?
Solved

Natting Configuration Help for Cisco ASA Site to Site VPN Tunnel

Posted on 2014-10-09
1
Medium Priority
?
630 Views
Last Modified: 2014-12-05
Hi ,

I am configuring site to site vpn tunnel for a client to access my office printer. They have ask me to NAT my printer IP (10.x.x.x) to Public ip (100.x.x.x) . In configuration details they had also given a Public Natted remote network.  

How to nat the pubilc ip to private ip ? below are the details :

my printer ip  : 10.10.10.59
client remote network : 100.14.0.0 /16
and client is asking to nat the printer ip to 100.12.10.89


Sample Configuration :

name 8.xx.xxx.x Client_Peer


object-group network my_office
network-object 10.10.10.59 255.255.255.0

object-group network Client
network-object 100.10.0.0 255.255.0.0


access-list  ISP-1_1_cryptomap extended permit ip object-group my_office object-group Client
access-list  LAN-1_nat0_outbound extended permit ip object-group my_office object-group Client

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac


crypto map ISP-1_map 1 match address ISP-1_1_cryptomap
crypto map ISP-1_map 1 set peer 8.xx.xxx.x
crypto map ISP-1_map 1 set transform-set ESP-3DES-MD5
crypto map ISP-1_map 1 set security-association lifetime seconds 28800


tunnel-group 8.xx.xxx.x type ipsec-l2l
tunnel-group 8.xx.xxx.x ipsec-attributes
pre-shared-key abc@123

then route the peer ip , remote network.
0
Comment
Question by:Swaroop Katargunde
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 2000 total points
ID: 40396056
Add the following in your config

access-list PNAT_Printer permit ip host 10.10.10.59 object-group Client
static (inside,outside) 100.12.10.89 access-list PNAT_Printer
access-list  ISP-1_1_cryptomap extended permit ip host 100.12.10.89 object-group Client
access-list  line 1 LAN-1_nat0_outbound extended deny ip host 10.10.10.59 object-group Client

In addition, you have mentioned in your question that the Client network is 100.14.0.0/16 whereas it is 100.10.0.0/16 in your config
0

Featured Post

Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
This program is used to assist in finding and resolving common problems with wireless connections.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question