Solved

Natting Configuration Help for Cisco ASA Site to Site VPN Tunnel

Posted on 2014-10-09
Last Modified: 2014-12-05
Hi,

I am configuring a site-to-site VPN tunnel for a client to access my office printer. They have asked me to NAT my printer IP (10.x.x.x) to a public IP (100.x.x.x). In the configuration details they have also given a public NATted remote network.

How do I NAT the public IP to the private IP? Below are the details:

My printer IP: 10.10.10.59
Client remote network: 100.14.0.0/16
The client is asking to NAT the printer IP to 100.12.10.89


Sample Configuration :

name 8.xx.xxx.x Client_Peer


object-group network my_office
network-object 10.10.10.59 255.255.255.0

object-group network Client
network-object 100.10.0.0 255.255.0.0


access-list  ISP-1_1_cryptomap extended permit ip object-group my_office object-group Client
access-list  LAN-1_nat0_outbound extended permit ip object-group my_office object-group Client

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac


crypto map ISP-1_map 1 match address ISP-1_1_cryptomap
crypto map ISP-1_map 1 set peer 8.xx.xxx.x
crypto map ISP-1_map 1 set transform-set ESP-3DES-MD5
crypto map ISP-1_map 1 set security-association lifetime seconds 28800


tunnel-group 8.xx.xxx.x type ipsec-l2l
tunnel-group 8.xx.xxx.x ipsec-attributes
pre-shared-key abc@123

Then route the peer IP, remote network.
Question by:Swaroop Katargunde
Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 40396056
Add the following to your config:

access-list PNAT_Printer permit ip host 10.10.10.59 object-group Client
static (inside,outside) 100.12.10.89 access-list PNAT_Printer
access-list  ISP-1_1_cryptomap extended permit ip host 100.12.10.89 object-group Client
access-list LAN-1_nat0_outbound line 1 extended deny ip host 10.10.10.59 object-group Client

In addition, you have mentioned in your question that the Client network is 100.14.0.0/16, whereas it is 100.10.0.0/16 in your config.
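
Added example, not part of the answer above and not Cisco code: a small Python model of how the four added lines interact with the posted config. It assumes the pre-8.3 ASA order in which the NAT exemption ACL is checked before policy static NAT, that LAN-1_nat0_outbound is bound by a `nat 0` statement not shown in the thread, and that the crypto ACL is matched against the translated source; the function names are hypothetical.

```python
import ipaddress as ip

# Addresses are the ones posted in the thread; the evaluation order is assumed.
PRINTER = ip.ip_network("10.10.10.59/32")
MAPPED = ip.ip_network("100.12.10.89/32")
# my_office exactly as posted (10.10.10.59 255.255.255.0), host bits masked off
MY_OFFICE = ip.ip_network("10.10.10.59/255.255.255.0", strict=False)

def first_match(acl, src, dst):
    """Action of the first ACE matching (src, dst); implicit deny otherwise."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def build(client, with_answer):
    """Return (nat0 ACL, policy-static ACL, crypto ACL) for one config variant."""
    nat0 = [("permit", MY_OFFICE, client)]         # LAN-1_nat0_outbound
    pnat = []                                      # PNAT_Printer
    crypto = [("permit", MY_OFFICE, client)]       # ISP-1_1_cryptomap
    if with_answer:
        nat0.insert(0, ("deny", PRINTER, client))  # the "line 1" deny
        pnat.append(("permit", PRINTER, client))
        crypto.append(("permit", MAPPED, client))
    return nat0, pnat, crypto

def trace(src, dst, client="100.10.0.0/16", with_answer=True):
    """Return (source address leaving the ASA, selected by crypto map?)."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    nat0, pnat, crypto = build(ip.ip_network(client), with_answer)
    out = src
    exempt = first_match(nat0, src, dst) == "permit"
    if not exempt and first_match(pnat, src, dst) == "permit":
        out = MAPPED.network_address               # static policy NAT applied
    return str(out), first_match(crypto, out, dst) == "permit"

if __name__ == "__main__":
    cases = [
        ("posted config only", "100.10.5.5", "100.10.0.0/16", False),
        ("with the answer", "100.10.5.5", "100.10.0.0/16", True),
        ("answer, dst in 100.14/16", "100.14.5.5", "100.10.0.0/16", True),
        ("answer, Client = 100.14/16", "100.14.5.5", "100.14.0.0/16", True),
    ]
    for label, dst, client, ans in cases:
        print(f"{label:28} {trace('10.10.10.59', dst, client, ans)}")
```

The third case is the mismatch pointed out above: with Client left as 100.10.0.0/16, printer traffic to 100.14.0.0/16 is neither translated nor selected for the tunnel.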