site-to-site vpn NAT/PAT interesting traffic config question

Andrew Escher
Level 1

I have an ASA running 8.4.2 code and am trying to verify site-to-site configs before tunnel migrations, specifically whether the NAT/PAT and ACL are correct. Phase 1 is already defined and working, as well as the crypto maps and tunnel groups.

When defining the interesting traffic in the ACL do you use the NAT or the real IP? Is the order of the ACL correct?

First:

The vendor's network is a 192.168.1.10 and needs to be NATed to 10.1.0.2

name 5.6.7.8 VendorName

object-group network VendorName-R
 network-object host 192.168.1.10

object-group network VendorName-NAT-R
 network-object host 10.1.0.2

object-group network VendorName-L
 network-object host 10.1.1.3

access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R

nat (inside,outside) 1 source static VendorName-L VendorName-NAT-R destination static VendorName-R VendorName-R

Second:

The vendor's network is on 192.168.1.0 and 192.168.2.0; these need to be PATed to 10.1.0.2 and 10.1.0.3.

192.168.1.20 and 168.1.21 need to be statically NATed to 10.1.0.4 and 10.1.0.5.

name 5.6.7.8 VendorName

object-group network VendorName-R-1
 network-object 192.168.1.0 255.255.255.0
object-group network VendorName-R-2
 network-object 192.168.2.0 255.255.255.0
object-group network VendorName-R-3
 network-object host 192.168.1.20
object-group network VendorName-R-4
 network-object host 192.168.1.21

object-group network VendorName-NAT-R-1
 network-object host 10.1.0.2
object-group network VendorName-NAT-R-2
 network-object host 10.1.0.3
object-group network VendorName-NAT-R-3
 network-object host 10.1.0.4
object-group network VendorName-NAT-R-4
 network-object host 10.1.0.5

object-group network VendorName-R
 group-object VendorName-NAT-R-1
 group-object VendorName-NAT-R-2
 group-object VendorName-NAT-R-3
 group-object VendorName-NAT-R-4

object-group network VendorName-L
 network-object host 10.1.1.3
 network-object host 10.1.1.6

access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-R

nat (inside,outside) 1 source dynamic VendorName-L VendorName-NAT-R-1 destination static VendorName-R-1 VendorName-R-1
nat (inside,outside) 1 source dynamic VendorName-L VendorName-NAT-R-2 destination static VendorName-R-2 VendorName-R-2
nat (inside,outside) 1 source static VendorName-L VendorName-NAT-R-3 destination static VendorName-R-3 VendorName-R-3
nat (inside,outside) 1 source static VendorName-L VendorName-NAT-R-4 destination static VendorName-R-4 VendorName-R-4

Accepted Solution

andrew.prince
Level 10

Your interesting traffic acl MUST be the NAT IP address.

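The accepted answer's rule (on ASA 8.3+ the crypto ACL is evaluated after NAT, so it must name the translated addresses as they appear on the outside interface) can be checked mechanically. The following Python script is an added example, not code from this thread or from Cisco: it parses a small subset of ASA syntax (object-group network with host, subnet-mask and group-object entries, twice-NAT `nat ... source ... destination static ...` lines, and `permit ip object-group` ACEs), derives each NAT rule's on-the-wire pair (mapped source, real destination), and reports any NAT rule the crypto ACL does not cover. The config text is constructed here, modelled on the first scenario in the question; the group names and the `group-object` nesting syntax are assumptions of this example, and only the syntax listed above is understood.

```python
"""Check that an ASA (8.3+) crypto ACL is written in post-NAT addresses.

Added example for this thread (not the original poster's or Cisco's code).
It understands only: 'object-group network' with 'network-object host',
'network-object <ip> <mask>' and 'group-object' entries; twice-NAT lines of
the form 'nat (a,b) [seq] source static|dynamic REAL MAPPED destination
static MAPPED REAL'; and 'access-list NAME extended permit ip object-group
SRC object-group DST'.
"""
import ipaddress
import re
from collections import defaultdict

NAT_RE = re.compile(
    r"nat \(\S+\) (?:\d+ )?source (static|dynamic) (\S+) (\S+)"
    r" destination static (\S+) (\S+)$")
ACL_RE = re.compile(
    r"access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)$")


def parse_config(text):
    """Return (raw_groups, nat_rules, acls) for the supported subset."""
    raw = {}            # group name -> list of networks or ("group", name)
    current = None      # object-group currently being filled
    nat_rules = []
    acls = defaultdict(list)
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"object-group network (\S+)$", line):
            current = m.group(1)
            raw[current] = []
        elif current and (m := re.match(r"network-object host (\S+)$", line)):
            raw[current].append(ipaddress.ip_network(m.group(1)))
        elif current and (m := re.match(r"network-object (\d\S*) (\S+)$", line)):
            # ipaddress accepts "net/mask" notation for the dotted-mask form
            raw[current].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif current and (m := re.match(r"group-object (\S+)$", line)):
            raw[current].append(("group", m.group(1)))
        elif m := NAT_RE.match(line):
            kind, real_src, mapped_src, mapped_dst, real_dst = m.groups()
            nat_rules.append(dict(kind=kind, real_src=real_src, mapped_src=mapped_src,
                                  mapped_dst=mapped_dst, real_dst=real_dst))
        elif m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3)))
    return raw, nat_rules, acls


def resolve(raw, name, seen=()):
    """Flatten a group, following group-object nesting, into a set of networks."""
    if name in seen:
        raise ValueError(f"circular group-object reference at {name}")
    nets = set()
    for entry in raw[name]:
        if isinstance(entry, tuple):
            nets |= resolve(raw, entry[1], seen + (name,))
        else:
            nets.add(entry)
    return nets


def covered(nets, ace_nets):
    """True when every network in nets lies inside some network of the ACE."""
    return all(any(n.subnet_of(a) for a in ace_nets) for n in nets)


def check_crypto_acl(text, acl_name):
    """Return findings (empty list means every NAT rule is matched post-NAT)."""
    raw, nat_rules, acls = parse_config(text)
    aces = [(resolve(raw, s), resolve(raw, d), s, d) for s, d in acls.get(acl_name, [])]
    findings = []
    for rule in nat_rules:
        wire_src = resolve(raw, rule["mapped_src"])   # what leaves the outside interface
        wire_dst = resolve(raw, rule["real_dst"])     # the peer's real address on the wire
        if any(covered(wire_src, s) and covered(wire_dst, d) for s, d, _, _ in aces):
            continue
        msg = (f"NAT rule {rule['real_src']}->{rule['mapped_src']} is not matched by "
               f"{acl_name}: expected permit ip {rule['mapped_src']} {rule['real_dst']}")
        # Name the usual mistake: the ACE was built from the pre-NAT (real) source.
        for _, _, sname, _ in aces:
            if sname == rule["real_src"] and rule["real_src"] != rule["mapped_src"]:
                msg += f"; ACE source {sname} is the pre-NAT address, use {rule['mapped_src']}"
        findings.append(msg)
    return findings


# Constructed config modelled on the thread's first scenario (names are assumed).
POSTED = """
object-group network VendorName-R
 network-object host 192.168.1.10
object-group network VendorName-NAT-R
 network-object host 10.1.0.2
object-group network VendorName-L
 network-object host 10.1.1.3
access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R
nat (inside,outside) 1 source static VendorName-L VendorName-NAT-R destination static VendorName-R VendorName-R
"""


def demo():
    """Run the check on the posted ACL and on one rewritten with post-NAT names."""
    bad = check_crypto_acl(POSTED, "VendorName-crypto")
    fixed = POSTED.replace("object-group VendorName-L object-group VendorName-NAT-R",
                           "object-group VendorName-NAT-R object-group VendorName-R")
    good = check_crypto_acl(fixed, "VendorName-crypto")
    return bad, good


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```

The posted ACE names the real local host and the locally mapped address, so the check reports it and points at the pair the NAT rule actually puts on the wire (mapped source, real vendor destination); once the ACE is rewritten in those terms the check returns no findings. The same check applies unchanged to the `source dynamic` PAT rules in the second scenario, because a dynamic rule's mapped object is likewise what the peer sees.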