Cisco Defense Orchestrator

Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface

About this NAT Use Case

Use this Twice NAT use case to enable a site-to-site VPN.

Strategy

You are translating a pool of IP addresses to itself so that the IP addresses in one location on the network arrive unchanged in another.

Prerequisites

Create a network object named Site-to-Site-PC-Pool. The value of the object should be the range of addresses that you want to be able to reach a particular resource elsewhere on the network.

Create a Twice NAT Rule

  1. On the Devices & Services page, select the ASA you want to create the NAT rule for.
  2. Click View NAT Rules in the Policy section of the Actions pane.
  3. Click Create NAT Rule > Twice NAT.
  4. In section 1, select Static. Click Continue.
  5. In section 2, choose inside for the source interface and outside for the destination interface. Click Continue.
  6. In section 3, make these changes:
     • Expand the Original Address menu, click Choose, and select the Site-to-Site-PC-Pool object you created in the prerequisites section.
     • Expand the Translated Address menu, click Choose, and select the Site-to-Site-PC-Pool object you created in the prerequisites section.
  7. Click Save.
  8. Use the ASA to create a crypto map. See CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide and review the chapter on LAN-to-LAN IPsec VPNs for more information on creating a crypto map.
  9. Return to the Devices & Services page, select the ASA on which you made this change, and Write changes... to the ASA.

Entries in the ASA's Saved Configuration File

Objects created by this procedure  

object network Site-to-Site-PC-Pool
 range 10.10.2.0 10.10.2.255

NAT rule created by this procedure

nat (inside,outside) source static Site-to-Site-PC-Pool Site-to-Site-PC-Pool
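
One way to audit a saved configuration for this rule, as an added example that is not Cisco's code: the Python below finds twice NAT rules whose original and translated objects are the same, resolves the object's range, and reports whether a given address leaves the interface untranslated. The function names and the embedded sample (built from the two entries above) are assumptions; only range objects and `source static` rules are parsed, and the `scoped_to_destination` field relies on ASA twice NAT syntax accepting an optional `destination` clause, which this page's rule does not use.

```python
import ipaddress
import re

# Constructed sample: the two entries this procedure writes to the saved configuration.
SAMPLE_CONFIG = """\
object network Site-to-Site-PC-Pool
 range 10.10.2.0 10.10.2.255
nat (inside,outside) source static Site-to-Site-PC-Pool Site-to-Site-PC-Pool
"""

OBJ_RE = re.compile(r"^object network (\S+)\s*$")
RANGE_RE = re.compile(r"^\s+range (\S+) (\S+)\s*$")
NAT_RE = re.compile(r"^nat \(([^,\s]+),([^)\s]+)\) source static (\S+) (\S+)(.*)$")

def parse_ranges(config):
    """Map each 'object network' name to its (first, last) address pair."""
    ranges, current = {}, None
    for line in config.splitlines():
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = RANGE_RE.match(line)
        if m and current:
            ranges[current] = tuple(map(ipaddress.ip_address, m.groups()))
        elif not line.startswith(" "):
            current = None  # left the object's indented sub-commands
    return ranges

def identity_nat_rules(config):
    """Return twice NAT rules whose original and translated objects are identical."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m and m.group(3) == m.group(4):
            rules.append({"src_if": m.group(1), "dst_if": m.group(2),
                          "object": m.group(3),
                          "scoped_to_destination": "destination" in m.group(5).split()})
    return rules

def is_untranslated(config, ip, src_if="inside", dst_if="outside"):
    """True if ip is inside a range covered by an identity rule on src_if -> dst_if."""
    ranges, addr = parse_ranges(config), ipaddress.ip_address(ip)
    for r in identity_nat_rules(config):
        lo, hi = ranges.get(r["object"], (None, None))
        same_path = (r["src_if"], r["dst_if"]) == (src_if, dst_if)
        if same_path and lo is not None and lo <= addr <= hi:
            return True
    return False
```

A rule reported with `scoped_to_destination` set to False, as the one on this page is, applies the identity translation to all traffic from the pool crossing inside to outside, which is worth confirming against the intended VPN scope.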
