NAT policy to L2L tunnel

onenetspace
Level 1

I ran into an issue with post-8.3 IOS NATing and am curious if anyone can shed some light.

The scenario is: a PC on the network needs to access a device behind the tunnel (service provider). The tunnel source is required to be a different IP from the global one.

hosted device behind the tunnel: 44.44.44.44

IP used as the tunnel source: 22.22.22.22

Internal device IP: 192.168.1.1

To accomplish this with the pre-8.3 IOS I did as follows, and it works as planned:

object-group network HOSTED_DEVICE
network-object host 44.44.44.44

access-list outside_cryptomap extended permit ip host 22.22.22.22 object-group HOSTED_DEVICE log

access-list NAT extended permit ip host 192.168.1.1 host 44.44.44.44  

static (inside,outside) 22.22.22.22  access-list NAT

I tried the following on the post-8.3 IOS but had no luck:

object-group network HOSTED_DEVICE
network-object host 44.44.44.44

object-group network obj_22.22.22.22

access-list outside_cryptomap extended permit ip host 22.22.22.22 object-group HOSTED_DEVICE log

nat (inside,outside) source static obj_22.22.22.22 obj_22.22.22.22 destination static HOSTED_DEVICE HOSTED_DEVICE no-proxy-arp

Does anyone know how to accomplish this?

Thanks

1 Reply

Your NAT rule doesn't match the traffic from the internal device:

object network PC
 host 192.168.1.1
!
nat (inside,outside) source static PC obj_22.22.22.22 destination static HOSTED_DEVICE HOSTED_DEVICE no-proxy-arp
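For readers putting the pieces together, here is a complete post-8.3 ASA configuration of the scenario in this thread, written as an added example rather than config taken from the original poster or the reply. It assumes that obj_22.22.22.22 is a network object containing host 22.22.22.22 (the thread never shows its member line), that the crypto map and interface names are placeholders, and that the protected traffic is TCP/443 for the packet-tracer check. The point it adds is the verification step: after the source NAT rule is in place, packet-tracer shows the inside address being translated to 22.22.22.22 before the VPN phase, which is what the crypto ACL must match.

```cisco
! Real inside host that initiates the traffic
object network PC
 host 192.168.1.1
!
! Mapped address the provider expects to see as the tunnel source
! (assumed definition; the thread only shows the object name)
object network obj_22.22.22.22
 host 22.22.22.22
!
! Hosted device on the far side of the tunnel
object-group network HOSTED_DEVICE
 network-object host 44.44.44.44
!
! Twice NAT: translate PC -> 22.22.22.22 only when the destination is the
! hosted device (destination is identity-translated, so it is unchanged).
! no-proxy-arp keeps the ASA from answering ARP for 22.22.22.22 on the
! outside segment; route-lookup is not needed here because the egress
! interface is already correct.
nat (inside,outside) source static PC obj_22.22.22.22 destination static HOSTED_DEVICE HOSTED_DEVICE no-proxy-arp
!
! Crypto ACL must match the POST-NAT source address, because on post-8.3
! code NAT is evaluated before the VPN (encryption) check.
access-list outside_cryptomap extended permit ip host 22.22.22.22 object-group HOSTED_DEVICE log
!
! Placeholder crypto map binding (names and sequence number are assumed)
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer PEER_IP_PLACEHOLDER
!
! --- Verification (run from privileged exec, not part of the config) ---
! Expected in the output: a NAT phase translating 192.168.1.1 -> 22.22.22.22,
! followed by a VPN phase matching outside_cryptomap, and "Action: allow".
! packet-tracer input inside tcp 192.168.1.1 12345 44.44.44.44 443 detailed
!
! Confirm the rule is installed and counting hits:
! show nat detail
! show xlate
```

If packet-tracer shows the VPN phase failing with the untranslated 192.168.1.1 source, the NAT rule is not being hit; the usual causes are an earlier, broader nat statement in section 1 that matches first, or the source object not containing the real inside address (the situation the reply above corrects).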