snowdog_2112
asked on
Cisco ASA 5505 8.4 vpn tunnel with NAT issue

I have a PIX 515 and an ASA 5505 (8.4 code).  The PIX is currently working with a tunnel to a 3rd party vendor. I need to replicate the function on the ASA (new ISP link).

The unusual bit in the PIX VPN config is the inside LAN is NAT'd to one of the PUBLIC IPs before it goes into the tunnel - i.e., traffic from my LAN comes out on the remote side as a single PUBLIC IP from my public IP space.

I'm not sure how to do the same in the ASA 8.4 code.

From the working PIX:
My internal network space is NAT'd to 66.x.y.119 by the "nat/global 2".

crypto map vpn_map 10 ipsec-isakmp
crypto map vpn_map 10 match address acl_east
crypto map vpn_map 10 set peer 63.y.y.214
crypto map vpn_map 10 set transform-set xform_set

access-list vendor_nat permit ip 192.168.0.0 255.255.252.0 199.x.x.0 255.255.255.0

access-list acl_east permit ip host 66.x.y.119 199.x.x.0 255.255.255.0
nat (inside) 2 access-list vendor_nat 0 0

global (outside) 2 66.x.y.119
ASKER CERTIFIED SOLUTION
anoopkmr
snowdog_2112 (ASKER)
Worked like a champ.  I had used the internal LAN subnet in the crypto ACL, instead of the NAT'd public IP.  I also changed my "nat (inside,outside)" from static to dynamic:

NAT:
nat (inside,outside) source dynamic Obj_Lan_1 Obj_66.x.y.119 destination static Obj_199.x.x.0_1 Obj_199.x.x.0_1

for the ACL -
I had:
access-list vendor_vpn permit ip 192.168.1.0 255.255.255.0 object Obj_199.x.x.0_1

Changed (added, actually - just in case):
access-list vendor_vpn permit ip object Obj_66.x.y.119 object Obj_199.x.x.0_1
access-list vendor_vpn permit ip 192.168.1.0 255.255.255.0 object Obj_199.x.x.0_1

As soon as I added the line to the ACL, the tunnel lit up!
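For anyone following along, here is the complete ASA 8.4 translation of the PIX policy NAT above, written as an added example rather than taken from the thread or the accepted solution. The object definitions, the LAN subnet (taken from the PIX vendor_nat ACL), and the ikev1 crypto-map lines are assumptions; the addresses are the thread's obfuscated ones and have to be replaced.

```cisco
! Inside LAN hosts (what the PIX "nat (inside) 2 access-list vendor_nat" matched)
object network Obj_Lan_1
 subnet 192.168.0.0 255.255.252.0
! The single public address the LAN is hidden behind inside the tunnel
! (what the PIX "global (outside) 2 66.x.y.119" supplied)
object network Obj_66.x.y.119
 host 66.x.y.119
! The vendor network reachable through the tunnel
object network Obj_199.x.x.0_1
 subnet 199.x.x.0 255.255.255.0
!
! Twice (manual) NAT: only LAN traffic destined to the vendor subnet is
! translated, to 66.x.y.119 (dynamic PAT); the destination is kept as-is
! ("destination static" with the same object on both sides).
! Manual NAT is evaluated before any object (auto) NAT, so a general
! "nat (inside,outside) dynamic interface" on Obj_Lan_1 does not override it.
nat (inside,outside) source dynamic Obj_Lan_1 Obj_66.x.y.119 destination static Obj_199.x.x.0_1 Obj_199.x.x.0_1
!
! Crypto ACL: NAT runs before the crypto map is consulted, so the ACL must
! match the POST-NAT source (the public host), not the 192.168 LAN subnet.
! That is exactly the mismatch the asker hit.
access-list acl_east extended permit ip object Obj_66.x.y.119 object Obj_199.x.x.0_1
!
! Crypto map: same as the PIX, except 8.4 needs the "ikev1" keyword on the
! transform-set line. xform_set is assumed to be defined as on the PIX.
crypto map vpn_map 10 match address acl_east
crypto map vpn_map 10 set peer 63.y.y.214
crypto map vpn_map 10 set ikev1 transform-set xform_set
crypto map vpn_map interface outside
!
! To check: "show nat detail" should show translate_hits climbing on the
! manual NAT line, and "show crypto ipsec sa" should list a local ident of
! 66.x.y.119/255.255.255.255 against remote ident 199.x.x.0/255.255.255.0.
```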