02-03-2014 02:54 AM
Cisco ASA (Site-A) with 2 L2L VPNs (let's call them Site-B and Site-C)
I need to "inbound-NAT" the network of Site-C.
Let me better explain:
- Site-B (10.14.63.0/24) only accepts traffic from the LAN of Site-A (10.1.6.0/24), and I cannot change the VPN.
- Now I have connected Site-C to Site-A, and this should also communicate with Site-B.
- So I thought I have to NAT the network of Site-C (10.168.3.0/24) in order to present it with an IP of Site-A.
Possible?
And how do I configure the ASA in Site-A?
Thanks
Claudio
02-03-2014 03:06 AM
Hi,
What is the software level on the Site A ASA?
- Jouni
02-03-2014 03:09 AM
Uhmm,
Did you click the wrong button, as I didn't answer anything yet?
- Jouni
02-03-2014 03:10 AM
It will be a brand new one (9.1.x).
Now there is a Zywall I want to replace
02-03-2014 03:19 AM
Hi,
So there is no ASA at the moment on Site A?
Well, if we are to look at the NAT configuration needed for the connections from one L2L VPN to the other L2L VPN, then it would probably look something like this:
object network SITE-C
subnet 10.168.3.0 255.255.255.0
object network SITE-B
subnet 10.14.63.0 255.255.255.0
object network SITE-A-PAT
host 10.1.6.x
nat (outside,outside) source dynamic SITE-C SITE-A-PAT destination static SITE-B SITE-B
For the PAT IP address you should naturally choose an IP address that is not currently in use on any device and is reserved only for this purpose.
You would also need this command on Site A ASA
same-security-traffic permit intra-interface
The purpose of the above command is that the traffic can move from "outside" to "outside" which in this case would be the traffic going from one L2L VPN to the other L2L VPN.
You would also need to configure the Crypto ACL between Site A and Site C so that Site A has the Site B as source and Site C has Site B as destination so that the traffic is forwarded to Site A first.
In the ACL form it would be for example
access-list L2LVPN permit ip 10.168.3.0 255.255.255.0 10.14.63.0 255.255.255.0
You would naturally have to have the ACL statement for the Site A <-> Site C traffic too. The above is just the one needed to forward traffic from Site C to Site A.
Hope this helps
- Jouni
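An added example, not code from the thread or from Cisco: a short Python model of the Site-C to Site-B hairpin walked through in Jouni's answer, using a constructed PAT address 10.1.6.250 in place of the "10.1.6.x" placeholder. It shows why both pieces are needed: without the twice NAT the untranslated Site-C source never matches the unchangeable Site-B crypto ACL, and without the intra-interface permit the outside-to-outside hop is refused.

```python
# Added example (not from the thread): a small model of the Site-C -> Site-B
# hairpin described in the answer, showing why the twice NAT and the
# intra-interface permit are both needed for a packet that arrives on the
# Site-C tunnel to leave again on the Site-B tunnel.
from ipaddress import ip_address, ip_network

# Prefixes from the thread. PAT_HOST is a constructed stand-in for the
# "10.1.6.x" placeholder; it must be a free address in Site-A's LAN.
SITE_A = ip_network("10.1.6.0/24")
SITE_B = ip_network("10.14.63.0/24")
SITE_C = ip_network("10.168.3.0/24")
PAT_HOST = ip_address("10.1.6.250")

# Crypto ACLs on the Site-A ASA as (source, destination) pairs.
# The Site-B tunnel cannot be changed and only covers Site-A's own LAN;
# the Site-C tunnel gets the extra Site-B <-> Site-C entry from the answer.
CRYPTO_ACL = {
    "to-site-b": [(SITE_A, SITE_B)],
    "to-site-c": [(SITE_A, SITE_C), (SITE_B, SITE_C)],
}

def acl_matches(acl, src, dst):
    return any(src in s and dst in d for s, d in acl)

def twice_nat(src, dst, enabled):
    """Model of 'nat (outside,outside) source dynamic SITE-C SITE-A-PAT
    destination static SITE-B SITE-B': only Site-C -> Site-B is translated."""
    if enabled and src in SITE_C and dst in SITE_B:
        return PAT_HOST
    return src

def forward(src, dst, nat_enabled=True, intra_interface=True):
    """Walk one packet from Site-C through the Site-A ASA. Returns (verdict,
    source address seen by the far end); verdict is the egress or a drop reason."""
    src, dst = ip_address(src), ip_address(dst)
    # 1. Inbound decrypt: the Site-C tunnel's ACL (mirrored) must cover the flow.
    if not acl_matches([(d, s) for s, d in CRYPTO_ACL["to-site-c"]], src, dst):
        return "dropped: not in Site-C crypto ACL", src
    if dst in SITE_A:               # plain Site-C -> Site-A LAN traffic, no hairpin
        return "inside", src
    # 2. Both tunnels terminate on 'outside', so the hairpin needs
    #    'same-security-traffic permit intra-interface'.
    if not intra_interface:
        return "dropped: outside-to-outside not permitted", src
    # 3. Twice NAT rewrites the source before the second encryption.
    xlated = twice_nat(src, dst, nat_enabled)
    # 4. Outbound encrypt: the translated flow must match the Site-B tunnel.
    if acl_matches(CRYPTO_ACL["to-site-b"], xlated, dst):
        return "to-site-b", xlated
    return "dropped: no tunnel for translated flow", xlated
```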
02-03-2014 04:37 AM
OK, thanks for the solution - it looks like a well-working one.
Now I just have to convince the customer to throw away his trap and put in a serious firewall (an ASA, obviously)
Claudio