01-12-2012 12:00 PM
Hi,
I am configuring an S2S VPN; due to a limitation we have to use static NATting on one site. Please see the configuration. I think I am missing something.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
object-group network MAINSITE
network-object 10.0.0.0 255.0.0.0
object-group network LOCAL
network-object 192.168.1.0 255.255.255.0
access-list MAINSITE-I extended permit ip host 192.168.96.5 object-group MAINSITE
access-list MAINSITE-PolicyNAT extended permit ip object-group LOCAL object-group MAINSITE
access-list nonat extended permit ip host 192.168.96.5 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 2 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
Thanks.
Muhammad
01-12-2012 07:58 PM
I don't see your static NAT configuration, only your PAT configuration (minus the global statements - where are those?).
And describe more of what you're trying to do, please.
01-13-2012 12:36 PM
Hi
I am building a site-to-site VPN. One site will be using a single IP, 192.168.96.5, for all VPN traffic; for example, SiteA (1.1.1.1) will be sending VPN traffic as 192.168.96.5/32.
I have to use this statement:
static (inside,outside) 192.168.96.5 access-list MAINSITE-PolicyNAT
but it's not accepted; it gives an error saying "global address overlaps with mask".
Thanks.
01-14-2012 08:00 PM
What firewall are you using for this VPN (model/version)?
If you're trying to NAT 1.1.1.0/24 network to 192.168.96.5, you'll need to remove your statements:
access-list nonat extended permit ip host 192.168.96.5 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat
"nat (inside) 0" negates your translations for the 'nonat' ACL.
If you're wanting to 'PAT' hosts from SiteA on the 1.1.1.0/24 network to 10.0.0.0/8 network (MAINSITE), with 192.168.96.5/32 as your source, then you'll need a statement like:
object-group network MAINSITE
network-object 10.0.0.0 255.0.0.0
object-group network SITE_A
network-object 1.1.1.0 255.255.255.0
access-list SITE_A_NAT extended permit ip object-group SITE_A object-group MAINSITE
nat (inside) 2 access-list SITE_A_NAT
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 2 192.168.96.5 netmask 255.255.255.255
or
global (outside) 2 interface
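A small Python model of the pre-8.3 ASA NAT lookup order the reply relies on (NAT exemption checked first, then policy NAT, then regular NAT by ID), added here as an illustration; it is not part of the thread or of any Cisco code. The ACLs, NAT IDs and global addresses are constructed from the thread's values (the policy source is taken as the inside network 192.168.1.0/24, and "global 1" is assumed to be the outside interface address), and the nonat entry is evaluated against the real inside source so you can see when an exemption overrides the PAT.

```python
import ipaddress

# Constructed model of pre-8.3 ASA NAT matching for flows leaving "inside":
#   tier 1: NAT exemption  nat (inside) 0 access-list ...   -> no translation
#   tier 2: policy NAT     nat (inside) <id> access-list ... -> global for <id>
#   tier 3: regular NAT    nat (inside) <id> <net> <mask>    -> global for <id>
# Simplification (assumed): first matching rule within a tier wins; static NAT not modelled.

def net(s):
    return ipaddress.ip_network(s, strict=False)

# ACLs as lists of (source, destination) networks; values constructed from the thread.
ACLS = {
    "SITE_A_NAT": [(net("192.168.1.0/24"), net("10.0.0.0/8"))],
    "nonat": [(net("192.168.96.5/32"), net("10.0.0.0/8"))],
}
# (tier, nat id, matcher) in configured order; matcher is an ACL name or a network.
NAT_RULES = [
    ("exempt", 0, ("acl", "nonat")),
    ("policy", 2, ("acl", "SITE_A_NAT")),
    ("regular", 1, ("net", net("0.0.0.0/0"))),
]
# global (outside) 2 192.168.96.5 netmask 255.255.255.255 ; global (outside) 1 interface (assumed 1.1.1.1)
GLOBALS = {2: "192.168.96.5", 1: "1.1.1.1"}

def acl_matches(acls, name, src, dst):
    return any(src in s and dst in d for s, d in acls[name])

def translate(src_ip, dst_ip, rules=NAT_RULES, acls=ACLS, globals_=GLOBALS):
    """Return the source address the flow carries on the outside, or None if no rule matched."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for tier in ("exempt", "policy", "regular"):
        for t, nat_id, (kind, arg) in rules:
            if t != tier:
                continue
            hit = acl_matches(acls, arg, src, dst) if kind == "acl" else src in arg
            if hit:
                # exemption keeps the original address; otherwise use the matching global pool
                return str(src) if tier == "exempt" else globals_[nat_id]
    return None

if __name__ == "__main__":
    print(translate("192.168.1.50", "10.0.0.5"))   # VPN traffic -> 192.168.96.5
    print(translate("192.168.1.50", "198.51.100.7"))  # other traffic -> outside address
```

Passing a nonat ACL that covers 192.168.1.0/24 instead of the host 192.168.96.5 makes the exemption tier win, and the flow toward 10.0.0.0/8 leaves untranslated, which is the effect the reply warns about.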
01-16-2012 12:30 PM
Thanks cflory. One more question. I am using an ASA 5505.
If I am sitting on the main site, how can I access a device on the remote site, 192.168.1.50, which is PATed in the VPN tunnel to 192.168.96.5/32?