VPN IPsec with NAT

battanc
Level 1

ASA5510, 8.0.x

I need to set up a Site-to-Site (L2L) VPN with a remote location.

The IT consultant of the remote asks me NOT to go out with my real (public) IP address, but translating to a single IP address.

On my side, I have a /24 network, at the remote site I must reach only 4 IP's.

The VPN is one way only: I need to reach their Servers, but not vice versa.

I tried to follow the document ID-99122 (http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml), but it seems not to work with a static NAT of a /24 translated on a single IP address.

I tried to ask them, to allow me to NAT to a /24, but they do not agree.

Any solution?

Regards,

Claudio

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

If I understood you correctly, you want to translate your /24 network to a single Dynamic PAT IP address when contacting the remote site only through the L2L VPN.

For that you could try to use Dynamic Policy PAT

access-list L2LVPN-POLICYNAT remark Define Traffic for The Dynamic Policy PAT for L2L VPN
access-list L2LVPN-POLICYNAT permit ip 10.10.10.0 255.255.255.0 host 1.1.1.1
access-list L2LVPN-POLICYNAT permit ip 10.10.10.0 255.255.255.0 host 1.1.1.2
access-list L2LVPN-POLICYNAT permit ip 10.10.10.0 255.255.255.0 host 1.1.1.3
access-list L2LVPN-POLICYNAT permit ip 10.10.10.0 255.255.255.0 host 1.1.1.4
global (outside) 200 <PAT IP>
nat (inside) 200 access-list L2LVPN-POLICYNAT

Also naturally your L2L VPN Crypto Map ACL should look like this

access-list L2LVPN-CRYPTOMAP remark Define Encryption Domain for L2L VPN connection
access-list L2LVPN-CRYPTOMAP permit ip host <PAT IP> host 1.1.1.1
access-list L2LVPN-CRYPTOMAP permit ip host <PAT IP> host 1.1.1.2
access-list L2LVPN-CRYPTOMAP permit ip host <PAT IP> host 1.1.1.3
access-list L2LVPN-CRYPTOMAP permit ip host <PAT IP> host 1.1.1.4
crypto map <CRYPTO MAP NAME> <SEQ> match address L2LVPN-CRYPTOMAP

Where

  • 10.10.10.0/24 = your source LAN network
  • 1.1.1.1 - 4 = the remote end's 4 hosts you need to contact through the L2L VPN
  • PAT IP = the IP address assigned to you by the remote end to be used with the L2L VPN

Hope this helps

EDIT: Copy/Paste strikes again. I had both of the ACL identically named. Corrected that.

- Jouni
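Added example, not from the thread or from Cisco: a small Python checker that parses this style of ASA 8.0 configuration and verifies that every policy-PAT flow is still matched by the crypto map ACL after translation, which is exactly where a crypto ACL written against the real /24 fails silently (the ASA translates before it encrypts, so such a flow would leave the outside interface unencrypted). The PAT address 203.0.113.10 and the crypto map name OUTSIDE_MAP with sequence 10 are assumed values; the thread's config is trimmed to two of the four remote hosts.

```python
import ipaddress
# Constructed sample: the thread's ASA 8.0 policy-PAT config trimmed to two of the
# four remote hosts; the "<PAT IP>" value and crypto map name/seq are assumed.
PAT_IP = "203.0.113.10"
CONFIG = f"""
access-list L2LVPN-POLICYNAT permit ip 10.10.10.0 255.255.255.0 host 1.1.1.1
access-list L2LVPN-POLICYNAT permit ip 10.10.10.0 255.255.255.0 host 1.1.1.2
global (outside) 200 {PAT_IP}
nat (inside) 200 access-list L2LVPN-POLICYNAT
access-list L2LVPN-CRYPTOMAP permit ip host {PAT_IP} host 1.1.1.1
access-list L2LVPN-CRYPTOMAP permit ip host {PAT_IP} host 1.1.1.2
crypto map OUTSIDE_MAP 10 match address L2LVPN-CRYPTOMAP
"""

def _addr(t):  # consume one ASA address spec ("host X" or "NET MASK") -> (network, rest)
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}"), t[2:]

def parse(config):
    """Collect ACL entries, global PAT addresses, policy NAT bindings and crypto ACLs."""
    acls, pools, nats, crypto = {}, {}, {}, {}
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, rest = _addr(t[4:])
            acls.setdefault(t[1], []).append((src, _addr(rest)[0]))
        elif t[:1] == ["global"]:
            pools[t[2]] = ipaddress.ip_network(t[3])
        elif t[:1] == ["nat"] and "access-list" in t:
            nats[t[2]] = t[t.index("access-list") + 1]
        elif t[:2] == ["crypto", "map"] and "match" in t:
            crypto[t[2]] = t[-1]
    return acls, pools, nats, crypto

def check(config):
    """Return findings; an empty list means policy PAT and the crypto ACL agree."""
    acls, pools, nats, crypto = parse(config)
    findings = []
    for nat_id, nat_acl in nats.items():
        pat = pools[nat_id]  # the single PAT address bound to this nat id
        for crypto_acl in crypto.values():
            if crypto_acl == nat_acl:
                findings.append(f"{nat_acl} serves as both policy-NAT and crypto ACL")
            aces = acls.get(crypto_acl, [])
            for src, dst in acls.get(nat_acl, []):
                # ASA translates before encrypting: the crypto ACL must match PAT IP -> host
                if not any(pat.subnet_of(s) and dst.subnet_of(d) for s, d in aces):
                    findings.append(f"translated flow {pat} -> {dst} is not in {crypto_acl} "
                                    f"(crypto ACL must use post-NAT addresses, not {src})")
    return findings
```

Running `check(CONFIG)` on the sample returns no findings; swapping the crypto ACL source for the real 10.10.10.0/24 produces one finding per remote host.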



Very helpful

Solved, Thanks a lot

Claudio