
Site to Site VPN with NAT

sabinj
Level 1

Scenario:

L2L VPN Tunnel to client’s remote networks.  I am required to NAT my private network to a publicly routable unique network.

Technical Information

Local network: 192.168.1.0

NAT to Network: 71.x.x.96 255.255.255.224 (Range provided by ISP)

Outside INT of ASA: 71.x.x.115

Remote Network: 10.10.10.0

Crypto ACL

access-list crypto extended permit ip 71.x.x.96 255.255.255.224 10.10.10.0 255.255.255.0

The tunnel comes up, but my internal hosts are unable to access the tunnel because I am not NAT’ing the inside to the NAT to addresses correctly.  Below is what I have tried. 

Use of Policy NAT

access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

static (inside,outside) 71.x.x.0 access-list policy-nat

This doesn’t work: when I run show xlate, I see the following over and over again.

Global 71.x.x.0 Local 192.168.1.0.  It never translates the next host for example Global 71.x.x.97 Local 192.168.0.1.  Traffic does not pass through the tunnel to allow access to the host.

If anyone can please help I would greatly appreciate it.  I’ve also found another possibility but not exactly sure how to implement it.

http://www.experts-exchange.com/Networking/Security/IPSec/Q_22490812.html#discussion

15 Replies

I figured it out.  It was a two part issue.

Part 1:  Client neglected to inform us that we are required to authenticate to their firewall prior to traffic being sent to remote hosts.  This solved the connectivity problem.

Part 2:  NAT is being done with policy-nat in the following manner:

access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 object-group VPN

global (outside) 1 10.10.10.96-10.10.10.127 netmask 255.255.255.224

global (outside) 1 interface

Since the tunnel terminates on my outside interface, and the network I am NATing to is the same as the outside interface, I am able to use a combination of a global pool and PAT for NATing across the tunnel.  It works like a charm.  The only drawback: PAT is only used when the pool runs out of addresses, and each user that goes to the web gets a NATed address from the pool.  Actually I don't see the pool for internet access as a drawback, as it gives me better information when monitoring what certain users are doing.

Thanks to all for the help on this issue.  It was quite challenging, and this is for a new client so I didn't want to start finger pointing without being 100% sure that my config was correct.  Worst part is I asked about the firewall authentication prior to even starting this project and of course I was assured that it was not required.  Then after 4 days of my time being wasted, they realized that it was required.
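The root of the NAT half of this thread is whether the addresses the ASA hands out after translation fall inside the crypto ACL's source network; only those packets are encrypted into the tunnel. The following Python check, an added example and not part of either post, compares the first attempt (static net-to-net onto the whole /24) with a pool drawn from the ISP's /27. It assumes 203.0.113.0/24 as a stand-in for the anonymised 71.x.x.0/24, and the pool range .97-.114 is constructed to leave out the outside interface address.

```python
# Added example (not from the original post): check whether the addresses a
# policy NAT rule produces actually fall inside the crypto ACL's source network,
# which decides whether translated traffic enters the L2L tunnel.
# 203.0.113.0/24 (TEST-NET-3) stands in for the anonymised 71.x.x.0/24.
from ipaddress import IPv4Address, IPv4Network

CRYPTO_SRC = IPv4Network("203.0.113.96/27")   # crypto ACL source (71.x.x.96/27)
OUTSIDE_IF = IPv4Address("203.0.113.115")     # ASA outside interface (71.x.x.115)
INSIDE_NET = IPv4Network("192.168.1.0/24")    # local network from the post

def static_net_translations(inside: IPv4Network, mapped: IPv4Network):
    """Addresses produced by 'static (inside,outside) <mapped> access-list ...'
    applied to a whole inside network: host bits are carried over one to one."""
    return [mapped.network_address + (int(h) - int(inside.network_address))
            for h in inside.hosts()]

def pool_translations(first: IPv4Address, last: IPv4Address):
    """Addresses a 'global (outside) <id> <first>-<last>' pool can hand out."""
    return [IPv4Address(a) for a in range(int(first), int(last) + 1)]

def tunnel_coverage(translated, crypto_src, outside_if):
    """Split translated addresses into those the crypto ACL matches and those
    it does not, and flag a pool that overlaps the outside interface address."""
    matching = [a for a in translated if a in crypto_src]
    missing = [a for a in translated if a not in crypto_src]
    return matching, missing, outside_if in translated

def report():
    # First attempt from the post: static net-to-net onto the whole /24,
    # so 192.168.1.x becomes 203.0.113.x regardless of the /27 in the crypto ACL.
    first = static_net_translations(INSIDE_NET, IPv4Network("203.0.113.0/24"))
    ok1, bad1, _ = tunnel_coverage(first, CRYPTO_SRC, OUTSIDE_IF)
    # Working layout: a dynamic pool inside the ISP /27 (constructed range that
    # skips the interface address), with interface PAT as overflow.
    pool = pool_translations(IPv4Address("203.0.113.97"), IPv4Address("203.0.113.114"))
    ok2, bad2, clash = tunnel_coverage(pool, CRYPTO_SRC, OUTSIDE_IF)
    return {"static_in_tunnel": len(ok1), "static_outside_tunnel": len(bad1),
            "pool_in_tunnel": len(ok2), "pool_outside_tunnel": len(bad2),
            "pool_overlaps_interface": clash,
            # Interface PAT only reaches the tunnel if the interface IP itself
            # sits inside the crypto ACL source, as the post relies on.
            "interface_pat_in_tunnel": OUTSIDE_IF in CRYPTO_SRC}

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With these inputs the static net-to-net attempt puts only 32 of the 254 inside hosts inside the crypto ACL's /27, which matches the symptom in the original post, while every pool address and the interface PAT address do.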