12-23-2014 01:57 PM - edited 02-21-2020 08:00 PM
So I need any ideas on the best way to achieve this; I can think of a few but don't know which will be best. Here goes:
I have a local network of 10.9.0.0/20 and need to create a bidirectional IPsec tunnel to a client site. They want me to present to them a 172.16.17.0/24 address over the IPsec. My thinking, for ease, is to create the tunnel with the local and remote networks above, then create a dynamic NAT pool (many to many) that will translate any 10.9.0.0 address to a 172.16.17.0 address. Is there any better way to do this?
Thanks in advance
12-25-2014 07:15 AM
If I understood your question correctly, then my solution will be to create an SVTI (IPsec virtual tunnel interface), configure it with "ip nat outside" and then translate 10.9.0.0/20 to the NAT pool 172.16.17.0/24. It seems an easy task.
01-05-2015 01:23 PM
So the issue is that I have to send the IP from site 1 to site 2 as 172.16.17.0/24 over the IPsec. I have no access to site 2 or any of its equipment (it is at a client). From what I know I could do it using SVTI, but wouldn't the other site (site 2) need a 172.16.17.0/25 address? The only thing they have set, or can set, is a remote network of 172.16.17.0/24.
01-05-2015 11:04 PM
Here is an example which might help you, but you need to make sure you have matching subnets (for bidirectional, one-to-one mapping).
Configure the NAT. Source address range of 10.9.0.0/24 and destination of the remote subnet (example 10.10.0.0/24):
access-list 101 permit ip 10.9.0.0 0.0.0.255 10.10.0.0 0.0.0.255
Create a route-map called 'static-nat' and match traffic to ACL 101:
route-map static-nat permit 10
 match ip address 101
Create a NAT-POOL for the public IP address (or range) you want to NAT to. In this case, I'm NAT'ing to 172.16.17.0:
ip nat pool NAT-POOL 172.16.17.1 172.16.17.254 netmask 255.255.255.0
Create a NAT rule to use the route-map 'static-nat'. Upon a match to ACL 101, NAT that traffic to one of the NAT-POOL addresses:
ip nat inside source route-map static-nat pool NAT-POOL overload
Once you have configured the NAT, you need to modify the interesting traffic. Your 'interesting traffic' ACL:
access-list 121 permit ip 172.16.17.0 0.0.0.255 10.10.0.0 0.0.0.255
Define your VPN peer, apply phase 2 and the matching ACL for interesting traffic:
crypto map VPN 5 ipsec-isakmp
 set peer <peer ip>
 set transform-set <transform set>
 match address 121
Apply the crypto map to the public interface and NAT on the public side:
interface GigabitEthernet0/0
 ip nat outside
 crypto map VPN
Configure NAT on the inside interface (the interface needs a host address, not the network address):
interface GigabitEthernet0/1
 ip address 10.9.0.1 255.255.255.0
 ip nat inside
HTH
01-06-2015 05:22 AM
Thanks for your reply. When trying this on the ASA I get invalid input as below:
ASA5510-02(config)# ip nat pool NAT-POOL 172.16.17.1 172.16.17.254 netmask /24
^
ERROR: % Invalid input detected at '^' marker.
01-06-2015 06:36 AM
Can you please tell me which ASA software version you are using, as NAT configuration has a different syntax on version 8.3 and earlier versions.
01-06-2015 07:03 AM
It is 9.1.5.
01-06-2015 07:52 AM
For one-to-one NAT, make sure your real subnet and NATted subnet masks are the same.
You need to configure a Manual NAT statement on your firewall. For example:
1. First create network objects and refer to them in the NAT statement.
object network obj-10.9.0.0
 subnet 10.9.0.0 255.255.255.0
object network obj-172.16.17.0
 subnet 172.16.17.0 255.255.255.0
object network destination_network
 subnet x.x.x.x x.x.x.x
nat (inside,outside) source static obj-10.9.0.0 obj-172.16.17.0 destination static destination_network destination_network
2. Now define the interesting traffic using the NATted IP as the source.
access-list new extended permit ip 172.16.17.0 255.255.255.0 x.x.x.x x.x.x.x
3. Refer to this access-list in the crypto map configured for the peer.
HTH
Please do rate useful posts
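The IOS answer and the ASA answer above both rely on the same two points: the translation happens before the crypto map (or crypto ACL) is evaluated, so the interesting-traffic ACL must name the translated 172.16.17.0/24 source, and a bidirectional tunnel needs a one-to-one mapping with equal masks. The following Python model is an added example, not configuration from the thread or from Cisco; it uses the /24 subnets from the answers and a constructed stand-in (10.10.0.0/24) for the client's "x.x.x.x" remote subnet. It contrasts the static subnet NAT the answers recommend with the dynamic-pool/overload idea in the original question, showing why the latter cannot let the client site initiate connections.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Added example, not from the thread. Models the two NAT styles discussed:
# static one-to-one subnet NAT (ASA "nat ... source static" / IOS static-nat) and a
# dynamic pool with overload (the original "many to many" idea), then checks the
# crypto ACL against the post-NAT source, which is the order the firewall applies them.

REAL_NET = ipaddress.ip_network("10.9.0.0/24")       # real inside subnet (from the answers)
MAPPED_NET = ipaddress.ip_network("172.16.17.0/24")  # what the client site must see
REMOTE_NET = ipaddress.ip_network("10.10.0.0/24")    # constructed stand-in for the client's subnet


def static_subnet_nat(src: str) -> str:
    """One-to-one NAT: keep the host bits, swap the network bits.
    Both subnets must use the same mask, as the ASA answer notes."""
    if REAL_NET.prefixlen != MAPPED_NET.prefixlen:
        raise ValueError("real and mapped subnets must have the same mask for one-to-one NAT")
    addr = ipaddress.ip_address(src)
    if addr not in REAL_NET:
        return src                          # not covered by this NAT rule
    host = int(addr) - int(REAL_NET.network_address)
    return str(ipaddress.ip_address(int(MAPPED_NET.network_address) + host))


def static_subnet_untranslate(dst: str) -> str:
    """Inbound side of the same static rule: the client addresses 172.16.17.x
    and the firewall delivers the packet to 10.9.0.x."""
    addr = ipaddress.ip_address(dst)
    if addr not in MAPPED_NET:
        return dst
    host = int(addr) - int(MAPPED_NET.network_address)
    return str(ipaddress.ip_address(int(REAL_NET.network_address) + host))


class DynamicPoolNat:
    """Dynamic pool with overload: a translation exists only after an inside host
    has sent traffic, so the client site cannot initiate to an arbitrary 172.16.17.x."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}      # real -> mapped, filled on first outbound packet
        self._free = iter(MAPPED_NET.hosts())

    def outbound(self, src: str) -> str:
        if src not in self.table:
            self.table[src] = str(next(self._free))
        return self.table[src]

    def inbound(self, dst: str) -> Optional[str]:
        for real, mapped in self.table.items():
            if mapped == dst:
                return real
        return None                          # no translation state: packet is dropped


def matches_crypto_acl(src: str, dst: str) -> bool:
    """Equivalent of 'access-list ... permit ip 172.16.17.0 255.255.255.0 <remote subnet>'."""
    return (ipaddress.ip_address(src) in MAPPED_NET
            and ipaddress.ip_address(dst) in REMOTE_NET)


def outbound_flow(src: str, dst: str) -> Tuple[str, bool]:
    """NAT first, then the crypto ACL is checked against the translated source."""
    translated = static_subnet_nat(src)
    return translated, matches_crypto_acl(translated, dst)


if __name__ == "__main__":
    print(outbound_flow("10.9.0.5", "10.10.0.20"))        # ('172.16.17.5', True)
    print(static_subnet_untranslate("172.16.17.5"))         # 10.9.0.5
    # A crypto ACL written with the real source never matches post-NAT traffic:
    print(matches_crypto_acl("10.9.0.5", "10.10.0.20"))    # False
    pat = DynamicPoolNat()
    print(pat.outbound("10.9.0.5"))                         # 172.16.17.1
    print(pat.inbound("172.16.17.9"))                       # None
```

The `DynamicPoolNat` half is the part to check against your own requirement: if the client must be able to reach your hosts by their 172.16.17.x addresses without you having sent traffic first, only the static one-to-one mapping works, and the interesting-traffic ACL must be written in terms of 172.16.17.0/24.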
01-06-2015 07:39 AM
Hi,
I provided the configuration assuming it is an IOS router. For the ASA you need to have policy-based NAT.
You can refer to this thread for a similar example: https://supportforums.cisco.com/discussion/11128851/policy-based-nat-asa-841
Regards,
Abaji.