rechard_hk
Beginner

Please give a sample site-to-site VPN configuration on ASA 5512-X v9.1!

Dear All,

Could you give a sample configuration of ASA 5512-X v9.1 for site-to-site VPN? I used to configure this on ASA 5510 v8.2, but on version 9.1 I have never configured it.

My issue is that I don't know how to configure nonat.

I saw some configurations, as in the attached file; they just show how to configure the VPN, but we did not see the nonat command.

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_site2site.html

Best Regards,

HK

4 Replies
Jouni Forss
Mentor

Hi,

The new configuration format for NAT0 / NAT Exemption / Identity NAT is the following:

object network SOURCE-NETWORK

   subnet <local-network> <mask>

object network DESTINATION-NETWORK

   subnet <remote-network> <mask>

nat (inside,outside) source static SOURCE-NETWORK SOURCE-NETWORK destination static DESTINATION-NETWORK DESTINATION-NETWORK

In the above:

  • SOURCE-NETWORK contains the network on your side of the VPN
  • DESTINATION-NETWORK contains the network on the remote side of the L2L VPN
  • The NAT configuration presumes that you are using interfaces with the names "inside" and "outside"
  • The reason you see 2 of each "object" in the NAT configuration is that no NAT is performed for them. You would have the option to do NAT for both source and destination, but in this case we don't want that.

Depending on how many source and destination networks we are talking about, this might need some modifying.

Hopefully this helps

- Jouni
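A fuller worked configuration, added here as an illustration and not taken from the thread or from Cisco's documentation, that applies the NAT-exemption format above to several local subnets and also shows the per-port static PAT discussed later in the thread. All addresses, object names and ACL names are constructed placeholders.

```cisco
! Constructed example (not from the thread): NAT exemption for two local
! subnets behind "inside" and one remote subnet reached over the L2L tunnel.
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object network LOCAL-SERVERS
 subnet 10.1.2.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.2.0.0 255.255.0.0

! Grouping the subnets keeps the exemption to a single NAT statement when
! more networks are added later.
object-group network L2L-LOCAL
 network-object object LOCAL-LAN
 network-object object LOCAL-SERVERS
object-group network L2L-REMOTE
 network-object object REMOTE-LAN

! Identity (twice) NAT: real and mapped objects are the same, so nothing is
! translated between the groups. A static twice-NAT rule is bidirectional,
! so no mirror-image nat (outside,inside) statement is needed.
! no-proxy-arp stops the ASA answering ARP for the remote range on the
! outside; route-lookup makes it pick the egress interface from the routing
! table instead of from the NAT rule, which avoids misrouting tunnel traffic.
nat (inside,outside) source static L2L-LOCAL L2L-LOCAL destination static L2L-REMOTE L2L-REMOTE no-proxy-arp route-lookup

! Crypto ACL ("interesting traffic") built from the same groups, so the
! tunnel definition and the exemption rule cannot drift apart.
access-list L2L-VPN extended permit ip object-group L2L-LOCAL object-group L2L-REMOTE

! Per-port static PAT to one server: one network object per port. Since
! 8.3, interface ACLs match the real (inside) address, not the outside
! interface address, so outside_acl permits the server's inside IP.
object network obj-10.1.2.10-3389
 host 10.1.2.10
 nat (inside,outside) static interface service tcp 3389 3389
object network obj-10.1.2.10-443
 host 10.1.2.10
 nat (inside,outside) static interface service tcp 443 443
access-list outside_acl extended permit tcp any host 10.1.2.10 eq 3389
access-list outside_acl extended permit tcp any host 10.1.2.10 eq 443
access-group outside_acl in interface outside
```

Verify the exemption with `packet-tracer input inside tcp 10.1.1.10 1024 10.2.0.10 80`; the NAT phase should show the identity rule and the output interface should be "outside" with no translation applied.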

Dear Jouni,

I have another problem: I want to allow outside to inside (I mean like 3389, 443, 5501, 5502, 3330) and my server is

192.168.10.1

access-list outside_acl extended permit tcp any host 192.168.10.1 eq 3389

object network RDP

host 192.168.10.1

object network RDP

nat (inside,outside) static interface service tcp 3389 3389

So the command above is working, but I want to do server groups (3389, 443, 5501, 5502 and 3330) matching 192.168.10.1.

Could you let me know the short command for service groups?

Regards,

Just create different object names using the same host IP address and add the NAT to each of the object names:

object network obj-192.168.10.1-5501

   host 192.168.10.1

   nat (inside,outside) static interface service tcp 5501 5501

object network obj-192.168.10.1-5502

   host 192.168.10.1

   nat (inside,outside) static interface service tcp 5502 5502

object network obj-192.168.10.1-3330

   host 192.168.10.1

   nat (inside,outside) static interface service tcp 3330 3330

Would you also need to add another NAT statement that does the opposite?

nat (outside,inside) source static DESTINATION-NETWORK DESTINATION-NETWORK destination static SOURCE-NETWORK SOURCE-NETWORK