ccfcfc
Cisco ASA PIX Multiple NAT Statements
I have a host on which I have IIS running and it therefore needs to be publicly accessible on TCP80/443.
I now also need this host to be accessible over an IPSec VPN tunnel, also on TCP80/443.
The remote end requires me to source NAT my host and I therefore need the following.
1. Host A NATs to public IP x.x.x.x under normal circumstances.
2. Host A NATs to private IP y.y.y.y only when passing traffic over the IPSec tunnel.
How do I configure this?
I originally had a static NAT statement mapping host A to y.y.y.y. If I try to add a second NAT statement using an ACL which specifies host A and the remote subnets, I get an overlap error.
If I remove both statements and enter the NAT statement with the ACL first, followed by the statement mapping host A to y.y.y.y, I get the same error.
How can I configure it to NAT to different IP addresses based on different destinations?
TIA
ASKER
The remote side has imposed a subnet on us.
We need to NAT to addresses within this subnet that they have provided us for traffic going over the IPSec tunnel to meet with their addressing requirements, so I don't have the option of not doing this.
There isn't any logging to show yet as when I try to enter the second NAT statement I get the error message about an overlap.
You need to configure an access-list (NAT exemption) and apply it to your NAT statement so that the IP addresses or subnets listed in the ACL are exempt from the NAT.
The configuration is different for 8.2 and earlier and 8.3 and later.
ASKER
NAT exemption is what I would normally be applying to traffic passing over an IPSec tunnel.
This isn't NAT exemption - the third party at the remote side is dictating the address that I need to NAT my side to. I cannot just NAT exempt it to use my private IP addresses - I have to NAT it to the addresses that I have been provided.
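As an added example (not the certified solution, which is not shown on this page, and not the asker's or Cisco's own configuration): the requirement above is destination-based policy NAT rather than NAT exemption, so host A is translated to the provider-assigned address only for traffic to the remote VPN subnet and to the public address for everything else. Both syntaxes that the reply above distinguishes are shown, pre-8.3 policy static NAT and 8.3+ twice (manual) NAT. All addresses, object and ACL names are constructed placeholders: 10.1.1.10 stands in for host A's real address, 203.0.113.10 for x.x.x.x, 172.16.99.10 for y.y.y.y and 192.168.50.0/24 for the remote end's subnet.

```cisco
! ===== ASA 8.3 and later: twice (manual) NAT plus object NAT =====
! Constructed placeholder addresses; replace with your own.
object network HOST_A
 host 10.1.1.10
object network HOST_A_PUBLIC
 host 203.0.113.10
object network HOST_A_VPN
 host 172.16.99.10
object network REMOTE_VPN_NET
 subnet 192.168.50.0 255.255.255.0
!
! Twice NAT (section 1) is evaluated before object NAT (section 2), so this
! rule wins only when host A talks to the remote VPN subnet; the destination
! clause is what makes the translation conditional.
nat (inside,outside) source static HOST_A HOST_A_VPN destination static REMOTE_VPN_NET REMOTE_VPN_NET
!
! Object NAT for every other destination: host A appears as the public IP.
object network HOST_A
 nat (inside,outside) static HOST_A_PUBLIC
!
! From 8.3 on, interface ACLs match the real (untranslated) address.
access-list OUTSIDE_IN extended permit tcp any object HOST_A eq 80
access-list OUTSIDE_IN extended permit tcp any object HOST_A eq 443
access-group OUTSIDE_IN in interface outside
!
! The crypto ACL must reference the translated address the remote end expects.
access-list VPN_CRYPTO extended permit ip object HOST_A_VPN object REMOTE_VPN_NET

! ===== ASA 8.2 and earlier: policy static NAT plus regular static =====
! ACL naming the real host and the remote subnet selects the policy translation.
access-list HOST_A_VPN_NAT extended permit ip host 10.1.1.10 192.168.50.0 255.255.255.0
! Policy static: host A becomes 172.16.99.10 only toward the remote subnet.
! Enter it before the regular static; statics are matched in configuration order.
static (inside,outside) 172.16.99.10 access-list HOST_A_VPN_NAT
! Regular static for all other destinations: host A becomes the public IP.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
! Before 8.3, interface ACLs match the translated (mapped) address.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
access-list VPN_CRYPTO extended permit ip host 172.16.99.10 192.168.50.0 255.255.255.0

! ===== Verification (either version) =====
! Confirm which translation is chosen for a VPN-bound flow versus an Internet-bound one
! (192.168.50.5 and 198.51.100.7 are constructed test destinations):
! packet-tracer input inside tcp 10.1.1.10 80 192.168.50.5 40000
! packet-tracer input inside tcp 10.1.1.10 80 198.51.100.7 40000
! The NAT phase of each trace should report 172.16.99.10 and 203.0.113.10 respectively.
! show xlate | include 10.1.1.10
```

The check worth doing before handing the addresses to the third party is the two packet-tracer runs: they show which NAT rule matched and prove the provider-assigned address is used only toward the remote subnet, so the real or public address never leaks into the tunnel and the crypto ACL (which matches post-NAT addresses) agrees with what the remote peer has in its own policy. Keep the twice NAT or policy ACL scoped to the remote subnet only; a rule without a destination clause would translate host A to the private VPN address for Internet traffic as well.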
ASKER CERTIFIED SOLUTION
Why did you feel you needed to NAT the IPSec? As long as you enable Reverse routing, it will forward those packets out the same interface. The ACL you configure as required but what happens to the remote network with the NAT statement removed? Is the tunnel configured to pass that traffic across? Can you show any logs?