So I need any ideas on the best way to achieve this. I can think of a few but don't know which will be best. Here goes:
I have a local network of 10.9.0.0/20 and need to create a bidirectional IPsec tunnel to a client site. They want me to present to them a 172.16.17.0/24 address over the IPsec. My thinking, for ease, is to create the tunnel with the local and remote networks above and then create a dynamic NAT pool (many to many) that will translate any 10.9.0.0 address to a 172.16.17.0 address. Is there any better way to do this?
Thanks in advance.
If I understood your question correctly, then my solution would be to create an SVTI (IPsec virtual tunnel interface), configure it with "ip nat outside" and then translate 10.9.0.0/20 to the NAT pool 172.16.17.0/24. It seems an easy task.
So the issue is that I have to send the IP from site 1 to site 2 as 172.16.17.0/24 over the IPsec. I have no access to site 2 or any of its equipment (it is at a client). From what I know I could do it using SVTI, but wouldn't the other site (site 2) need a 172.16.17.0/25 address? The only thing they have set or can set is a remote network of 172.16.17.0/24.
Here is an example which might help you, but you need to make sure you have a matching subnet (for bidirectional, one-to-one mapping).
Configure the NAT. Source address range of 10.9.0.0/24 and destinations of the remote subnet (example 10.10.0.0/24):
access-list 101 permit ip 10.9.0.0 0.0.0.255 10.10.0.0 0.0.0.255
Create a route-map called 'static-nat' and match traffic to ACL 101:
route-map static-nat permit 10
 match ip address 101
Create a NAT pool for the public IP address (or range) you want to NAT to. In this case, I'm NATing to 172.16.17.0:
ip nat pool NAT-POOL 172.16.17.1 172.16.17.254 netmask 255.255.255.0
Create a NAT rule that uses the route-map 'static-nat'. Upon a match to ACL 101, NAT that traffic to one of the NAT-POOL addresses:
ip nat inside source route-map static-nat pool NAT-POOL overload
Once you have configured the NAT you need to modify the interesting traffic. You need your 'interesting traffic' ACL:
access-list 121 permit ip 172.16.17.0 0.0.0.255 10.10.0.0 0.0.0.255
Define your VPN peer, apply phase II and matching ACL for interesting traffic:
crypto map VPN 5 ipsec-isakmp
 set peer <peer ip>
 set transform-set <transform set>
 match address 121
Apply the crypto map to the public interface and NAT on the public side:
ip nat outside
crypto map VPN
Configure NAT on the inside interface (internal side):
! 10.9.0.1 is assumed here: an interface needs a host address, not the network address 10.9.0.0
ip address 10.9.0.1 255.255.255.0
ip nat inside
Thanks for your reply. When trying this on the ASA I get invalid input as below:
ASA5510-02(config)# ip nat pool NAT-POOL 172.16.17.1 172.16.17.254 netmask /24
ERROR: % Invalid input detected at '^' marker.
Can you please tell me which ASA software version you are using, as NAT configuration has different syntax on version 8.3 and the versions below it.
For doing one-to-one NAT, make sure your real subnet and NATted subnet mask are the same.
You need to configure a Manual NAT statement on your firewall. For example:
1. First create network objects, then refer to them in the NAT statement.
object network obj-10.9.0.0
 subnet 10.9.0.0 255.255.255.0
object network obj-172.16.17.0
 subnet 172.16.17.0 255.255.255.0
object network destination_network
 subnet x.x.x.x x.x.x.x
nat (inside,outside) source static obj-10.9.0.0 obj-172.16.17.0 destination static destination_network destination_network
2. Now define the interesting traffic using the NATted IP as the source.
access-list new extended permit ip 172.16.17.0 255.255.255.0 x.x.x.x x.x.x.x
3. Refer to this access-list in the crypto map configured for the peer.
Please do rate useful posts.
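The point made in this answer, that a one-to-one subnet translation needs equal masks, is easy to get wrong (the original /20 to /24 plan fails it and would silently become many-to-one PAT). The script below is an added example, not Cisco's code or anything posted in the thread: it checks the masks, shows which mapped address a real host appears as to the peer, and generates the ASA 8.3+ objects, manual NAT and crypto ACL. The object names, the ACL name VPN-TRAFFIC and the peer subnet 10.10.0.0/24 are assumptions.

```python
import ipaddress


def masks_match(real_net: str, mapped_net: str) -> bool:
    """One-to-one subnet NAT keeps the host bits, so both masks must be equal.
    A /20 real subnet mapped to a /24 fails this and would become PAT."""
    real, mapped = ipaddress.ip_network(real_net), ipaddress.ip_network(mapped_net)
    return real.prefixlen == mapped.prefixlen


def static_nat_translate(real_net: str, mapped_net: str, host: str) -> str:
    """Return the mapped address a real host is seen as by the IPsec peer."""
    if not masks_match(real_net, mapped_net):
        raise ValueError(f"{real_net} -> {mapped_net} is not one-to-one")
    real, mapped = ipaddress.ip_network(real_net), ipaddress.ip_network(mapped_net)
    h = ipaddress.ip_address(host)
    if h not in real:
        raise ValueError(f"{host} is outside {real_net}")
    # host offset inside the real subnet is preserved in the mapped subnet
    return str(mapped.network_address + (int(h) - int(real.network_address)))


def asa_static_nat_config(real_net: str, mapped_net: str, peer_net: str,
                          acl: str = "VPN-TRAFFIC") -> str:
    """Emit ASA 8.3+ network objects, manual (twice) NAT and the crypto ACL.
    Object names, ACL name and peer subnet are assumptions for this example."""
    if not masks_match(real_net, mapped_net):
        raise ValueError("static subnet NAT needs equal masks on both subnets")
    real, mapped, peer = (ipaddress.ip_network(n) for n in (real_net, mapped_net, peer_net))

    def obj(n):
        return f"obj-{n.network_address}"

    lines = []
    for n in (real, mapped, peer):
        lines += [f"object network {obj(n)}", f" subnet {n.network_address} {n.netmask}"]
    lines.append(f"nat (inside,outside) source static {obj(real)} {obj(mapped)} "
                 f"destination static {obj(peer)} {obj(peer)}")
    # NAT is applied before encryption, so the crypto ACL matches the mapped source
    lines.append(f"access-list {acl} extended permit ip {mapped.network_address} "
                 f"{mapped.netmask} {peer.network_address} {peer.netmask}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(asa_static_nat_config("10.9.0.0/24", "172.16.17.0/24", "10.10.0.0/24"))
    print(static_nat_translate("10.9.0.0/24", "172.16.17.0/24", "10.9.0.37"))
```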
I provided the configuration assuming it is an IOS router. For the ASA you need to have policy-based NAT.
You can refer to this thread for a similar example: https://supportforums.cisco.com/discussion/11128851/policy-based-nat-asa-841