I need to build tunnel with Cisco ASA.
Seems vendor's interesting subnet 10.2.2.x is part of our LAN.
If i config on PA vendor interesting subnet as destination 192.168.1.x and translate to 10.2.2.x in PA is this right way?
Solved! Go to Solution.
Not sure if I am getting your question correctly, but it seems you are asking how to configure the proxy IDs for the IPsec tunnel, right?
Usually you have couple of ways to achieve this. Lets first define the setup with some example addresses:
Site A - behind Palo Alto FW
LAN - 10.3.3.0/24
Site B - behind ASA FW
LAN - 10.2.2.0/24 (192.168.1.0/24 for NAT)
So you have to options, depending on where do you want for the NAT to happen:
- Perform the NAT on the Palo Alto. That way you will need to define Proxy IDs as follow: Local - 10.3.3.0/24, Remote - 10.2.2.0/24; static route for 10.2.2.0/24 via tunnel.1; NAT rule to translate original 192.168.1.0/24 to 10.2.2.0/24; Rule to allow from 10.3.3.0/24 to 192.168.1.0/24. The problem with this scenario is that you have to put static route for the 10.2.2.0/24 via the tunnel interface. So the source will still use the NAT and traffic will take the correct path to the VPN tunnel, but if any other traffic passing through the Palo Alto firewall needs to go your local 10.2.2.0/24 (not the tunnel) you will have problems
- Perform the NAT on the ASA. This means you need: Proxy ID local 10.3.3.0/24, remote - 192.168.1.0/24; static route for 192.168.1.0/24 via tunnel.1; No NAT on the Palo Alto; Rule to allow 10.3.3.0/24 to 192.168.0/24. On the ASA you have to configure same encryption domain, but then perform NAT to translate 192.168.1.0/24 to 10.2.2.0/24. As you can see in this case on your end the config is straightforward and it is up to the other end to perform the proper NAT.
If your local network is completely overlapping with the remote - instead of 10.3.3.0/24 your local is again 10.2.2.0/24, you will need to do twice NAT on both ends.
hi @MP18 that depends which direction sessions will need to go in,and which subnets need to communicate
do you have exactly the same subnet or is 10.2.2.x just part of yours, and will there be connections coming from there or only a different part?
you may need to set up source and destination nat on your end so the vendor does not receive connections from his ip range
Yes we have same subnet 10.2.2.x in our network
so what i can do is have some other subnet as destination in my network and when traffic goes to tunnel do it destination nat to
10.2.2.x which is interstting traffic on vendor side.?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!