Can I use the public peer address as a PAT or NAT address also?

jkeeffe
Level 2

Using an ASA-5505, I only have private IPs on the local LAN and one public IP address from my ISP for the peer address. Can I use that same peer IP address as a PAT or NAT for my internal local private IPs?  The remote VPN location policy is to not allow private IP address on to their local network, so they want public addresses from me. If that is possible, could you please show me a simple 5505 config example using the following IPs? (I don't need the IPSec config, only the ACL/NAT config)

I have four hosts that need to access a device at the remote location via an IPSec tunnel.  They are:

local hosts:

192.168.2.10, 11, 12, 13

Say my public peer address is 205.188.15.34 and the remote peer is 175.10.144.52

remote host:

168.12.10.6

thanks for any help.

Accepted Solution

Jon Marshall
Hall of Fame

jkeeffe wrote:

Using an ASA-5505, I only have private IPs on the local LAN and one public IP address from my ISP for the peer address. Can I use that same peer IP address as a PAT or NAT for my internal local private IPs?  The remote VPN location policy is to not allow private IP address on to their local network, so they want public addresses from me. If that is possible, could you please show me a simple 5505 config example using the following IPs? (I don't need the IPSec config, only the ACL/NAT config)

I have four hosts that need to access a device at the remote location via an IPSec tunnel.  They are:

local hosts:

192.168.2.10, 11, 12, 13

Say my public peer address is 205.188.15.34 and the remote peer is 175.10.144.52

remote host:

168.12.10.6

thanks for any help.

Yes you can do this.

object-group network localhosts
 network-object host 192.168.2.10
 network-object host 192.168.2.11
 network-object host 192.168.2.12
 network-object host 192.168.2.13

access-list VPN permit ip object-group localhosts host 168.12.10.6

nat (inside) 1 access-list VPN
global (outside) 1 interface

crypto-map access-list would then look like this -

access-list VPNTRAFFIC permit ip host 205.188.15.34 host 168.12.10.6

One thing to note. The NAT example above is policy NAT, i.e. if the source is 192.168.2.10 -> 13 and the destination is 168.12.10.6 then NAT the source to the public IP 205.188.15.34. However you may already have something like this in your config -

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

i.e. you are NATing all your private addresses to the public interface address for general internet access. If you do have this then there is no need to do policy NAT and you could miss out these lines as the source addresses will be NATed anyway -

object-group network localhosts
 network-object host 192.168.2.10
 network-object host 192.168.2.11
 network-object host 192.168.2.12
 network-object host 192.168.2.13

access-list VPN permit ip object-group localhosts host 168.12.10.6

nat (inside) 1 access-list VPN
global (outside) 1 interface

Jon




I have one other VPN connection through this ASA. Will your example plug right into what is already there? Here is the other VPN config:

crypto isakmp identity address

crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
exit

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
sysopt connection permit-ipsec

tunnel-group 218.151.3.111 type ipsec-l2l
tunnel-group 218.151.3.111 ipsec-attributes
 pre-shared-key xxxxxxxxx
 isakmp keepalive disable
exit

access-list IMAGE extended permit ip host 10.12.203.3 160.14.0.0 255.255.0.0

access-list NAT1 extended permit ip host 192.168.2.10 160.14.0.0 255.255.0.0
static (inside,outside) 10.12.203.3 access-list NAT1 0 0

crypto map outside1_map 20 match address IMAGE
crypto map outside1_map 20 set peer 218.151.3.111
crypto map outside1_map 20 set transform-set ESP-3DES-MD5
crypto map outside1_map 20 set security-association lifetime seconds 3600

jkeeffe wrote:

I have one other VPN connection through this ASA. Will your example plug right into what is already there? Here is the other VPN config:

crypto isakmp identity address

crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
exit

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
sysopt connection permit-ipsec

tunnel-group 218.151.3.111 type ipsec-l2l
tunnel-group 218.151.3.111 ipsec-attributes
 pre-shared-key xxxxxxxxx
 isakmp keepalive disable
exit

access-list IMAGE extended permit ip host 10.12.203.3 160.14.0.0 255.255.0.0

access-list NAT1 extended permit ip host 192.168.2.10 160.14.0.0 255.255.0.0
static (inside,outside) 10.12.203.3 access-list NAT1 0 0

crypto map outside1_map 20 match address IMAGE
crypto map outside1_map 20 set peer 218.151.3.111
crypto map outside1_map 20 set transform-set ESP-3DES-MD5
crypto map outside1_map 20 set security-association lifetime seconds 3600

The two should not conflict with each other as each has a separate crypto map access-list, so you should be okay.

Jon
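As an added illustration (not part of the thread and not Cisco code) of the two points Jon makes, that the crypto-map ACL must name the translated public address and that the two VPNs do not conflict: a small Python model of the ASA's outbound order of operations, NAT first, then the crypto-map match against the translated source. The NAT rule ordering, the `translate`/`crypto_entry` helpers and the host 160.14.5.5 are my assumptions, simplified from the 8.2-style commands in the thread.

```python
import ipaddress

OUTSIDE_IF = "205.188.15.34"  # public peer address from the question; also the PAT address
LOCAL_HOSTS = ["192.168.2.10", "192.168.2.11", "192.168.2.12", "192.168.2.13"]

def match(ip, spec):
    """spec is a list of host addresses or a network in CIDR form."""
    if isinstance(spec, list):
        return ip in spec
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

# NAT table in the order this model (assumed, after 8.2-style behaviour) consults it:
# static NAT first, then policy NAT (nat ... access-list), then the general nat/global pair.
NAT_RULES = [
    # static (inside,outside) 10.12.203.3 access-list NAT1            (the existing VPN)
    {"src": ["192.168.2.10"], "dst": "160.14.0.0/16", "xlate": "10.12.203.3"},
    # nat (inside) 1 access-list VPN + global (outside) 1 interface   (Jon's policy NAT)
    {"src": LOCAL_HOSTS, "dst": "168.12.10.6/32", "xlate": OUTSIDE_IF},
    # nat (inside) 1 0.0.0.0 0.0.0.0 + global (outside) 1 interface  (general PAT)
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "xlate": OUTSIDE_IF},
]

# Crypto-map match ACLs, written with the translated source as Jon's answer requires.
CRYPTO_ACLS = {
    "IMAGE (peer 218.151.3.111)": ("10.12.203.3/32", "160.14.0.0/16"),
    "VPNTRAFFIC (peer 175.10.144.52)": ("205.188.15.34/32", "168.12.10.6/32"),
}

def translate(src, dst):
    """Source address as seen on the outside interface after the first matching NAT rule."""
    for rule in NAT_RULES:
        if match(src, rule["src"]) and match(dst, rule["dst"]):
            return rule["xlate"]
    return src  # no rule matched: this model leaves the source untranslated

def crypto_entry(src, dst):
    """Return (crypto map entry or None, translated source) for an outbound flow."""
    xsrc = translate(src, dst)
    for name, (acl_src, acl_dst) in CRYPTO_ACLS.items():
        if match(xsrc, acl_src) and match(dst, acl_dst):
            return name, xsrc
    return None, xsrc  # not interesting traffic: it leaves in the clear via the PAT address

if __name__ == "__main__":
    for src, dst in [("192.168.2.10", "168.12.10.6"), ("192.168.2.10", "160.14.5.5"),
                     ("192.168.2.11", "160.14.5.5")]:  # 160.14.5.5 is a constructed host
        print(src, "->", dst, "=>", crypto_entry(src, dst))
```

The third flow shows the caveat: only 192.168.2.10 is covered by the existing static, so another local host sent to 160.14.0.0/16 is PATed to the interface address and matches neither crypto-map entry.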