My DMZ = 100.64.0.0 /24
We wanted to reach 172.20.20.10, which is on the customer side, but that address range conflicted with a network on our side.
We decided to present the customer host as 172.22.20.10 (a NAT IP) instead.
Changes on my side:
object-group network MY_LAN
network-object 100.64.0.0 255.255.255.0
object-group network NAT_NET
network-object 172.22.20.0 255.255.255.0
Added the line below to the VPN (crypto) ACL:
access-list CUST_VPN_ACL extended permit ip object-group MY_LAN object-group NAT_NET
no nat
nat (DMZ,OUTSIDE) source static MY_LAN MY_LAN destination static NAT_NET NAT_NET no-proxy-arp route-lookup
Customer side:
Added to the VPN (crypto) ACL:
access-list MYSIDE_VPN extended permit ip object-group NAT_NET object-group MY_LAN
HOST_REAL_IP = 172.20.20.10
HOST_XLATED_IP = 172.22.20.0 /24
nat (WIFI,OUTSIDE) source static HOST_REAL_IP HOST_XLATED_IP destination static MY_LAN MY_LAN
I could ping 172.22.20.10 and it responded.
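To make the reasoning behind this setup explicit, here is a small added Python check (my own example, not configuration or code from the post) that models the two pieces a practitioner wants to verify before committing a twice-NAT like this: that the chosen mapped network overlaps nothing local, that the host offset carries over correctly (172.20.20.10 in 172.20.20.0/24 becomes 172.22.20.10 in 172.22.20.0/24, and back again on the reply path), and that the two crypto ACLs are exact mirrors of each other. The DMZ, the customer host and the NAT network come from the post; the prefix length of the conflicting local network and the tuple representation of the ACLs are assumptions made here.

```python
"""Sanity checks for the overlapping-subnet VPN NAT described above.

Added example; it is not part of the original post. Values from the post:
MY_LAN 100.64.0.0/24, customer host 172.20.20.10, NAT network 172.22.20.0/24.
Assumption: the conflicting network on "our side" is the whole 172.20.20.0/24.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Values from the post
MY_LAN = ip_network("100.64.0.0/24")
HOST_REAL_IP = ip_address("172.20.20.10")
NAT_NET = ip_network("172.22.20.0/24")

# The customer's real network and the conflicting local one are the same
# prefix; that is exactly the problem the NAT works around (prefix length assumed).
CUSTOMER_REAL_NET = ip_network("172.20.20.0/24")
CONFLICTING_LOCAL_NET = ip_network("172.20.20.0/24")
LOCAL_NETS = [MY_LAN, CONFLICTING_LOCAL_NET]

# Crypto ACLs as (source, destination) pairs, one per side (constructed representation)
MY_ACL = [("100.64.0.0/24", "172.22.20.0/24")]          # CUST_VPN_ACL
CUSTOMER_ACL = [("172.22.20.0/24", "100.64.0.0/24")]    # MYSIDE_VPN


def nat_net_is_safe(nat_net: IPv4Network, local_nets) -> bool:
    """A mapped (NAT) network is only usable if it overlaps nothing we route locally."""
    return not any(nat_net.overlaps(n) for n in local_nets)


def translate(real_ip: IPv4Address, real_net: IPv4Network,
              mapped_net: IPv4Network) -> IPv4Address:
    """Static net-to-net NAT preserves the host offset: real_net[i] -> mapped_net[i]."""
    if real_ip not in real_net:
        raise ValueError(f"{real_ip} is not inside {real_net}")
    if real_net.prefixlen != mapped_net.prefixlen:
        raise ValueError("static net-to-net NAT needs equal-sized real and mapped networks")
    offset = int(real_ip) - int(real_net.network_address)
    return mapped_net.network_address + offset


def untranslate(mapped_ip: IPv4Address, real_net: IPv4Network,
                mapped_net: IPv4Network) -> IPv4Address:
    """Reverse direction: the address my side sees back to the customer's real address."""
    return translate(mapped_ip, mapped_net, real_net)


def customer_inbound(src: IPv4Address, dst: IPv4Address):
    """What the customer firewall does to a packet arriving from the tunnel:
    only traffic from MY_LAN to the NAT network is un-NATed to the real host."""
    if src in MY_LAN and dst in NAT_NET:
        return src, untranslate(dst, CUSTOMER_REAL_NET, NAT_NET)
    return src, dst


def acls_mirror(my_acl, customer_acl) -> bool:
    """Crypto ACLs must be exact mirrors: each (src, dst) on one side is (dst, src) on the other.
    A mismatch is the usual reason a phase 2 SA never comes up or traffic goes one way only."""
    mirrored = {(dst, src) for src, dst in customer_acl}
    return set(my_acl) == mirrored


if __name__ == "__main__":
    print("NAT net safe:", nat_net_is_safe(NAT_NET, LOCAL_NETS))
    print("172.20.20.10 presented as:", translate(HOST_REAL_IP, CUSTOMER_REAL_NET, NAT_NET))
    print("ping from 100.64.0.5 lands on:", customer_inbound(ip_address("100.64.0.5"),
                                                             ip_address("172.22.20.10")))
    print("ACLs mirror:", acls_mirror(MY_ACL, CUSTOMER_ACL))
```

Running it confirms that 172.22.20.0/24 is a safe choice while reusing 172.20.20.0/24 would not be, that a ping to 172.22.20.10 is delivered to 172.20.20.10 on the customer side, and that the two ACLs line up. Swapping the order of a pair in either ACL makes the mirror check fail, which is the first thing to look at if the tunnel negotiates but traffic does not flow.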