How to configure Hide NAT on an ASA firewall

shivaram840
Level 1

Hi Friends, 

I am facing a big problem establishing a tunnel between two sites.

My office network is 10.210.23.0/24.

My customer's network uses 10.0.0.0/8, and the customer has proposed to make a tunnel between these two sites.

My office firewall is an ASA 5520, IOS 8.2.

My customer's firewall is a Checkpoint FW-1 (NGX) 6.1.

If I make a tunnel between these two sites, a network conflict occurs.

My client has suggested doing Hide NAT on the ASA (the client's mail says: "Since we also use the 10.210.*.* network, can you please NAT your traffic behind a Hide NAT and provide us the IP.")

How do I overcome this issue? We need access from both ends.

Thanks,

Shiva


11 Replies

shivaram840
Level 1

Please help me out, friends.

Dina Odeh
Level 1

Hi Shiva, 

First you need to NAT your internal network, 10.210.23.0/24, to another subnet only when it communicates with the remote network.

I mean you can create a NAT statement on the ASA that says: please NAT 10.210.23.0/24 to 192.168.33.0/24, for example, when it communicates with 10.0.0.0/8.

This can be done as follows:

1- Create an ACL on the ASA:

access-list vpn permit ip 10.210.23.0 255.255.255.0 10.0.0.0 255.0.0.0

2- Add a policy static NAT:

static (in,out) 192.168.33.0 access-list vpn

Hi Dina,

Thanks for your reply.

I have successfully configured policy NAT and am able to ping from both ends using the NATed IPs,

but the client is facing some issues while accessing the servers on a port.

For example, the client is able to ping my side IP (10.210.23.233; the NATted IP is 192.168.33.233), but when he tries to access 192.168.33.233:7777 (10.210.23.233:7777), they are unable to access the network.

We are getting an error while accessing, like:

"Portmap Translation Creation Failed"

Please find the attachment; please help me with this one.

 

The error messages come from ping packets to 10.4.56.10 and are not related to TCP/7777 traffic. 10.4.56.10 seems to be routed incorrectly to the internal zone.

Hi Peter,

Thanks for your reply .

We are able to ping both sides, but when we access using the port (192.168.200.233:7777)

we are facing an issue and are not able to connect.

shivaram840
Level 1

Hi Dina,

Thank you so much for your suggestion 

But on the remote side, which network should I give them? 192.168.33.0/24?

And we need two-way communication.

Yes, you should give them the 192.168.33.0/24 subnet.

You will have two-way communication. The issue will only be seen if you have the 10.210.23.0/24 subnet on the other side, and here the issue will be seen only with this subnet, not all of them.

Hi Dina, 

On the other side they are using the 10.210.23.0/24 network. But when I give them the 192.168.33.0/24 network,

for example, if they want to hit the 10.210.23.100 server in my premises, how will they access this server?

Using the 192.168.33.0/24 network?

How does the firewall identify 10.210.23.100 if they hit 192.168.33.100?

Do we need to do static NAT for each server?

Thanks,

Shiva 

Hi, 

No. As per the config we agreed on previously:

1- Create an ACL on the ASA:

access-list vpn permit ip 10.210.23.0 255.255.255.0 10.0.0.0 255.0.0.0

2- Add a policy static NAT:

static (in,out) 192.168.33.0 access-list vpn

Server 10.210.23.100 will be accessed by IP 192.168.33.100.

Server 10.210.23.33 will be accessed by IP 192.168.33.33.

And so on....
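The net-to-net policy static NAT given above (the ACL plus the single `static` entry) and the host-by-host mapping it produces (10.210.23.100 reachable as 192.168.33.100, and so on) can be modelled in a few lines so you can check expected translations before touching the firewall. The Python below is an added illustration written for this thread, not code from any of the posters and not an ASA config parser; it assumes the three subnets quoted in the thread and models the ASA behaviour that a net-to-net `static` entry is bidirectional, preserves the host bits, and leaves ports unchanged. It also encodes the caveat from the accepted answer: a customer host that itself sits in 10.210.23.0/24 cannot use the mapping, because the reply to that source address is delivered on the local LAN instead of through the tunnel.

```python
"""Model of the ASA 8.2 net-to-net policy static NAT discussed in this thread.

Added example (not the posters' code). Subnet values are the ones quoted in
the thread; the translation rules model standard ASA static NAT behaviour.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed from the thread: real inside subnet, the mapped ("hide") subnet
# chosen for it, and the customer's address space the policy ACL matches.
LOCAL_REAL = ipaddress.ip_network("10.210.23.0/24")
LOCAL_MAPPED = ipaddress.ip_network("192.168.33.0/24")
REMOTE = ipaddress.ip_network("10.0.0.0/8")

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def _remap(addr: ipaddress.IPv4Address,
           src_net: ipaddress.IPv4Network,
           dst_net: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """Move addr from src_net into dst_net keeping the host bits.

    This is what a net-to-net static does: 10.210.23.100 -> 192.168.33.100.
    Both networks must be the same size, otherwise host bits would not fit.
    """
    assert src_net.prefixlen == dst_net.prefixlen, "net-to-net NAT needs equal-size subnets"
    host_bits = int(addr) - int(src_net.network_address)
    return ipaddress.IPv4Address(int(dst_net.network_address) + host_bits)


def translate_outbound(flow: Flow) -> Flow:
    """Policy static NAT seen from inside -> outside.

    Only flows matching the ACL (src in LOCAL_REAL, dst in REMOTE) get their
    source rewritten; anything else leaves untouched. Ports never change.
    """
    src, sport, dst, dport = flow
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in LOCAL_REAL and d in REMOTE:
        return (str(_remap(s, LOCAL_REAL, LOCAL_MAPPED)), sport, dst, dport)
    return flow


def translate_inbound(flow: Flow) -> Optional[Flow]:
    """The same static entry seen from outside -> inside.

    A customer host connecting to a mapped address reaches the real server on
    the same port, so 192.168.33.100:7777 lands on 10.210.23.100:7777 without
    any per-server static. Returns None when the entry does not apply.
    """
    src, sport, dst, dport = flow
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in REMOTE and d in LOCAL_MAPPED:
        return (src, sport, str(_remap(d, LOCAL_MAPPED, LOCAL_REAL)), dport)
    return None


def conflict_check() -> Dict[str, bool]:
    """Checks to run before committing the NAT.

    The real subnet overlapping the customer's space is the reason NAT is
    needed; the mapped subnet must overlap neither the customer's space nor
    the real subnet, or the translation is ambiguous.
    """
    return {
        "real_overlaps_remote": LOCAL_REAL.overlaps(REMOTE),
        "mapped_overlaps_remote": LOCAL_MAPPED.overlaps(REMOTE),
        "mapped_overlaps_real": LOCAL_MAPPED.overlaps(LOCAL_REAL),
    }


def remote_host_can_reach_us(remote_ip: str) -> bool:
    """The caveat from the accepted answer.

    A customer host in 10.0.0.0/8 can use the mapping, except when it sits in
    10.210.23.0/24 itself: our servers would answer such a source on the
    local LAN, so the reply never goes back through the tunnel.
    """
    r = ipaddress.ip_address(remote_ip)
    return r in REMOTE and r not in LOCAL_REAL


if __name__ == "__main__":
    # Constructed flows: the server from the thread and a customer host.
    print(translate_outbound(("10.210.23.233", 40000, "10.4.56.10", 7777)))
    print(translate_inbound(("10.4.56.10", 51000, "192.168.33.100", 7777)))
    print(conflict_check())
    print(remote_host_can_reach_us("10.4.56.10"), remote_host_can_reach_us("10.210.23.50"))
```

The outbound and inbound functions are two views of one translation entry, which is why no per-host `static` lines are needed: a /24-to-/24 static is one-to-one by construction. On the ASA itself the live mappings can be compared against this model with `show xlate` after the first tunnel traffic has passed.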

Thank you so much, Dina,

but here I have a small query, which is:

if I hit 192.168.33.100 to reach the server 10.210.23.100,

does that work by default, or shall I do one-to-one NAT (static NAT)?