Re: Problem with destination NAT on Hairpin flow config

From: Sathishkumar <sat.work_at_gmail.com>
Date: Tue, 26 May 2009 00:08:53 +0530

Hi
       I need to translate the destination IP for the traffic which is
coming to the inside interface and then getting into the tunnel
which is on the same (inside) interface.

Are you really sending traffic into the inside interface of your firewall
and then trying to make it exit the same interface -- *YES*
(the tunnel is on the same interface)

  (Other flows (from DMZ to inside) are going normally through the tunnel,
so I don't face any issue on this site-to-site tunnel)

interface access-list
------------------------------

access-list inbound line 1 extended permit ip host 10.0.0.10 host 192.168.1.10 (hitcnt=28)
access-group inbound in interface inside

VPN
--------
crypto map IESPC 1 match address ipsec-traffic
crypto map IESPC 1 set pfs
crypto map IESPC 1 set peer x.x.x.x
crypto map IESPC 1 set transform-set IPSEC-3DES-MD5
crypto map IESPC 1 set security-association lifetime seconds 28800
crypto map IESPC 1 set security-association lifetime kilobytes 4608000
crypto map IESPC interface inside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set IPSEC-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

access-list ipsec-traffic line 1 extended permit ip host 10.0.0.10 host 172.18.20.10 (hitcnt=0)
(not able to see the hit count because the NATing is not happening)

 same-security-traffic permit intra-interface

For testing purposes I have used the below line and everything works fine and
I am able to see the traffic on the other end. But *my requirement is that the
destination IP (192.168.1.10) needs to change to 172.18.20.10 when it enters
the tunnel.*

access-list ipsec-traffic line 1 extended permit ip host 10.0.0.10 host 192.168.1.10 (hitcnt=8)

All I have to know is how to translate the destination IP which is going to
route through the tunnel that is on the same interface?

Thanks & Regards
Sathish...

On Mon, May 25, 2009 at 11:19 PM, Ryan West <rwest_at_zyedge.com> wrote:

> Hi,
>
> Are you trying to overcome an overlap address problem? Are you really
> sending traffic into the inside interface of your firewall and then trying
> to make it exit the same interface or is it coming in on one tunnel and you
> want it to leave out another tunnel? Can you describe your site-to-site
> traffic in a little better detail, including interesting traffic on both
> sides of the tunnel?
>
> -ryan
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Sathishkumar
> Sent: Monday, May 25, 2009 12:12 PM
> To: Cisco certification; Cisco certification;
> smorris_at_internetworkexpert.com; meer.asim_at_gmail.com; amsoares_at_netcabo.pt;
> mgazzaz_at_hotmail.com; adiqtanko_at_gmail.com; timcurci_at_roadrunner.com;
> cciebase_at_gmail.com; ccie.weaver_at_gmail.com; lhadrava_at_ipexpert.com;
> ravi29635_at_gmail.com
> Subject: Problem with destination NAT on Hairpin flow config
>
> Hi Experts,
>
> I am facing a problem in configuring destination static NAT when
> configuring hairpin flow on the ASA firewall.
> src: 10.0.0.10 dest: 192.168.1.10 (NAT IP: 172.16.10.10)
>
> The traffic enters the inside interface and needs to exit the same
> interface, where it gets into the VPN tunnel.
> Hence I have configured the global configuration command to enable hairpin
> flow.
>
> *same-security-traffic permit intra-interface*
>
> I think after the traffic arrives it enters the tunnel, so we don't
> require any NAT to allow the incoming traffic, and also I don't require
> source NAT; I need only destination NAT.
>
> I have tried putting the below statements, but it seems this static
> (inside,inside) works for the source NAT but it didn't work for the
> destination NAT. Please help me; any idea would be really appreciated...
>
> static (inside,inside) 172.18.20.10 192.168.1.10 netmask 255.255.255.255 (not working)
> static (inside,inside) 192.168.1.10 172.18.20.10 netmask 255.255.255.255 (not working)
>
>
> Thanks & Regards
> *Sathish...*
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Tue May 26 2009 - 00:08:53 ART

This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:43 ART