03-01-2011 09:46 AM
We're running 8.3(2) in the ASA5540. Users all over our enterprise connect to a business partner's application through the ASA/VPN. We have a class-b address space, and since the users are spread out all over the place, I have the entire class-b space as the local object in the ACL that allows traffic through the VPN tunnel.
The business partner has concerns that our entire address space is available to access the VPN tunnel. So I thought, to help alleviate their concerns, to PAT all of our connections outbound to a single IP address.
How is this done in 8.3(2)? We use ASDM to configure the 5540. For example, say our class-b is 159.12.0.0 and the PAT'd IP address will be 199.30.36.6.
03-01-2011 11:18 AM
You could try:
! real source: the whole class B
object-group network 159.12.0.0_VPN
 network-object 159.12.0.0 255.255.0.0
! mapped source: a single host entry, so all connections are PATed to it
object-group network 199.30.36.6_VPN_PAT
 network-object host 199.30.36.6
! partner network behind the tunnel (address and mask not given in the post)
object-group network remote_location
 network-object
nat (interface,interface) source dynamic 159.12.0.0_VPN 199.30.36.6_VPN_PAT destination static remote_location remote_location
I would give that a shot. You would be twice NATting it. (You would replace "interface","interface" with the actual interface names. You probably already knew that though.)
03-02-2011 07:03 AM
nat (interface,interface) source dynamic 159.12.0.0_VPN 199.30.36.6_VPN_PAT destination static remote_location remote_location
Is (interface,interface) (outside,inside) or (inside,outside)? Thanks.
03-02-2011 07:12 AM
Is (interface,interface) (outside,inside) or (inside,outside)?
If the traffic is coming from the inside interface to the outside, then (inside,outside).
It depends on where the traffic is coming from and going to.
03-02-2011 07:58 AM
One last question if you please.
At the end of the command statement, you have: "...destination static remote_location remote_location"
Why is 'remote_location' down twice?
03-02-2011 08:07 AM
Because it's twice NAT.
So with twice NAT you can NAT both the source and the destination traffic. Since we aren't NATting the destination, we need to specify it to stay the same.
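The following is an added, complete configuration for the scenario discussed in this thread (it is not from any of the posters): the twice NAT rule from the accepted answer with the interface order and the repeated destination object filled in, plus the change to the crypto ACL that the PAT actually requires, since the ASA matches the interesting-traffic ACL against post-NAT addresses. The interface names "inside" and "outside", the partner network 10.200.0.0/24, the object, ACL and crypto map names, the partner host 10.200.0.10 and the peer 203.0.113.1 are assumptions for illustration; the rest of the crypto map entry (peer, transform set) is assumed to already exist.

```cisco
! Added example, not from the original thread. Interface names, the partner
! network 10.200.0.0/24, object/ACL/crypto map names and the peer address
! are assumptions.

! Real source (the class B) and mapped source (a single host entry = PAT)
object-group network LOCAL_CLASS_B
 network-object 159.12.0.0 255.255.0.0
object-group network PAT_199_30_36_6
 network-object host 199.30.36.6

! Partner network behind the tunnel (assumed)
object-group network PARTNER_NET
 network-object 10.200.0.0 255.255.255.0

! Twice NAT rule. (inside,outside) because the traffic enters on inside and
! leaves on outside. "1" inserts it at line 1 of section 1 so it is evaluated
! before any broader identity/NAT-exempt rule for 159.12.0.0/16 that would
! otherwise win. The destination object appears twice (mapped, then real)
! because the destination is not translated; only the source is PATed, and
! only when the destination is PARTNER_NET.
nat (inside,outside) 1 source dynamic LOCAL_CLASS_B PAT_199_30_36_6 destination static PARTNER_NET PARTNER_NET

! The crypto ACL is evaluated after NAT, so the local side of the interesting
! traffic must now be the PAT address, not the /16. This is what actually
! narrows the proxy IDs the partner sees; the partner's mirror ACL must be
! changed to match (remote = host 199.30.36.6).
access-list VPN_PARTNER extended permit ip host 199.30.36.6 object-group PARTNER_NET
crypto map OUTSIDE_MAP 10 match address VPN_PARTNER

! Verification (partner host 10.200.0.10:443 is assumed):
!   show nat                           -> translate_hits on the new rule increment
!   show xlate | include 199.30.36.6   -> PAT entries for active connections
!   packet-tracer input inside tcp 159.12.1.10 40000 10.200.0.10 443
!       -> NAT phase should show the rule above and the VPN phase should
!          match VPN_PARTNER; if the NAT phase shows an older identity rule,
!          the new rule is ordered after it and must be moved up.
```

Two caveats a practitioner should keep in mind. First, the NAT rule alone does not change what the partner sees in the tunnel negotiation; until the crypto ACL on both ends refers to 199.30.36.6, the proxy IDs still carry the /16 and the PATed packets may simply fail to match the tunnel. Second, once every user appears as one address, the partner loses the ability to distinguish or audit individual source hosts, so any per-host restrictions or logging on their side have to move to your side of the tunnel (for example, a tighter ACL on which parts of 159.12.0.0/16 may reach PARTNER_NET at all).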