Policy Nat - ASA - 8.2 to 9.8

896 Views
Last Modified: 2017-12-02
I recently upgraded from a 5505 to a 5508 and due to the new IOS, part of my configuration no longer works. We deal with a 3rd party vendor that requires VPN traffic to come from a specific subnet. So I set up a policy NAT to mask our private IP. Here are both configurations. I am certain I missed something. Thoughts?

ASA Version 8.2(1)

access-list inside_nat2_outbound extended permit ip 10.57.1.0 255.255.255.0 x.x.x.x 255.255.252.0
access-list inside_nat2_outbound extended permit ip 10.224.166.112 255.255.255.240 x.x.x.x 255.255.252.0
access-list outside_7_cryptomap extended permit ip 10.57.1.0 255.255.255.0 x.x.x.x 255.255.252.0
access-list outside_7_cryptomap extended permit ip 10.224.166.112 255.255.255.240 x.x.x.x 255.255.252.0
access-list inside_nat10_outbound extended permit ip any any

global (outside) 2 10.224.166.112
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat2_outbound
nat (inside) 10 access-list inside_nat10_outbound

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set peer X.X.X.X
crypto map outside_map 7 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *
ASA Version 9.8(1)

object network lan
 subnet 10.57.2.0 255.255.255.0
object network masked
 subnet 10.224.166.112 255.255.255.240
object network vendor-lan
 subnet x.x.x.x 255.255.252.0

access-list outside_4_cryptomap extended permit ip object lan object vendor-lan
access-list outside_4_cryptomap extended permit ip object masked object vendor-lan

nat (inside,outside) source static lan lan destination static vendor-lan vendor-lan
nat (inside,outside) source static masked masked destination static vendor-lan vendor-lan

object network masked
 nat (inside,outside) dynamic interface

crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer X.X.X.X
crypto map outside_map 4 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 ikev1 pre-shared-key *
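Added example, not the asker's configuration and not the locked Experts Exchange answer: an ASA 9.x twice-NAT fragment that reproduces the 8.2 behaviour shown above, where hosts in "lan" appear to the vendor as 10.224.166.112 only when they talk to "vendor-lan", next to the identity form that does not translate. It assumes the 8.2 behaviour (a single PAT address, as in "global (outside) 2") is the goal, keeps x.x.x.x as the vendor prefix placeholder from the question, and the object name masked-pat is introduced here.

```cisco
! Added example (not from the question or its answer).
! Assumption: target is the 8.2 behaviour: lan hosts appear as
! 10.224.166.112 to vendor-lan; x.x.x.x is the vendor prefix placeholder.
object network lan
 subnet 10.57.2.0 255.255.255.0
object network vendor-lan
 subnet x.x.x.x 255.255.252.0
object network masked-pat
 host 10.224.166.112
!
! Identity form (what "source static lan lan destination static
! vendor-lan vendor-lan" does): lan->vendor-lan is matched by this rule
! and left untranslated, so nothing ever leaves as 10.224.166.112.
!   nat (inside,outside) source static lan lan destination static vendor-lan vendor-lan
!
! Policy PAT form: only lan->vendor-lan traffic is translated to the host
! in masked-pat; other lan traffic keeps whatever NAT it already has.
! Twice-NAT rules are first-match in order, so place this before any
! identity rule for the same flow.
nat (inside,outside) source dynamic lan masked-pat destination static vendor-lan vendor-lan
!
! The crypto ACL is evaluated after NAT, so it must match the translated
! (mapped) source, not the real 10.57.2.0/24.
access-list outside_4_cryptomap extended permit ip object masked-pat object vendor-lan
!
! Verification (host addresses are constructed placeholders): packet-tracer
! reports which NAT rule matched and whether the crypto map was hit.
! packet-tracer input inside tcp 10.57.2.10 12345 x.x.x.x 443
! show nat detail
! show crypto ipsec sa
```

The 8.2 crypto ACL likewise only matches on the translated 10.224.166.112 entry, which is why the masked object must stay in the crypto ACL in both versions.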