03-02-2012 01:41 PM - edited 02-21-2020 05:55 PM
I just established an IPsec VPN with one of our providers. The VPN gets established, but one of the IPs in my LAN conflicts with a device on my provider's side. I'm trying to configure NAT to avoid the conflict, but I'm clueless about the steps to do it.
This is part of my current configuration
object-group network customer_outside
network-object X.X.X.X 255.255.255.248
object-group network customer_inside
network-object 192.168.1.210 255.255.255.255
network-object 192.168.1.25 255.255.255.255 -> conflicting IP
network-object 192.168.1.38 255.255.255.255
access-list customer_acl extended permit ip object-group customer_outside object-group customer_inside
crypto ipsec transform-set customer_ts esp-3des esp-sha-hmac
crypto map customer 10 match address customer_acl
crypto map customer 10 set peer Y.Y.Y.Y
crypto map customer 10 set transform-set customer_ts
crypto map customer 10 set security-association lifetime seconds 3600
crypto map customer interface outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group Y.Y.Y.Y type ipsec-l2l
tunnel-group Y.Y.Y.Y ipsec-attributes
pre-shared-key *
Thanks for your help.
03-05-2012 04:57 PM
Hello Rafael,
You can do it with a policy nat:
access-list TEST permit ip host 192.168.1.25 X.X.X.X 255.255.255.248
static (inside,outside) 192.168.20.25 access-list TEST
As NAT is applied before the crypto check for the VPN traffic, you will need to include in the crypto ACL the traffic from the NATted IP address (in this case 192.168.20.25).
Regards,
Do rate all the helpful posts
Julio
Security Engineer
03-03-2012 07:26 PM
What is the version of the ASA? Is it greater than 8.3, and could you NAT the IP to an outside IP, or do you have an IP that you would like to use?
Sent from Cisco Technical Support iPad App
03-04-2012 07:21 PM
The ASA version is 8.2(1) and I just want to NAT it to a private IP like 192.168.20.25, etc.
03-13-2012 08:33 AM
Julio:
Thanks for the help, the VPN is working now. Only one thing I have to add: at the beginning it took me a while to make it work, until I found there was a NAT exemption rule that overrode the static command. Once I removed the exemption, everything worked as I wanted.
Regards,
Rafael
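Putting Julio's answer and Rafael's follow-up together, here is an added end-state configuration in ASA 8.2 syntax. It is not Julio's or Rafael's own config: X.X.X.X/29 and Y.Y.Y.Y are the thread's placeholders, 192.168.20.25 is the translated address Rafael chose, and the NONAT ACL name plus the assumption that the other VPN hosts also need a NAT exemption are mine.

```cisco
! Added example (ASA 8.2 syntax), not the configuration posted in this thread.
! X.X.X.X 255.255.255.248 = provider subnet, Y.Y.Y.Y = peer (thread placeholders).

! 1. Policy NAT: translate 192.168.1.25 to 192.168.20.25 only when the
!    destination is the provider's subnet; all other traffic from .25 is untouched.
access-list TEST extended permit ip host 192.168.1.25 X.X.X.X 255.255.255.248
static (inside,outside) 192.168.20.25 access-list TEST

! 2. Crypto ACL: NAT runs before the crypto match, so the tunnel must select
!    the translated source. Local addresses are the source, remote the destination.
object-group network customer_outside
 network-object X.X.X.X 255.255.255.248
object-group network customer_inside
 network-object 192.168.1.210 255.255.255.255
 network-object 192.168.20.25 255.255.255.255
 network-object 192.168.1.38 255.255.255.255
access-list customer_acl extended permit ip object-group customer_inside object-group customer_outside
crypto map customer 10 match address customer_acl
crypto map customer 10 set peer Y.Y.Y.Y

! 3. NAT exemption has the highest priority in the ASA 8.2 NAT order. If the
!    nat 0 ACL also matches 192.168.1.25 -> X.X.X.X/29, the exemption wins and
!    the static above never fires (the trap Rafael describes).
!    Weak (commented out): exemption covers the conflicting host
!   access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 X.X.X.X 255.255.255.248
!    Corrected: exempt only the hosts that keep their real address
access-list NONAT extended permit ip host 192.168.1.210 X.X.X.X 255.255.255.248
access-list NONAT extended permit ip host 192.168.1.38 X.X.X.X 255.255.255.248
nat (inside) 0 access-list NONAT

! 4. Verification (read-only commands; X.X.X.1 is a placeholder host on the provider side)
! packet-tracer input inside tcp 192.168.1.25 12345 X.X.X.1 443
!   -> the NAT phase should show the static translation to 192.168.20.25,
!      followed by a VPN phase; a NAT exemption hit here means step 3 is still wrong
! show xlate | include 192.168.20.25
! show crypto ipsec sa peer Y.Y.Y.Y
```

The provider's side must mirror the change: their crypto ACL (proxy IDs) has to reference 192.168.20.25 instead of 192.168.1.25, otherwise phase 2 fails on a proxy-ID mismatch even though phase 1 comes up.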