ASR1k 1 to 1 NAT before sending traffic into policy based tunnel to ASA

nathan_pease
Level 1

I have an ASR1001 that is terminating a policy-based tunnel to an ASA. By policy-based I mean there is no tunnel interface, just crypto map configuration. I need to do a 1-for-1 NAT translation from one private IP to another private IP for about 30 servers behind the ASA.

The ASR 1001 is not currently doing any NAT for any traffic, and it does not need to do dynamic PAT to allow traffic to the internet, since it only sends traffic over tunnels and nothing ever needs to get routed to a public IP.

I am assuming this will be some kind of NAT configuration that possibly involves a route-map and is then maybe applied to the crypto map somehow, but I have not been able to find any good examples of what I am trying to do on the internet.

Can anyone help me figure out how to do this config? 

2 Replies

nathan_pease
Level 1

So I have finally got this working in a lab after much experimentation. Here is what my lab topology looks like:


host 10.0.34.2 ---------R3--------policy based VPN tunnel-------R1-----host 1.1.1.1


I want host 10.0.34.2 to be able to ping 11.11.11.11 and have R3 translate that to 1.1.1.1 before sending it into the policy-based tunnel.

Here is the config that I came up with to make that work: 

R3
ip nat inside source static 1.1.1.1 11.11.11.11
ip nat outside source static 1.1.1.1 11.11.11.11
!

interface Loopback11
! Without this the router sends a host unreachable
 ip address 11.11.11.11 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 10.0.34.1 255.255.255.0
 ip nat inside
 ...
!
!
interface GigabitEthernet1/0
 ip address 10.0.23.1 255.255.255.0
 ip nat outside
 crypto map PDX
 ...
!
ip access-list extended YYJ
 permit ip host 10.0.34.2 host 1.1.1.1
!
!
crypto map PDX 1 ipsec-isakmp
...
...
 match address YYJ
 reverse-route static

Does anyone have any thoughts on improving this config? 

I got this working in the lab on IOS, but I can't get it working in production using IOS XE.

Does anyone have any thoughts on this?
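The reason the posted config works is the inside-to-outside processing order on IOS: the router does the route lookup on the original destination (so 11.11.11.11 needs a route, hence the loopback), then applies NAT (outside source static rewrites 11.11.11.11 to 1.1.1.1), and only then evaluates the crypto map ACL, which is why YYJ has to reference the post-NAT address 1.1.1.1 rather than 11.11.11.11. A crypto ACL written against the pre-NAT address never matches, and traffic that matches no crypto ACL leaves the outside interface in cleartext rather than being dropped. The following Python model of that order of operations is an added illustration, not code from the thread or from Cisco; the `OutsideSourceStatic`, `AclEntry` and `egress_path` names are assumptions, and it deliberately models only the two static translations and the single crypto ACL used in the lab, not full IOS NAT.

```python
"""Model of the IOS inside-to-outside order of operations behind the posted
config: route lookup, then NAT, then crypto-map ACL match.

Added illustration, not code from the thread. The rule/ACL representation
here is hypothetical and minimal; it is not a full NAT implementation.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class OutsideSourceStatic:
    """Models 'ip nat outside source static <outside-global> <outside-local>'."""
    outside_global: str  # real address of the remote host (1.1.1.1)
    outside_local: str   # address inside hosts use to reach it (11.11.11.11)


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip <src> <dst>' line; host entries are written as /32."""
    src: str
    dst: str


def nat_inside_to_outside(pkt, rules):
    """Inside -> outside: a destination equal to an outside-local address is
    rewritten to the matching outside-global address."""
    for r in rules:
        if pkt.dst == r.outside_local:
            return Packet(pkt.src, r.outside_global)
    return pkt


def nat_outside_to_inside(pkt, rules):
    """Outside -> inside (after decryption): a source equal to an outside-global
    address is rewritten back to the outside-local address."""
    for r in rules:
        if pkt.src == r.outside_global:
            return Packet(r.outside_local, pkt.dst)
    return pkt


def acl_matches(pkt, acl):
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return any(s in ipaddress.ip_network(e.src) and d in ipaddress.ip_network(e.dst)
               for e in acl)


def egress_path(pkt, routes, rules, crypto_acl):
    """Return (outcome, post-NAT packet), outcome one of
    'unreachable' (no route for the pre-NAT destination),
    'encrypted'   (post-NAT packet matched the crypto ACL),
    'cleartext'   (no crypto ACL matched: sent unencrypted)."""
    if not any(ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(r) for r in routes):
        return "unreachable", pkt          # route lookup happens before NAT
    translated = nat_inside_to_outside(pkt, rules)
    if acl_matches(translated, crypto_acl):
        return "encrypted", translated     # crypto map sees the translated packet
    return "cleartext", translated


# Constructed lab values, taken from the topology in the post above.
NAT_RULES = [OutsideSourceStatic("1.1.1.1", "11.11.11.11")]
CRYPTO_ACL_YYJ = [AclEntry("10.0.34.2/32", "1.1.1.1/32")]      # post-NAT, as posted
PRE_NAT_ACL = [AclEntry("10.0.34.2/32", "11.11.11.11/32")]     # pre-NAT: the common mistake
ROUTES_WITH_LOOPBACK = ["10.0.34.0/24", "10.0.23.0/24", "11.11.11.11/32", "1.1.1.1/32"]
ROUTES_WITHOUT_LOOPBACK = ["10.0.34.0/24", "10.0.23.0/24", "1.1.1.1/32"]  # 1.1.1.1/32 via RRI


def demo():
    """Run the ping from the post through the three configurations and model
    the return path. Returns ({name: (outcome, packet)}, translated_reply)."""
    ping = Packet("10.0.34.2", "11.11.11.11")
    results = {
        "posted": egress_path(ping, ROUTES_WITH_LOOPBACK, NAT_RULES, CRYPTO_ACL_YYJ),
        "no_loopback": egress_path(ping, ROUTES_WITHOUT_LOOPBACK, NAT_RULES, CRYPTO_ACL_YYJ),
        "pre_nat_acl": egress_path(ping, ROUTES_WITH_LOOPBACK, NAT_RULES, PRE_NAT_ACL),
    }
    reply = nat_outside_to_inside(Packet("1.1.1.1", "10.0.34.2"), NAT_RULES)
    return results, reply


if __name__ == "__main__":
    res, rep = demo()
    for name, (outcome, pkt) in res.items():
        print(f"{name:12s} {outcome:12s} {pkt.src} -> {pkt.dst}")
    print(f"reply        translated   {rep.src} -> {rep.dst}")
```

The practical check this gives you: whenever a NAT rule and a crypto map share an interface, write the crypto ACL from the perspective of the packet after translation, and confirm with `show crypto ipsec sa` that the encaps counters increase for the flow; if they stay at zero while the host still gets replies, the traffic is going out the outside interface in the clear.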