09-19-2021 10:12 AM
Hi all,
I have configured a site-to-site VPN between a Cisco ASA and Azure using a route-based VPN, but now the customer wants to source NAT the subnet that lies behind the ASA when it goes toward the Azure end. I have checked but didn't find any document on where I can source NAT my traffic. Attaching my config here.
Cisco-ASA(config)#crypto ikev2 enable outside
Cisco-ASA(config)#crypto ikev2 policy 1
Cisco-ASA(config-ikev2-policy)#encryption aes-256
Cisco-ASA(config-ikev2-policy)#integrity sha
Cisco-ASA(config-ikev2-policy)#group 2
Cisco-ASA(config-ikev2-policy)#lifetime seconds 28800
Cisco-ASA(config)#crypto ipsec ikev2 ipsec-proposal SET1
Cisco-ASA(config-ipsec-proposal)#protocol esp encryption aes-256
Cisco-ASA(config-ipsec-proposal)#protocol esp integrity sha1
Cisco-ASA(config)#crypto ipsec security-association lifetime seconds 3600
Cisco-ASA(config)#crypto ipsec profile PROFILE1
Cisco-ASA(config-ipsec-profile)#set ikev2 ipsec-proposal SET1
Cisco-ASA(config-ipsec-profile)#set security-association lifetime seconds 27000
Cisco-ASA(config-ipsec-profile)#set pfs group2
Cisco-ASA(config)#tunnel-group 13.71.28.xxx type ipsec-l2l
Cisco-ASA(config)#tunnel-group 13.71.28.xxx ipsec-attributes
Cisco-ASA(config-tunnel-ipsec)#ikev2 local-authentication pre-shared-key xxxxx
Cisco-ASA(config-tunnel-ipsec)#ikev2 remote-authentication pre-shared-key xxxxx
Cisco-ASA(config)#interface tunnel 100
Cisco-ASA(config-if)#no shut
Cisco-ASA(config-if)#nameif vti
Cisco-ASA(config-if)#ip address 169.254.0.1 255.255.255.252
Cisco-ASA(config-if)#tunnel source interface outside
Cisco-ASA(config-if)#tunnel destination 13.71.28.xxx
Cisco-ASA(config-if)#tunnel mode ipsec ipv4
Cisco-ASA(config-if)#tunnel protection ipsec profile PROFILE1
Cisco-ASA(config)#route vti 192.168.9.x 255.255.255.0 169.254.0.2
Basically I need to use the NAT format below, but I don't know where to apply this in the crypto rule:
Cisco-ASA(config)#nat (inside,outside) source static 192.168.10.x_24 192.168.19.x_24 destination static 192.168.9.x_24 192.168.9.x_24
Can anyone help me here?
09-20-2021 12:04 AM
Hi @sv7,
If I understood this correctly, and assuming that you already have a working VPN, you need to apply NAT to your tunnel interface, something like:
Cisco-ASA(config)#nat (inside,vti) source static 192.168.10.x_24 192.168.19.x_24 destination static 192.168.9.x_24 192.168.9.x_24
BR,
Milos
09-20-2021 10:44 PM
Hi Milos,
Thank you for the reply. I know the command, but I need assistance on where I should call this source NAT:
nat (inside,vti) source static 192.168.10.x_24 192.168.19.x_24 destination static 192.168.9.x_24 192.168.9.x_24
There is no crypto map command in my configuration, so there is nowhere I can call this.
09-20-2021 11:56 PM
Hi @sv7,
VTIs (tunnel interfaces) are part of route-based VPN, which is conceptually different from policy-based VPN (crypto maps). There is no crypto map involved and no need to invoke it anywhere. The tunnel interface is the same as any other interface, and you only need to apply the NAT statement, just like any other NAT statement on the ASA (just take care of the order of the NAT rules, as, in general, you want your no-NAT rules to be on top of the others).
Either way, NAT is not applied in the crypto map, even with policy-based VPNs (there is a dependency between them, but it is not invoked anywhere specifically).
BR,
Milos
09-21-2021 05:26 AM
Will the NAT statement below work with the site-to-site route-based VPN tunnel I posted?
nat (inside,vti) source static 192.168.10.x_24 192.168.19.x_24 destination static 192.168.9.x_24 192.168.9.x_24
11-30-2022 05:07 AM
I don't believe you can use a VTI in a NAT statement; rather, you need to use a named physical interface or 'any'.
11-30-2022 09:17 PM
I don't know the reason why, but I can confirm that to date you cannot use VTI interfaces inside NAT statements. As jamesmils suggested, a workaround I've found, which has been working for many months now, is to use twice NAT with the keyword any, something like this:
nat (inside,any) source static 192.168.10.x_24 192.168.19.x_24 destination static 192.168.9.x_24 192.168.9.x_24
In short, with this command you don't directly choose the destination interface, but by specifying the destination network you get the same result.
Most probably this workaround doesn't cover all possible NAT cases, but it should cover the most common ones.
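Putting Milos's ordering advice and the `(inside,any)` workaround above together as one complete fragment. This is an added example, not config posted by anyone in the thread: it defines the network objects, places the twice-NAT rule at position 1 so it is evaluated before any broader rule (for example interface PAT toward the Internet), keeps the VTI route from the original post, and ends with the commands used to confirm what the ASA actually does with a packet. Addresses reuse the thread's placeholder values; the object names are assumptions.

```text
! Real and mapped networks (object names are assumed, not from the thread)
object network LOCAL_REAL_24
 subnet 192.168.10.0 255.255.255.0
object network LOCAL_MAPPED_24
 subnet 192.168.19.0 255.255.255.0
object network AZURE_24
 subnet 192.168.9.0 255.255.255.0
!
! Twice NAT: 192.168.10.0/24 becomes 192.168.19.0/24 only when the
! destination is the Azure subnet. The mapped interface is 'any' because the
! thread reports that a VTI nameif is not accepted here; the destination
! object is what limits the rule to tunnel-bound traffic. The explicit
! position (1) keeps it ahead of any other section-1 rule, which is the
! "no-NAT/specific rules on top" ordering Milos describes.
nat (inside,any) 1 source static LOCAL_REAL_24 LOCAL_MAPPED_24 destination static AZURE_24 AZURE_24
!
! Route the Azure subnet into the tunnel (as in the original post)
route vti 192.168.9.0 255.255.255.0 169.254.0.2
!
! Verification: the NAT phase should show the source rewritten to
! 192.168.19.x and the egress interface should be vti
show run nat
show nat detail
packet-tracer input inside icmp 192.168.10.10 8 0 192.168.9.10 detailed
show crypto ipsec sa
```

Because the Azure side only ever sees 192.168.19.0/24, the remote end has to accept and route that mapped prefix back through the tunnel rather than the real 192.168.10.0/24; if the far side is still configured for the real subnet, the SA comes up but return traffic never arrives.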
09-23-2021 09:54 PM
Any help, please?
09-28-2022 07:37 AM
Hi All
I have the same situation. My customer wanted me to NAT my internal subnets to a mapped IP range he provided. I am using policy-based IPsec. Can someone look at the config sample below for the NAT and crypto ACL and verify whether the config is correct?
object-group network source-inside
 network-object 10.86.224.0 255.255.252.0
 network-object 10.86.96.0 255.255.252.0
 network-object 10.87.96.0 255.255.255.0
 network-object 10.87.132.0 255.255.255.0
 network-object 10.87.29.0 255.255.255.0
object-group network Mapped_IP
 network-object 10.101.168.0 255.255.252.0
object-group network remote-IP
 network-object host x.x.x.x (waiting for the destination IP from the customer)
nat (inside,outside) source static source-inside Mapped_IP destination static remote-IP remote-IP
access-list outside_cryptomap_20 extended permit ip object-group Mapped_IP object-group remote-IP
09-28-2022 11:07 PM - edited 09-28-2022 11:08 PM
Hi @suneel.waqas,
I believe you need to modify your NAT/PAT rule:
nat (inside,outside) source dynamic source-inside Mapped_IP destination static remote-IP remote-IP
You are mapping multiple /22 and /24 subnets to a single /22 subnet, so you must use dynamic for this.
Also, please make sure that you are routing remote-IP towards outside, if this is where your crypto map is applied.
BR,
Milos
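The corrected policy-based configuration, assembled here as an added example rather than text from the poster or from Milos: the five real subnets are translated dynamically into the customer's /22 pool only for traffic to the customer host, the crypto ACL matches the mapped (post-NAT) source because the ASA applies NAT before it evaluates the crypto map for outbound traffic, and the remote host is routed out the interface that carries the crypto map. Object names follow the poster's; `x.x.x.x` is still the customer's undisclosed address, and the crypto map name `VPN_MAP` and the `<outside-next-hop>` placeholder are assumptions.

```text
! Real subnets behind the ASA (names from the thread)
object-group network source-inside
 network-object 10.86.224.0 255.255.252.0
 network-object 10.86.96.0 255.255.252.0
 network-object 10.87.96.0 255.255.255.0
 network-object 10.87.132.0 255.255.255.0
 network-object 10.87.29.0 255.255.255.0
!
! Mapped pool supplied by the customer: one /22 (1024 addresses) shared by
! roughly 2800 real hosts, so this is a many-to-few mapping and must be
! dynamic; a static rule cannot express it one-to-one
object-group network Mapped_IP
 network-object 10.101.168.0 255.255.252.0
!
! Customer host; x.x.x.x is still unknown in the thread
object-group network remote-IP
 network-object host x.x.x.x
!
! Dynamic twice NAT: sources are translated into the pool only when the
! destination is the customer host. Once 1024 real hosts hold a mapped
! address at the same time, further hosts get no translation and are dropped.
nat (inside,outside) source dynamic source-inside Mapped_IP destination static remote-IP remote-IP
!
! Crypto ACL on the mapped source: NAT runs before crypto map matching, so
! an ACL written for the real 10.86.x/10.87.x addresses would never match
access-list outside_cryptomap_20 extended permit ip object-group Mapped_IP object-group remote-IP
!
! The remote host has to be reachable via the interface holding the crypto
! map (VPN_MAP and the next hop are assumed values)
route outside x.x.x.x 255.255.255.255 <outside-next-hop>
crypto map VPN_MAP 20 match address outside_cryptomap_20
crypto map VPN_MAP interface outside
!
! Verification: the NAT phase should show a 10.101.168.x source and the
! VPN phase should select crypto map entry 20
packet-tracer input inside tcp 10.86.224.10 40000 x.x.x.x 443 detailed
show nat detail
show crypto ipsec sa
```

With dynamic NAT the customer sees a different pool address per session, so anything on their side that depends on a fixed per-host address (firewall rules keyed to a single IP, connections initiated from their side toward your hosts) will not work through this rule; that is the trade-off of squeezing 2800 real addresses into a 1024-address pool.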