Cisco ASA 5505 8.4 vpn tunnel with NAT issue

I have a PIX 515 and an ASA 5505 (8.4 code). The PIX is currently working with a tunnel to a 3rd-party vendor. I need to replicate the function on the ASA (new ISP link).

The unusual bit in the PIX VPN config is that the inside LAN is NAT'd to one of the PUBLIC IPs before it goes into the tunnel - i.e., traffic from my LAN comes out on the remote side as a single PUBLIC IP from my public IP space.

I'm not sure how to do the same in the ASA 8.4 code.

From the working PIX (my internal network space is NAT'd to 66.x.y.119 by the "nat/global 2" pair):

crypto map vpn_map 10 ipsec-isakmp
crypto map vpn_map 10 match address acl_east
crypto map vpn_map 10 set peer 63.y.y.214
crypto map vpn_map 10 set transform-set xform_set

access-list vendor_nat permit ip 192.168.0.0 255.255.252.0 199.x.x.0 255.255.255.0

access-list acl_east permit ip host 66.x.y.119 199.x.x.0 255.255.255.0

nat (inside) 2 access-list vendor_nat 0 0

global (outside) 2 66.x.y.119
snowdog_2112 Asked:

anoopkmr Commented:
Please try it like this in ASA 8.4:

object network Obj_199.x.x.0_1
subnet 199.x.x.0 255.255.255.0

object network 0bj_66.x.y.119
host 66.x.y.119

object network Obj_Lan_1
subnet 192.168.0.0 255.255.252.0

nat (inside,outside) source dynamic Obj_Lan_1 0bj_66.x.y.119 destination Obj_199.x.x.0_1 Obj_199.x.x.0_1

Optional: if static NAT is required, use the command below instead:

nat (inside,outside) source static Obj_Lan_1 0bj_66.x.y.119 destination Obj_199.x.x.0_1 Obj_199.x.x.0_1
snowdog_2112 (Author) Commented:
Worked like a champ. I had used the internal LAN subnet in the crypto ACL, instead of the NAT'd public IP. I also changed my "nat (inside,outside)" from static to dynamic:

NAT:
nat (inside,outside) source dynamic Obj_Lan_1 0bj_66.x.y.119 destination Obj_199.x.x.0_1 Obj_199.x.x.0_1

For the ACL, I had:
access-list vendor_vpn permit ip 192.168.1.0 255.255.255.0 obj_199.x.x.0

Changed (added, actually, just in case):
access-list vendor_vpn permit ip object obj_66.x.x.119 object obj_199.x.x.0
access-list vendor_vpn permit ip 192.168.1.0 255.255.255.0 object obj_199.x.x.0

As soon as I added the line to the ACL, the tunnel lit up!
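The reason the second ACL line "lit up" the tunnel is that the ASA applies NAT before it evaluates the crypto map, so the crypto ACL must match the post-NAT source (the public host), not the inside subnet. The following is an added Python model of that order of operations, not part of the thread or any Cisco tooling; it uses RFC 5737 documentation addresses as constructed stand-ins for the masked 66.x.y.119 and 199.x.x.0/24 values on the page.

```python
import ipaddress

# Constructed stand-ins for the masked addresses in the thread:
#   192.0.2.119     ~ 66.x.y.119  (public NAT address)
#   198.51.100.0/24 ~ 199.x.x.0/24 (vendor network behind the tunnel)
LAN = "192.168.0.0/22"
PUBLIC_HOST = "192.0.2.119"
VENDOR = "198.51.100.0/24"

# One twice-NAT rule, modelling:
#   nat (inside,outside) source dynamic Obj_Lan_1 <public> destination <vendor> <vendor>
NAT_RULES = [{"real_src": LAN, "mapped_src": PUBLIC_HOST, "dst": VENDOR}]

# Crypto ACLs: the one the author had first (inside subnet) and the fixed one (NAT'd host).
CRYPTO_ACL_WRONG = [("192.168.1.0/24", VENDOR)]
CRYPTO_ACL_RIGHT = [(PUBLIC_HOST + "/32", VENDOR)]


def translate(src, dst, rules):
    """Apply the first matching twice-NAT rule; return the (src, dst) the crypto map sees."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in ipaddress.ip_network(rule["real_src"]) and d in ipaddress.ip_network(rule["dst"]):
            return rule["mapped_src"], dst  # source rewritten, destination unchanged
    return src, dst  # no policy-NAT match: packet leaves untranslated


def matches_crypto_acl(src, dst, acl):
    """True if any crypto ACL entry permits this (src, dst) pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) for a, b in acl)


def will_encrypt(src, dst, rules, acl):
    """NAT runs first on the ASA, then the crypto map is matched on the translated packet."""
    post_src, post_dst = translate(src, dst, rules)
    return matches_crypto_acl(post_src, post_dst, acl)


if __name__ == "__main__":
    flow = ("192.168.1.10", "198.51.100.5")
    print("inside-subnet ACL encrypts:", will_encrypt(*flow, NAT_RULES, CRYPTO_ACL_WRONG))
    print("NAT'd-host ACL encrypts:  ", will_encrypt(*flow, NAT_RULES, CRYPTO_ACL_RIGHT))
```

Swapping the "x" placeholders for real addresses lets you sanity-check a proposed NAT rule and crypto ACL pair before touching the box; the model ignores NAT exemption, rule ordering beyond first match, and per-interface details.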