Solved

Natting Configuration Help for Cisco ASA Site to Site VPN Tunnel

Posted on 2014-10-09
Last Modified: 2014-12-05
Hi,

I am configuring a site-to-site VPN tunnel for a client to access my office printer. They have asked me to NAT my printer IP (10.x.x.x) to a public IP (100.x.x.x). In the configuration details they had also given a public NATted remote network.

How do I NAT the public IP to the private IP? Below are the details:

my printer ip  : 10.10.10.59
client remote network : 100.14.0.0 /16
and client is asking to nat the printer ip to 100.12.10.89


Sample Configuration :

name 8.xx.xxx.x Client_Peer


object-group network my_office
network-object 10.10.10.59 255.255.255.0

object-group network Client
network-object 100.10.0.0 255.255.0.0


access-list  ISP-1_1_cryptomap extended permit ip object-group my_office object-group Client
access-list  LAN-1_nat0_outbound extended permit ip object-group my_office object-group Client

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac


crypto map ISP-1_map 1 match address ISP-1_1_cryptomap
crypto map ISP-1_map 1 set peer 8.xx.xxx.x
crypto map ISP-1_map 1 set transform-set ESP-3DES-MD5
crypto map ISP-1_map 1 set security-association lifetime seconds 28800


tunnel-group 8.xx.xxx.x type ipsec-l2l
tunnel-group 8.xx.xxx.x ipsec-attributes
pre-shared-key abc@123

Then route the peer IP, remote network.
Question by: Swaroop Katargunde

Accepted Solution

by: Alan Huseyin Kayahan earned 500 total points
ID: 40396056
Add the following in your config

access-list PNAT_Printer permit ip host 10.10.10.59 object-group Client
static (inside,outside) 100.12.10.89 access-list PNAT_Printer
access-list  ISP-1_1_cryptomap extended permit ip host 100.12.10.89 object-group Client
access-list LAN-1_nat0_outbound line 1 extended deny ip host 10.10.10.59 object-group Client

In addition, you have mentioned in your question that the Client network is 100.14.0.0/16, whereas it is 100.10.0.0/16 in your config.
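
Why each of the answer's lines is needed, as an added example that is not part of the original thread: a simplified Python model of pre-8.3 ASA egress processing, in which NAT exemption is checked before policy static NAT and the crypto ACL is matched against the translated source. The destination host 100.10.5.20 and all function names are constructed for illustration; the Client network follows the posted config (100.10.0.0/16).

```python
from ipaddress import ip_address, ip_network

# Values from the thread; 100.10.5.20 below is a constructed client host.
MY_OFFICE = ip_network("10.10.10.59/255.255.255.0", strict=False)  # masks to 10.10.10.0/24
CLIENT = ip_network("100.10.0.0/16")
PRINTER = ip_network("10.10.10.59/32")
MAPPED = ip_address("100.12.10.89")

def first_match(acl, src, dst):
    """Return the action of the first ACE matching src/dst, or None (implicit deny)."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return None

def egress(src, dst, nat0_acl, policy_static, crypto_acl):
    """Model: NAT exemption first, then policy static NAT, then the crypto ACL."""
    src, dst = ip_address(src), ip_address(dst)
    out_src = src  # stays the real address if exempted or if no static matches
    if first_match(nat0_acl, src, dst) != "permit":
        for mapped, acl in policy_static:
            if first_match(acl, src, dst) == "permit":
                out_src = mapped
                break
    encrypted = first_match(crypto_acl, out_src, dst) == "permit"
    return str(out_src), encrypted

# ACLs as posted in the question.
NAT0_BEFORE = [("permit", MY_OFFICE, CLIENT)]
CRYPTO_BEFORE = [("permit", MY_OFFICE, CLIENT)]
# ACLs after the accepted answer's four lines.
PNAT_PRINTER = [("permit", PRINTER, CLIENT)]
NAT0_AFTER = [("deny", PRINTER, CLIENT)] + NAT0_BEFORE  # deny inserted at line 1
CRYPTO_AFTER = CRYPTO_BEFORE + [("permit", ip_network("100.12.10.89/32"), CLIENT)]
STATICS = [(MAPPED, PNAT_PRINTER)]

def scenarios(dst="100.10.5.20"):
    """(source address on the wire, matched by crypto ACL) for each configuration."""
    return {
        "before": egress("10.10.10.59", dst, NAT0_BEFORE, [], CRYPTO_BEFORE),
        "after": egress("10.10.10.59", dst, NAT0_AFTER, STATICS, CRYPTO_AFTER),
        "no_deny": egress("10.10.10.59", dst, NAT0_BEFORE, STATICS, CRYPTO_AFTER),
        "no_crypto_ace": egress("10.10.10.59", dst, NAT0_AFTER, STATICS, CRYPTO_BEFORE),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:14s} {result}")
```

Without the deny line the printer is still NAT-exempted and enters the tunnel with its real address; without the extra crypto ACL entry the translated packet matches no crypto map entry and is not encrypted.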