PDX
 ...
!
ip access-list extended YYJ
 permit ip host 10.0.34.2 host 1.1.1.1
!
!
crypto map PDX 1 ipsec-isakmp
 ...
 ...
 match address YYJ
 reverse-route static
Does anyone have any thoughts on improving this config?
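Added example (not part of the original post, and not Cisco code): a simplified Python model of the inside-to-outside path on R3, assuming the classic IOS order of route lookup, then NAT, then crypto map ACL check. It shows why ACL YYJ has to name the translated address 1.1.1.1 rather than 11.11.11.11, and what the Loopback11 route contributes; the function and variable names are hypothetical.

```python
# Simplified model (assumption): classic IOS handles an inside-to-outside packet as
# route lookup -> NAT -> crypto map ACL check. Addresses are taken from the lab post.
from ipaddress import ip_address, ip_network

# Connected networks on R3 plus the /32 supplied by Loopback11.
ROUTES = ["10.0.34.0/24", "10.0.23.0/24", "11.11.11.11/32"]
# "ip nat outside source static 1.1.1.1 11.11.11.11": outside local -> outside global.
NAT_OUTSIDE_SRC = {"11.11.11.11": "1.1.1.1"}
# "permit ip host 10.0.34.2 host 1.1.1.1" in ACL YYJ.
CRYPTO_ACL_YYJ = [("10.0.34.2", "1.1.1.1")]


def forward(src, dst, routes=ROUTES, nat=NAT_OUTSIDE_SRC, acl=CRYPTO_ACL_YYJ):
    """Return (verdict, src, dst) for a packet arriving on the 'ip nat inside' side."""
    src, dst = str(ip_address(src)), str(ip_address(dst))
    # 1. Routing sees the pre-NAT destination, so 11.11.11.11 must be routable.
    if not any(ip_address(dst) in ip_network(r) for r in routes):
        return ("host-unreachable", src, dst)
    # 2. NAT rewrites the destination to the real address behind the peer.
    dst = nat.get(dst, dst)
    # 3. The crypto ACL is matched against the translated packet. A miss means the
    #    packet is not selected for IPsec and is forwarded unprotected.
    verdict = "encrypt" if (src, dst) in acl else "cleartext"
    return (verdict, src, dst)


if __name__ == "__main__":
    # Config as posted: translated, then matched by YYJ.
    print(forward("10.0.34.2", "11.11.11.11"))
    # Constructed mistake: ACL written with the pre-NAT address.
    print(forward("10.0.34.2", "11.11.11.11", acl=[("10.0.34.2", "11.11.11.11")]))
    # Constructed mistake: no route for the NAT address (Loopback11 removed).
    print(forward("10.0.34.2", "11.11.11.11", routes=ROUTES[:2]))
```

The "cleartext" case is the one to check for in a real deployment: a crypto ACL written against the pre-NAT address never matches, so the traffic is not protected by the tunnel.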
01-27-2015 03:03 PM
I got this working in the lab on IOS, but I can't get it working in production using IOS-XE.
Does anyone have any thoughts on this?