Natting Configuration Help for Cisco ASA Site to Site VPN Tunnel

Hi ,

I am configuring site to site vpn tunnel for a client to access my office printer. They have ask me to NAT my printer IP (10.x.x.x) to Public ip (100.x.x.x) . In configuration details they had also given a Public Natted remote network.  

How to nat the pubilc ip to private ip ? below are the details :

my printer ip  : 10.10.10.59
client remote network : 100.14.0.0 /16
and client is asking to nat the printer ip to 100.12.10.89


Sample Configuration :

name 8.xx.xxx.x Client_Peer


object-group network my_office
network-object 10.10.10.59 255.255.255.0

object-group network Client
network-object 100.10.0.0 255.255.0.0


access-list  ISP-1_1_cryptomap extended permit ip object-group my_office object-group Client
access-list  LAN-1_nat0_outbound extended permit ip object-group my_office object-group Client

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac


crypto map ISP-1_map 1 match address ISP-1_1_cryptomap
crypto map ISP-1_map 1 set peer 8.xx.xxx.x
crypto map ISP-1_map 1 set transform-set ESP-3DES-MD5
crypto map ISP-1_map 1 set security-association lifetime seconds 28800


tunnel-group 8.xx.xxx.x type ipsec-l2l
tunnel-group 8.xx.xxx.x ipsec-attributes
pre-shared-key abc@123

then route the peer ip , remote network.
Swaroop KatargundeSr. Executive - Network EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Alan Huseyin KayahanCommented:
Add the following in your config

access-list PNAT_Printer permit ip host 10.10.10.59 object-group Client
static (inside,outside) 100.12.10.89 access-list PNAT_Printer
access-list  ISP-1_1_cryptomap extended permit ip host 100.12.10.89 object-group Client
access-list  line 1 LAN-1_nat0_outbound extended deny ip host 10.10.10.59 object-group Client

In addition, you have mentioned in your question that the Client network is 100.14.0.0/16 whereas it is 100.10.0.0/16 in your config
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Internet Protocol Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.