767 Views, 0 Helpful, 4 Replies

Ipsec VPN running but need to configure NAT

rweissonm (Level 1)

I just established an IPsec VPN with one of our providers. The VPN gets established, but one of the IPs in my LAN is in conflict with a device on my provider's side. I'm trying to configure NAT to avoid the conflict, but I'm clueless on the steps to do it.

This is part of my current configuration:

object-group network customer_outside
 network-object X.X.X.X 255.255.255.248
object-group network customer_inside
 network-object 192.168.1.210 255.255.255.255
 network-object 192.168.1.25 255.255.255.255   ! conflicting IP
 network-object 192.168.1.38 255.255.255.255
access-list customer_acl extended permit ip object-group customer_outside object-group customer_inside
crypto ipsec transform-set customer_ts esp-3des esp-sha-hmac
crypto map customer 10 match address customer_acl
crypto map customer 10 set peer Y.Y.Y.Y
crypto map customer 10 set transform-set customer_ts
crypto map customer 10 set security-association lifetime seconds 3600
crypto map customer interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group Y.Y.Y.Y type ipsec-l2l
tunnel-group Y.Y.Y.Y ipsec-attributes
 pre-shared-key *

Thanks for your help.

Accepted Solution

Hello Rafael,

You can do it with a policy NAT:

access-list TEST extended permit ip host 192.168.1.25 X.X.X.X 255.255.255.248
static (inside,outside) 192.168.20.25 access-list TEST

As NAT takes place before the crypto for the VPN traffic, you will need to include in the crypto ACL the traffic from the NATed IP address (in this case 192.168.20.25).

Regards,

Do rate all the helpful posts

Julio

Security Engineer

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


4 Replies

cvoller.agmc (Level 1)

What is the version of the ASA? Is it greater than 8.3, and could you NAT the IP to an outside IP, or do you have an IP that you would like to use?

The ASA version is 8.2(1) and I just want to NAT it to a private IP like 192.168.20.25, etc.


Julio:

Thanks for the help, the VPN is working now. Only one thing I have to add: at the beginning, it took me a while to make it work until I found there was a NAT exemption rule that overruled the static command; once I removed the exception, everything worked as I wanted.

Regards,

Rafael
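Pulling the accepted answer and Rafael's exemption gotcha together, here is an added ASA 8.2 configuration example (not taken from the thread or from Cisco documentation). The translated address 192.168.20.25 and the provider subnet X.X.X.X/29 follow the thread; the NAT-exemption ACL name NONAT is a placeholder.

```cisco
! Added example (not from the thread). ASA 8.2, pre-8.3 NAT syntax.
! Assumed: inside host 192.168.1.25 overlaps with a device on the provider
! side, so it is presented to the tunnel as 192.168.20.25; X.X.X.X/29 is the
! provider subnet already defined in object-group customer_outside.
!
! 1. Policy NAT: translate 192.168.1.25 only for traffic to the provider subnet
access-list TEST extended permit ip host 192.168.1.25 X.X.X.X 255.255.255.248
static (inside,outside) 192.168.20.25 access-list TEST
!
! 2. Crypto ACL: NAT is applied before the crypto-map match, so the object
!    group used by customer_acl must carry the translated address, not the
!    real one
object-group network customer_inside
 no network-object 192.168.1.25 255.255.255.255
 network-object host 192.168.20.25
!
! 3. On 8.2, NAT exemption (nat 0 access-list) wins over static NAT. If an
!    exemption ACL also matches this host toward the provider, the static is
!    never used and the real address is sent into the tunnel. Remove any such
!    entry; NONAT is a placeholder name for the exemption ACL.
! no access-list NONAT extended permit ip host 192.168.1.25 X.X.X.X 255.255.255.248
!
! 4. Verify after sending traffic from 192.168.1.25 to the provider subnet
! show xlate | include 192.168.20.25
! show crypto ipsec sa peer Y.Y.Y.Y
```

The provider must expect 192.168.20.25 in its own crypto ACL and routing, since that is the only address it will ever see for this host.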
