04-15-2016 02:24 PM
I need help setting up a static NAT between our site and the vendor.
Our site has a subnet 10.140.2.0/24 that the vendor is using for something else. They requested that we NAT 10.140.2.0/24 to 10.240.2.0/24 over the VPN so they will see 10.140 as 10.240. Any help is appreciated. I believe the crypto map ACL needs to be adjusted as well; we are running version 8.2.
LOCAL SITE ----ASA---VPN TUNNEL---ASA--VENDOR SITE
Thanks in advance.
04-16-2016 12:37 PM
Hello Bbftijari,
In this case it depends on the ASA version, but you will need to configure it this way:
Pre-8.3
1. Create object groups to use them in the ACL,
object-group network LOCAL_SITE
network-object 10.140.2.0 255.255.255.0
object-group network Vendor_SITE
network-object XXXXXX XXXXXX
2. Create the ACL that defines the condition:
access-list VPN_NAT extended permit ip object-group LOCAL_SITE object-group Vendor_SITE
3. Create the static NAT and call the ACL. This says "when I go from inside to outside from LOCAL_SITE to Vendor_SITE, I will be translated to 10.240.2.0/24":
! policy static NAT: the mapped range takes its mask from the real subnet in the ACL,
! so no netmask keyword is used with the access-list form
static (inside,outside) 10.240.2.0 access-list VPN_NAT
--------------------------------------------------------------------------------------------------------------------------------
Post 8.3
1. Create the network objects, and create static entry:
object-group network LOCAL_SITE
network-object 10.140.2.0 255.255.255.0
object-group network NAT_SITE
network-object 10.240.2.0 255.255.255.0
object-group network Vendor_SITE
network-object XXXXXX XXXXXX
2. Create the static NAT (twice NAT; the destination is kept unchanged):
nat (inside,outside) 1 source static LOCAL_SITE NAT_SITE destination static Vendor_SITE Vendor_SITE no-proxy-arp route-lookup
Test and keep me posted,
Please proceed to rate and mark as correct this answer if this helped you,
David Castro,
04-29-2016 07:12 AM
Hello Besnik,
Hey, the problem is that you still have a NAT 0 (NAT exemption) ACL defined for this traffic, so you have to remove the ACL line defined for:
10.140.0.0 255.255.0.0 -> 10.10.250.0 255.255.255.0
Once you remove it, in the NAT order of operations it will use the policy NAT you just created as per my advice. Run the packet tracer at least twice.
Please post your config here, and proceed to rate and mark as correct all of the helpful posts!
Thanks,
David Castro,
04-17-2016 02:44 PM
Thank you so much for your response. I will test this soon and will update you. I still have to provide the solution for the GRE on the other issue I had posted, just not enough time.
Thanks David,
04-25-2016 09:38 AM
Hello Besnik,
Were you able to implement this? Can you please rate and mark as correct the previous post?
Thanks,
David Castro,
04-26-2016 05:36 AM
David, I have tried the solution you provided and I still can't reach the other end. This is the output I'm getting from packet tracer:
static (inside,outside) 10.240.2.0 access-list 140to240
access-list 140to240 extended permit ip 10.140.2.0 255.255.255.0 10.10.250.0 255.255.255.0
packet-tracer input inside icmp 10.140.2.94 8 0 10.10.250.$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.250.0 255.255.255.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE-IN in interface inside
access-list INSIDE-IN extended permit icmp 10.140.0.0 255.255.0.0 10.10.250.0 255.255.255.0
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.140.0.0 255.255.0.0 outside 10.10.250.0 255.255.255.0
NAT exempt
translate_hits = 3990, untranslate_hits = 6
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 10.240.2.0 access-list 140to240
match ip inside 10.140.2.0 255.255.255.0 outside 10.10.250.0 255.255.255.0
static translation to 10.240.2.0
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 10.240.2.0 access-list 140to240
match ip inside 10.140.2.0 255.255.255.0 outside 10.10.250.0 255.255.255.0
static translation to 10.240.2.0
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
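The fix in this thread hinges on the pre-8.3 NAT order of operations: a nat 0 (NAT exemption) match is taken before any static policy NAT is even considered, and the crypto map ACL is then evaluated against the post-NAT source address. The following is an added example, not configuration or code from the thread, that models that evaluation for the flow in the posted packet-tracer output (10.140.2.94 to the vendor's 10.10.250.0/24) with and without the leftover 10.140.0.0/16 exemption. It assumes a crypto map ACL that already lists the translated 10.240.2.0/24 (the thread never shows it) and a constructed destination host 10.10.250.10; the nat-control behaviour is only described in comments. It also checks a second 10.140.x.0/24 to show what the /16 exemption was covering before it was removed.

```python
"""Model of the pre-8.3 ASA NAT rule selection for one outbound flow.
Added example; it does not talk to a real ASA."""
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' line of an extended ACL."""
    src: IPv4Net
    dst: IPv4Net

    def matches(self, sip, dip):
        return sip in self.src and dip in self.dst


@dataclass(frozen=True)
class PolicyStatic:
    """static (inside,outside) <mapped> access-list <acl>  (pre-8.3 syntax).
    The mapped range takes its size from the real subnet in the matching ACE,
    so 10.140.2.0/24 -> 10.240.2.0/24 is a one-to-one subnet translation."""
    acl: tuple
    mapped: IPv4Net

    def translate(self, sip, dip):
        for ace in self.acl:
            if ace.matches(sip, dip):
                offset = int(sip) - int(ace.src.network_address)
                return ipaddress.ip_address(int(self.mapped.network_address) + offset)
        return None


@dataclass(frozen=True)
class Asa82:
    nat_exempt: tuple      # nat (inside) 0 access-list ...   checked first
    policy_static: tuple   # static ... access-list ...        checked second
    crypto_acl: tuple      # crypto map match address ...     checked after NAT

    def outbound(self, src, dst):
        """Return (nat_phase, source address on the wire, encrypted?) for one flow."""
        sip, dip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. NAT exemption wins over every other NAT rule in the 8.2 order of operations.
        if any(a.matches(sip, dip) for a in self.nat_exempt):
            phase, wire = "NAT-EXEMPT", sip
        else:
            # 2. Policy static NAT (static ... access-list); first matching rule wins.
            wire = None
            for rule in self.policy_static:
                wire = rule.translate(sip, dip)
                if wire is not None:
                    phase = "STATIC-POLICY"
                    break
            if wire is None:
                # No NAT rule at all: with nat-control enabled the ASA drops the flow,
                # without it the packet leaves untranslated.
                phase, wire = "NO-MATCH", sip
        # 3. The crypto map ACL sees the translated source, not the real one.
        encrypt = any(a.matches(wire, dip) for a in self.crypto_acl)
        return phase, str(wire), encrypt


VENDOR = net("10.10.250.0/24")
ACL_140TO240 = (Ace(net("10.140.2.0/24"), VENDOR),)
STATIC_140TO240 = PolicyStatic(ACL_140TO240, net("10.240.2.0/24"))
# Assumed crypto ACL: the vendor expects to see the translated subnet.
CRYPTO_ACL = (Ace(net("10.240.2.0/24"), VENDOR),)
# The leftover exemption shown in the packet-tracer output: 10.140.0.0/16 -> 10.10.250.0/24
OLD_EXEMPT = (Ace(net("10.140.0.0/16"), VENDOR),)


def before_fix(src="10.140.2.94", dst="10.10.250.10"):
    """Config as in the posted packet-tracer run: nat 0 line still present."""
    return Asa82(OLD_EXEMPT, (STATIC_140TO240,), CRYPTO_ACL).outbound(src, dst)


def after_fix(src="10.140.2.94", dst="10.10.250.10"):
    """Config after removing the nat 0 line, as advised in the thread."""
    return Asa82((), (STATIC_140TO240,), CRYPTO_ACL).outbound(src, dst)


if __name__ == "__main__":
    print("before:", before_fix())                       # ('NAT-EXEMPT', '10.140.2.94', False)
    print("after: ", after_fix())                        # ('STATIC-POLICY', '10.240.2.94', True)
    print("other /24 after:", after_fix("10.140.5.1"))   # ('NO-MATCH', '10.140.5.1', False)
```

The "before" result reproduces the posted trace: the flow hits NAT-EXEMPT, leaves with its real 10.140.2.94 source, and is then denied at the VPN encrypt phase because the crypto ACL only describes 10.240.2.0/24. The "other /24" case is the caveat to keep in mind when deleting the old exemption line: any other 10.140.x.0/24 that still needs the tunnel untranslated loses its NAT rule with it (and is dropped outright if nat-control is on), so re-add a narrower nat 0 line for those subnets rather than leaving them without one.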
04-30-2016 05:36 PM
David, you were right on the point. I forgot about that no-NAT line I had in there from an earlier config. Your solution worked and saved the day; added to my knowledge base. Thanks for your great work and help.
Best regards,
05-01-2016 09:33 PM
Besnik, it was a pleasure. Could you please also rate the other posts? Those also have info to get this fixed :)
David Castro,