10-30-2012 03:43 PM
Here is my scenario:
Site A
Cisco 5505 8.3
Internal subnet 1.1.1.x/24
Main hub
Site B
Cisco 5505 8.2
Internal subnet 2.2.2.x/24
Remote office
Site C
Cisco 5505 8.0
Internal subnet 2.2.2.x/24
Remote office
I have a L2L tunnel between Site A and Site B that encompasses the entire subnets. I need to build a tunnel between Site A and Site C. I would prefer to encompass the entire subnet in the tunnel, but there are 5 servers on each side that HAVE to communicate. I can narrow that tunnel down to those servers if need be. Site B and Site C will never pass traffic between them.
I would like to NAT the traffic from Site C before it hits the tunnel. I have seen the documentation and that seems doable. Here is my problem. I read that in this scenario traffic MUST initiate from Site C in order to work. This causes me great pain as most of the time the traffic will initiate from Site A.
I have full admin access to all three ASAs. I would like to do all of the NATing in this scenario on Site C if at all possible.
Thanks in advance,
10-30-2012 07:40 PM
Perfect, if you want to do the NATing on site C, then it's easy.
Here you go:
On site C:
access-list nat-to-A permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
static (inside,outside) 3.3.3.0 access-list nat-to-A
crypto ACL:
access-list cryptoACL permit ip 3.3.3.0 255.255.255.0 1.1.1.0 255.255.255.0
On site A:
crypto ACL:
access-list cryptoACL permit ip 1.1.1.0 255.255.255.0 3.3.3.0 255.255.255.0
NAT exemption: as usual
Traffic can be initiated from site A or site C.
10-31-2012 11:26 AM
I'm not even building a tunnel with that config. See snips below:
Site C:
Policy NAT part
access-list PNAT4TULSA extended permit ip 10.1.0.0 255.255.255.0 10.217.87.0 255.255.255.0
where 10.1.0.0/24 is my internal subnet and 10.217.87.0/24 is my remote subnet
static (inside,outside) 10.221.17.0 access-list PNAT4TULSA
where 10.221.17.0/24 is what I want to NAT to
Crypto map part
access-list VPN2TULSA extended permit ip 10.221.17.0 255.255.255.0 10.217.87.0 255.255.255.0
where 10.221.17.0/24 is the subnet I want to NAT to
crypto map outside_map 1 match address VPN2TULSA
crypto map outside_map 1 set peer xxx.xxx.xxx.xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
NAT0 part
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.255.0 10.217.87.0 255.255.255.0
Site A: This one is 8.3 remember
object network FNB
subnet 10.221.17.0 255.255.255.0
object network TULSA
subnet 10.217.87.0 255.255.255.0
nat (inside,outside) source static TULSA TULSA destination static FNB FNB
access-list VPN2FNB extended permit ip 10.217.87.0 255.255.255.0 10.221.17.0 255.255.255.0
crypto map outside_map 8 match address VPN2FNB
crypto map outside_map 8 set peer xxx.xxx.xxx.xxx
crypto map outside_map 8 set ikev1 transform-set ESP-3DES-SHA
Both Sites have matching IKE policies and I have verified the PSK for both tunnel-group entries. I'm sure that there is one little thing that I am missing, I just need a nudge in the right direction.
10-31-2012 02:45 PM
When you have static policy NAT configured, the NAT 0 access-list needs to be removed, as NAT 0 with an access-list takes precedence over the static NAT; hence it is not even building the tunnel.
So at site C, please remove the following:
NAT0 part
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.255.0 10.217.87.0 255.255.255.0
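As an added illustration (not from the thread or from Cisco), here is a small Python check of the three pieces the replies say must agree: the site C crypto ACL uses the translated subnet from the policy static, the site A crypto ACL is its mirror image, and no nat 0 exemption overlaps the policy-NAT ACL (the exemption wins, so the static never applies). The config snippets are constructed from the values posted above, and the ACL names passed to the checker are assumptions taken from those posts.

```python
import ipaddress
import re

# Constructed snippets copied from the thread's posts; the nat 0 line is the culprit.
SITE_C = """
access-list PNAT4TULSA extended permit ip 10.1.0.0 255.255.255.0 10.217.87.0 255.255.255.0
static (inside,outside) 10.221.17.0 access-list PNAT4TULSA
access-list VPN2TULSA extended permit ip 10.221.17.0 255.255.255.0 10.217.87.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.255.0 10.217.87.0 255.255.255.0
"""
SITE_A = "access-list VPN2FNB extended permit ip 10.217.87.0 255.255.255.0 10.221.17.0 255.255.255.0"

def parse_acls(config):
    """Collect 'access-list NAME [extended] permit ip SRC MASK DST MASK' lines into {name: [(src, dst)]}."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) > 2 and t[2] == "extended":
            del t[2]
        if len(t) < 8 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue
        src = ipaddress.ip_network(f"{t[4]}/{t[5]}")  # ipaddress accepts dotted netmasks
        dst = ipaddress.ip_network(f"{t[6]}/{t[7]}")
        acls.setdefault(t[1], []).append((src, dst))
    return acls

def check_policy_nat_vpn(site_c, site_a, crypto_c, crypto_a, nat0_acl):
    """Return a list of findings; an empty list means NAT and crypto ACLs agree."""
    acls_c, acls_a = parse_acls(site_c), parse_acls(site_a)
    m = re.search(r"static \(\S+\) (\S+) access-list (\S+)", site_c)
    if not m:
        raise ValueError("no policy static with access-list found at site C")
    mapped, pnat_acl = m.groups()
    real, remote = acls_c[pnat_acl][0]
    mapped_net = ipaddress.ip_network(f"{mapped}/{real.prefixlen}")
    findings = []
    # 1. Site C's crypto ACL must match the translated subnet, not the real one.
    if (mapped_net, remote) not in acls_c.get(crypto_c, []):
        findings.append(f"{crypto_c}: expected {mapped_net} -> {remote}")
    # 2. Site A's crypto ACL must be the exact mirror image.
    if (remote, mapped_net) not in acls_a.get(crypto_a, []):
        findings.append(f"{crypto_a}: expected {remote} -> {mapped_net}")
    # 3. A nat 0 exemption overlapping the policy-NAT ACL takes precedence over the
    #    static, so the translation never happens and no crypto ACL entry matches.
    for src, dst in acls_c.get(nat0_acl, []):
        if src.overlaps(real) and dst.overlaps(remote):
            findings.append(f"{nat0_acl}: {src} -> {dst} overrides policy NAT; remove it")
    return findings
```

Running the check on the posted site C config reports only the nat 0 entry; with that line removed it reports nothing, which is the fix the last reply gives.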