L2L-VPN with inbound NAT

battanc (Level 1)

Cisco ASA (Site-A) with 2 L2L VPNs (let's call them Site-B and Site-C).

I need to "inbound-NAT" the network of Site-C.

Let me explain better:

- Site-B (10.14.63.0/24) only accepts traffic from the LAN of Site-A (10.1.6.0/24), and I cannot change the VPN.

- Now I have connected Site-C to Site-A, and it should also communicate with Site-B.

- So I thought I have to NAT the network of Site-C (10.168.3.0/24) in order to present it with an IP of Site-A.

Possible?

And how do I configure the ASA in Site-A?

Thanks

Claudio


5 Replies

Jouni Forss (VIP Alumni)

Hi,

What is the software level on the Site A ASA?

- Jouni

Uhmm,

Did you click the wrong button, as I didn't answer anything yet?

- Jouni

It will be a brand new one (9.1.x).

Now there is a Zywall I want to replace.

Hi,

So there is no ASA at the moment on Site A?

Well, if we are to look at the NAT configuration needed for the connections from one L2L VPN connection to the other L2L VPN, then it would probably look something like this:

object network SITE-C
 subnet 10.168.3.0 255.255.255.0
object network SITE-B
 subnet 10.14.63.0 255.255.255.0
object network SITE-A-PAT
 host 10.1.6.x

nat (outside,outside) source dynamic SITE-C SITE-A-PAT destination static SITE-B SITE-B

For the PAT IP address you should naturally choose an IP address that is not currently in use on any device and is reserved only for this purpose.

You would also need this command on Site A ASA

same-security-traffic permit intra-interface

The purpose of the above command is that the traffic can move from "outside" to "outside" which in this case would be the traffic going from one L2L VPN to the other L2L VPN.

You would also need to configure the Crypto ACL between Site A and Site C so that Site A has Site B as source and Site C has Site B as destination, so that the traffic is forwarded to Site A first.

In the ACL form it would be for example

access-list L2LVPN permit ip 10.168.3.0 255.255.255.0 10.14.63.0 255.255.255.0

You would naturally have to have the ACL statement for the Site A <-> Site C traffic too. The above is just the one needed to forward traffic from Site C to Site A.

Hope this helps

- Jouni
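Why the configuration above works comes down to the order in which the Site-A ASA processes a hairpinned packet: the decrypted packet from the Site-C tunnel must be allowed outside-to-outside, the twice-NAT rule rewrites its source, and only then is the Site-B tunnel's crypto ACL consulted, on the post-NAT addresses, which is why the PAT host has to fall inside the Site-A LAN that Site-B already accepts. The following is an added example, written for this page and not code from the thread or from Cisco: a small Python model of that sequence, including the xlate that lets Site-B replies return over the Site-C tunnel even though Site-B's own crypto ACL never mentions Site-C. The subnets are the thread's; the PAT host 10.1.6.250, the tunnel names "to-B"/"to-C" and the interface names are assumptions made for the example.

```python
"""Model of the hairpinned L2L-VPN flow on the Site-A ASA (added example, not Cisco code)."""
import ipaddress

NETS = {
    "SITE-A-LAN": ipaddress.ip_network("10.1.6.0/24"),
    "SITE-B": ipaddress.ip_network("10.14.63.0/24"),
    "SITE-C": ipaddress.ip_network("10.168.3.0/24"),
    "SITE-A-PAT": ipaddress.ip_network("10.1.6.250/32"),  # assumed unused host in the Site-A LAN
}

# Crypto ACLs on the Site-A ASA as (local, remote) object pairs per tunnel (names assumed).
# The Site-B tunnel cannot be changed; the Site-C tunnel additionally lists Site-B as a
# "local" network so that Site-C sends its Site-B traffic to Site-A.
CRYPTO_ACLS = {
    "to-B": [("SITE-A-LAN", "SITE-B")],
    "to-C": [("SITE-A-LAN", "SITE-C"), ("SITE-B", "SITE-C")],
}

# nat (outside,outside) source dynamic SITE-C SITE-A-PAT destination static SITE-B SITE-B
NAT_RULES = [
    {"in": "outside", "out": "outside", "src": "SITE-C", "mapped": "SITE-A-PAT", "dst": "SITE-B"},
]

XLATES = {}  # (mapped src, dst) -> real src; filled by forward flows, consulted for replies


def _tunnel(addr_local, addr_remote):
    """Name of the tunnel whose crypto ACL permits addr_local (our side) <-> addr_remote."""
    for name, entries in CRYPTO_ACLS.items():
        if any(addr_local in NETS[loc] and addr_remote in NETS[rem] for loc, rem in entries):
            return name
    return None


def trace(src, dst, *, intra_interface=True, nat_rules=NAT_RULES):
    """Return (verdict, detail, src, dst) with the addresses as the egress side sees them."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    # 1. Ingress: from the LAN, or decrypted from a tunnel whose crypto ACL covers the wire addresses.
    if s in NETS["SITE-A-LAN"]:
        ingress = "inside"
    else:
        ingress = _tunnel(d, s)
        if ingress is None:
            return ("drop", "no-ingress-crypto-acl", str(s), str(d))

    # 2. Reply to an already translated flow: the xlate restores the real destination before routing.
    real = XLATES.get((str(d), str(s)))
    if real is not None:
        d = ipaddress.ip_address(real)

    # 3. Route lookup picks the egress interface. Tunnel-to-tunnel traffic is outside -> outside
    #    and is only allowed with "same-security-traffic permit intra-interface".
    in_if = "inside" if ingress == "inside" else "outside"
    out_if = "inside" if d in NETS["SITE-A-LAN"] else "outside"
    if in_if == out_if and not intra_interface:
        return ("drop", "no-intra-interface", str(s), str(d))

    # 4. Twice NAT (first matching rule wins); a hit records the xlate for the return traffic.
    if real is None:
        for rule in nat_rules:
            if (rule["in"], rule["out"]) == (in_if, out_if) and s in NETS[rule["src"]] and d in NETS[rule["dst"]]:
                mapped = NETS[rule["mapped"]].network_address
                XLATES[(str(mapped), str(d))] = str(s)
                s = mapped
                break

    # 5. Egress: to the LAN, or into the tunnel whose crypto ACL matches the post-NAT addresses.
    if out_if == "inside":
        return ("forward", "inside", str(s), str(d))
    egress = _tunnel(s, d)
    if egress is None:
        return ("drop", "no-egress-crypto-acl", str(s), str(d))
    return ("forward", egress, str(s), str(d))


if __name__ == "__main__":
    print(trace("10.168.3.10", "10.14.63.5"))                      # Site-C host reaches Site-B as the PAT host
    print(trace("10.14.63.5", "10.1.6.250"))                       # Site-B reply is un-NATed onto the Site-C tunnel
    print(trace("10.168.3.10", "10.14.63.5", nat_rules=[]))        # without the NAT rule no tunnel accepts the flow
    print(trace("10.168.3.10", "10.14.63.5", intra_interface=False))
```

Two things the model makes visible that the configuration lines alone do not: removing the NAT rule does not produce an error, the packet simply matches no crypto ACL on the Site-B side and is dropped, which is what a missing "source dynamic" translation looks like in practice; and Site-B can never initiate a connection to Site-C, it can only answer flows that the Site-A xlate table already knows about, so the PAT host is the only address Site-B ever sees. Real replies also depend on the xlate timeout, which the model does not track.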

OK, thanks for the solution - it looks like a well-working one.

Now I just have to convince the customer to throw away his trap and put in a serious firewall (an ASA, obviously)

Claudio