NAT over VPN Tunnel

Michael Murray
Level 2

I have a question on how traffic gets matched, and in which order, for a L2L tunnel. See the attached diagram. On the ASA5520 side I have configured the 192.168.12.0/24 subnet to NAT to 10.252.43.0/24 addresses as follows:

global (outside) 1 10.252.43.0 netmask 255.255.255.0

nat (inside) 1 192.168.12.0 255.255.255.0

Now I want to send traffic from the 192.168.12.0/24 subnet to the 10.10.26.0/24 subnet over the tunnel. Which addresses do I match on the ASA5520 side of the tunnel?

I'm not sure if it should be:

access-list to_pix525 extended permit ip 192.168.12.0 255.255.255.0 10.10.26.0 255.255.255.0

or

access-list to_pix525 extended permit ip 10.252.43.0 255.255.255.0 10.10.26.0 255.255.255.0

Thanks,

-mike

Accepted Solution

Please change the nat0inside acl as follows:

access-list nat0inside extended permit ip 192.168.12.0 255.255.255.0 10.10.26.0 255.255.255.0

Everything else is fine.

--

Ramya

--please rate the solutions.

3 Replies

ramds
Level 1

Hello Mike,

You need to use the second one, but you can initiate traffic from the 5520 side only.

If you want to initiate traffic from both sides, then configure a nat exemption for the VPN traffic and use the first acl.

-

Ramya

-- Please rate the solutions

Ramya,

Thanks for the reply. I want both sides to be able to initiate traffic. Would this be the correct [truncated] configuration?

global (outside) 1 10.252.43.0 netmask 255.255.255.0
nat (inside) 1 192.168.12.0 255.255.255.0
nat (inside) 0 access-list nat0inside
access-list nat0inside extended permit ip 10.252.43.0 255.255.255.0 10.10.26.0 255.255.255.0
access-list to_pix525 extended permit ip 192.168.12.0 255.255.255.0 10.10.26.0 255.255.255.0
crypto map VPN 1 match address to_pix525
crypto map VPN interface outside

-mike

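Added example (not part of this thread, and not Cisco code): a small Python model of the pre-8.3 ASA outbound order of operations that the answers above rely on, namely that the `nat 0 access-list` exemption is checked against the real (pre-NAT) addresses first, dynamic `nat`/`global` translation happens next, and the crypto map `match address` ACL is evaluated on the packet as it leaves, i.e. post-NAT. It walks the three configurations that appear in the thread (Mike's follow-up with the exemption written on the pool addresses, Ramya's corrected exemption, and Ramya's "option 2" with no exemption) and shows why the first one never encrypts, the second works both ways, and the third only works when the 5520 side initiates. The host addresses 192.168.12.5, 192.168.12.9, 10.10.26.7 and the non-VPN destination 198.51.100.9 are constructed, and mapping a host to the pool by its host offset is a deliberate simplification (a real dynamic pool allocates addresses as flows arrive).

```python
import ipaddress


def ip(a):
    return ipaddress.ip_address(a)


def net(n):
    return ipaddress.ip_network(n, strict=False)


def acl_matches(acl, src, dst):
    """True if any (src_net, dst_net) 'permit ip' entry covers the flow."""
    return any(ip(src) in s and ip(dst) in d for s, d in acl)


class Asa:
    """Constructed model of the pre-8.3 ASA outbound processing order:
    nat 0 access-list (exemption) -> dynamic nat/global -> crypto map match.
    Not an emulation of real ASA code; only the ordering matters here."""

    def __init__(self, nat0_acl, crypto_acl, inside_net, global_net):
        self.nat0_acl = nat0_acl
        self.crypto_acl = crypto_acl
        self.inside_net = inside_net
        self.global_net = global_net
        self.xlate = {}  # global addr -> real addr, created only by outbound flows

    def _dynamic_nat(self, src):
        # Simplification: keep the host offset so the mapping is deterministic.
        offset = int(ip(src)) - int(self.inside_net.network_address)
        mapped = str(ip(int(self.global_net.network_address) + offset))
        self.xlate[mapped] = src
        return mapped

    def outbound(self, src, dst):
        """Return (source as it leaves 'outside', nat action, sent into the tunnel)."""
        if acl_matches(self.nat0_acl, src, dst):          # nat (inside) 0 access-list
            xlated, action = src, "nat0 exempt"
        elif ip(src) in self.inside_net:                  # nat (inside) 1 / global (outside) 1
            xlated, action = self._dynamic_nat(src), "dynamic nat"
        else:
            xlated, action = src, "no nat"
        # crypto map ... match address is evaluated on the post-NAT packet
        return xlated, action, acl_matches(self.crypto_acl, xlated, dst)

    def inbound_from_tunnel(self, src, dst):
        """Packet arriving from the peer. It must fit the mirrored crypto ACL,
        and its destination must be a real inside host or an existing xlate.
        Returns (accepted by the tunnel, inside host it is delivered to)."""
        accepted = any(ip(dst) in s and ip(src) in d for s, d in self.crypto_acl)
        if not accepted:
            return False, None
        if ip(dst) in self.inside_net:
            return True, dst
        return True, self.xlate.get(dst)   # None: no translation slot exists yet


INSIDE = net("192.168.12.0/24")   # real inside subnet from the thread
POOL = net("10.252.43.0/24")      # global (outside) 1 pool from the thread
REMOTE = net("10.10.26.0/24")     # subnet behind the PIX 525


def build(variant):
    """The three configurations discussed in the thread."""
    if variant == "posted":    # Mike's follow-up: exemption on the pool addresses
        return Asa([(POOL, REMOTE)], [(INSIDE, REMOTE)], INSIDE, POOL)
    if variant == "fixed":     # accepted answer: exemption on the real addresses
        return Asa([(INSIDE, REMOTE)], [(INSIDE, REMOTE)], INSIDE, POOL)
    if variant == "one_way":   # first reply, option 2: no exemption, ACL on NATed addresses
        return Asa([], [(POOL, REMOTE)], INSIDE, POOL)
    raise ValueError(variant)


if __name__ == "__main__":
    for name in ("posted", "fixed", "one_way"):
        asa = build(name)
        print(name, "5520 -> PIX:", asa.outbound("192.168.12.5", "10.10.26.7"))
        print(name, "PIX -> 5520 (real addr):", asa.inbound_from_tunnel("10.10.26.7", "192.168.12.9"))
        print(name, "PIX -> 5520 (pool addr):", asa.inbound_from_tunnel("10.10.26.7", "10.252.43.9"))
        print(name, "5520 -> internet:", asa.outbound("192.168.12.5", "198.51.100.9"))
```

Running it shows the failure mode the accepted answer corrects: in the `posted` variant the real source 192.168.12.5 never matches the exemption ACL written for 10.252.43.0/24, so it is translated to 10.252.43.5 and then fails the `to_pix525` crypto ACL, and nothing enters the tunnel. In `one_way` the outbound flow is encrypted after translation, but a packet from 10.10.26.7 to 10.252.43.9 has no xlate to land on until 192.168.12.9 has sent something first, which is the "initiate from the 5520 side only" restriction Ramya describes. In `fixed`, VPN traffic keeps its real address in both directions while traffic to 198.51.100.9 is still dynamically translated and left unencrypted.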