Troubleshooting Question

Policy NAT - ASA - 8.2 to 9.8

Asked by Matthew Galiano (United States of America)
Tags: iOS, Internet Protocol Security, Cisco, VPN
8 Comments, 1 Solution, 901 Views
I recently upgraded from a 5505 to a 5508 and, due to the new IOS, part of my configuration no longer works. We deal with a 3rd-party vendor that requires VPN traffic to come from a specific subnet, so I set up a policy NAT to mask our private IP. Here are both configurations. I am certain I missed something. Thoughts?

ASA Version 8.2(1)

access-list inside_nat2_outbound extended permit ip 10.57.1.0 255.255.255.0 x.x.x.x 255.255.252.0
access-list inside_nat2_outbound extended permit ip 10.224.166.112 255.255.255.240 x.x.x.x 255.255.252.0
access-list outside_7_cryptomap extended permit ip 10.57.1.0 255.255.255.0 x.x.x.x 255.255.252.0
access-list outside_7_cryptomap extended permit ip 10.224.166.112 255.255.255.240 x.x.x.x 255.255.252.0
access-list inside_nat10_outbound extended permit ip any any

global (outside) 2 10.224.166.112
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat2_outbound
nat (inside) 10 access-list inside_nat10_outbound

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set peer X.X.X.X
crypto map outside_map 7 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *

ASA Version 9.8(1)

object network lan
 subnet 10.57.2.0 255.255.255.0
object network masked
 subnet 10.224.166.112 255.255.255.240
object network vendor-lan
 subnet x.x.x.x 255.255.252.0

access-list outside_4_cryptomap extended permit ip object lan object vendor-lan
access-list outside_4_cryptomap extended permit ip object masked object vendor-lan

nat (inside,outside) source static lan lan destination static vendor-lan vendor-lan
nat (inside,outside) source static masked masked destination static vendor-lan vendor-lan

object network masked
 nat (inside,outside) dynamic interface

crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer X.X.X.X
crypto map outside_map 4 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 ikev1 pre-shared-key *
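
A small evaluator, added here as an illustration and not part of the question or its accepted answer, that reads the NAT statements of each configuration above and reports which source address a given inside host presents toward the vendor subnet under the 8.2 policy NAT rules versus the 9.8 twice NAT and object NAT rules. The vendor's x.x.x.x is assumed to be the documentation range 198.51.100.0/22, and the `mapped_source_82` / `mapped_source_98` names are my own.

```python
from ipaddress import ip_address, ip_network
# Constructed excerpts of the two configs posted above (not the author's files verbatim); VENDOR stands in for x.x.x.x.
VENDOR = "198.51.100.0 255.255.252.0"
CFG_82 = f"""
access-list inside_nat2_outbound extended permit ip 10.57.1.0 255.255.255.0 {VENDOR}
global (outside) 2 10.224.166.112
nat (inside) 2 access-list inside_nat2_outbound
"""
CFG_98 = f"""
object network lan
 subnet 10.57.2.0 255.255.255.0
object network masked
 subnet 10.224.166.112 255.255.255.240
object network vendor-lan
 subnet {VENDOR}
nat (inside,outside) source static lan lan destination static vendor-lan vendor-lan
nat (inside,outside) source static masked masked destination static vendor-lan vendor-lan
object network masked
 nat (inside,outside) dynamic interface
"""
net = lambda addr, mask: ip_network(f"{addr}/{mask}", strict=False)
def mapped_source_82(cfg, src, dst):  # 8.2 policy NAT: first matching 'nat <id> access-list' wins, 'global <id>' supplies the PAT address
    src, dst, acls, glob = ip_address(src), ip_address(dst), {}, {}
    for t in map(str.split, cfg.splitlines()):   # ACLs and globals precede the nat lines, as in the config
        if t[:1] == ["access-list"]:              # t[5:9] = src net, mask, dst net, mask
            acls.setdefault(t[1], []).append((net(t[5], t[6]), net(t[7], t[8])))
        elif t[:1] == ["global"]:
            glob[t[2]] = t[3]                     # nat id -> PAT address or 'interface'
        elif t[:1] == ["nat"] and any(src in s and dst in d for s, d in acls.get(t[4], [])):
            return glob[t[2]]
    return str(src)                               # nothing matched: untranslated
def mapped_source_98(cfg, src, dst):  # 9.8: twice NAT (section 1) first match in config order, then object NAT (section 2)
    src, dst, objs, twice, objnat, cur = ip_address(src), ip_address(dst), {}, [], [], None
    for t in map(str.split, cfg.splitlines()):
        if t[:2] == ["object", "network"]:
            cur = t[2]
        elif t[:1] == ["subnet"]:
            objs[cur] = net(t[1], t[2])
        elif t[:1] == ["nat"] and t[2] == "source":
            twice.append((t[4], t[5], t[8]))      # real, mapped, destination real
        elif t[:1] == ["nat"]:
            objnat.append((cur, t[3]))            # object NAT under 'object network': real object, mapped ('interface')
    for real, mapped, dreal in twice:
        if src in objs[real] and dst in objs[dreal]:
            return str(src) if mapped == real else mapped   # same object on both sides = identity NAT
    for real, mapped in objnat:
        if src in objs[real]:
            return mapped
    return str(src)
```

Running both functions for the same inside host and a vendor address shows, before the tunnel is brought up, whether the migrated rules still present the address the peer's policy expects.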

ASKER CERTIFIED SOLUTION: Matthew Galiano, CTO