Asked by snowdog_2112

Cisco ASA 5505 8.4 vpn tunnel with NAT issue

I have a PIX 515 and an ASA 5505 (8.4 code).  The PIX is currently working with a tunnel to a 3rd party vendor. I need to replicate the function on the ASA (new ISP link).

The unusual bit in the PIX VPN config is that the inside LAN is NAT'd to one of the public IPs before it goes into the tunnel - i.e., traffic from my LAN comes out on the remote side as a single public IP from my public IP space.

I'm not sure how to do the same in the ASA 8.4 code.

From the working PIX:
My internal network space is NAT'd to 66.x.y.119 by the "nat/global 2"

crypto map vpn_map 10 ipsec-isakmp
crypto map vpn_map 10 match address acl_east
crypto map vpn_map 10 set peer 63.y.y.214
crypto map vpn_map 10 set transform-set xform_set

access-list vendor_nat permit ip 192.168.0.0 255.255.252.0 199.x.x.0 255.255.255.0

access-list acl_east permit ip host 66.x.y.119 199.x.x.0 255.255.255.0


nat (inside) 2 access-list vendor_nat 0 0

global (outside) 2 66.x.y.119

Last comment: snowdog_2112, 8/22/2022
Asker certified solution: anoopkmr (answer text not shown on this page)
Asker (snowdog_2112) replied:

Worked like a champ.  I had used the internal LAN subnet in the crypto ACL, instead of the NAT'd public IP.  I also changed my "nat (inside,outside)" from static to dynamic:

NAT:
nat (inside,outside) source dynamic Obj_Lan_1 Obj_66.x.y.119 destination static Obj_199.x.x.0_1 Obj_199.x.x.0_1

for the ACL -
I had:
access-list vendor_vpn permit ip 192.168.1.0 255.255.255.0 object obj_199.x.x.0

Changed (added, actually - just in case)
access-list vendor_vpn permit ip object Obj_66.x.y.119 object obj_199.x.x.0
access-list vendor_vpn permit ip 192.168.1.0 255.255.255.0 object obj_199.x.x.0

As soon as I added the line to the ACL, the tunnel lit up!
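Added example, not part of the original post or of the certified answer: a complete ASA 8.4 configuration for the pattern discussed in this thread, where the inside LAN is translated to a single public address with twice NAT before the traffic is matched by the crypto map. The object names, the IKEv1 policy, the transform-set ciphers and the tunnel-group are assumptions; the addresses are the redacted ones from the post, so the x/y octets must be filled in before any of this is pasted into a device.

```cisco
! --- Objects (names are assumptions) ---
object network Obj_Lan_1
 subnet 192.168.0.0 255.255.252.0
object network Obj_Vendor_Net
 subnet 199.x.x.0 255.255.255.0
object network Obj_66.x.y.119
 host 66.x.y.119

! --- Twice NAT (manual NAT, section 1) ---
! Only traffic from the LAN to the vendor network is translated; the
! destination is kept as-is ("destination static X X"). Because the mapped
! object is a single host, this is dynamic PAT: many LAN hosts share
! 66.x.y.119, exactly as "global (outside) 2 66.x.y.119" did on the PIX.
nat (inside,outside) source dynamic Obj_Lan_1 Obj_66.x.y.119 destination static Obj_Vendor_Net Obj_Vendor_Net

! --- Crypto ACL ---
! On 8.3+ NAT happens before the crypto map is consulted, so the ACL must
! match the mapped (post-NAT) source, not the real 192.168.x.x subnet.
access-list vendor_vpn extended permit ip object Obj_66.x.y.119 object Obj_Vendor_Net

! --- IKEv1 / IPsec (parameters are assumptions; match the vendor's side) ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

crypto ipsec ikev1 transform-set xform_set esp-aes-256 esp-sha-hmac

crypto map vpn_map 10 match address vendor_vpn
crypto map vpn_map 10 set peer 63.y.y.214
crypto map vpn_map 10 set ikev1 transform-set xform_set
crypto map vpn_map interface outside

tunnel-group 63.y.y.214 type ipsec-l2l
tunnel-group 63.y.y.214 ipsec-attributes
 ikev1 pre-shared-key <redacted>

! --- Verification (run from enable mode) ---
! packet-tracer input inside tcp 192.168.1.10 1025 199.x.x.10 443
!   -> the NAT phase should show the twice-NAT rule above and the VPN phase
!      should reference crypto map vpn_map 10; "Drop" with a NAT or VPN
!      reason means the crypto ACL and the NAT rule still disagree.
! show nat detail
! show crypto ikev1 sa
! show crypto ipsec sa peer 63.y.y.214
!   -> #pkts encaps and #pkts decaps both climbing means traffic flows both ways.
```

Two things to check when adapting this. First, manual NAT rules are first-match in order, so any identity NAT exemption already in section 1 that also covers Obj_Lan_1 to Obj_Vendor_Net (the usual `source static Obj_Lan_1 Obj_Lan_1 destination static ...` no-NAT rule for site-to-site tunnels) will win and send the real subnet into the crypto map, which is the symptom the asker described; either remove it or insert the dynamic rule above it with a lower line number. Second, because the mapped object is a single host, connections initiated from the vendor side to 66.x.y.119 have no translation to a LAN host and will fail, which matches the PIX behaviour but is worth stating to the vendor.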