https://community.cisco.com/t5/network-security/asa-with-twice-nat-on-outside-interface/m-p/2855548#M153406 <P>In that case the ISP is doing the NAT for you and forwards all traffic for 2.2.3.4 to your ASA.</P> <P>Just configure it with the public IPs as mentioned above. The packets from ASA1 will arrive with a destination of 192.168.1.1 on you ASA2, but ASA1 "sees" ASA2 as 2.2.3.4.</P> Wed, 01 Jun 2016 08:23:04 GMT Karsten Iwen 2016-06-01T08:23:04Z https://community.cisco.com/t5/network-security/asa-with-twice-nat-on-outside-interface/m-p/2855545#M153403 <P>Dear all,</P> <P></P> <P>I have question.</P> <P></P> <P>Situation:</P> <P>ASA1 - ip address 1.2.3.4 (internet routable)</P> <P>ASA2 - ip address 192.168.1.1 (RFC1918) and NATed 2.2.3.4</P> <P>Address 2.2.3.4 is routed from internet to address 192.168.1.1.</P> <P></P> <P>I want to make ipsec tunnel between those two ASA.</P> <P></P> <P>But because ASA2 has RFC1918 address I need to make a NAT for routable address.</P> <P></P> <P>What I would like to achieve is: when comes packet from ASA1 (1.2.3.4) to 2.2.3.4, ASA2 makes NAT that : 2.2.3.4 = 192.168.1.1. Is it possible? Because this all is on outside interface.</P> <P></P> <P>So making some of static or twice NAT?</P> <P></P> <P>Thank you.</P> <P></P> <P>Pavel</P> <P></P> <P></P> Tue, 12 Mar 2019 07:49:38 GMT https://community.cisco.com/t5/network-security/asa-with-twice-nat-on-outside-interface/m-p/2855545#M153403 Pavel Pokorny 2019-03-12T07:49:38Z https://community.cisco.com/t5/network-security/asa-with-twice-nat-on-outside-interface/m-p/2855546#M153404 <P>If I understand you correctly, there is a NAT device in front of ASA2 that NATs the public IP 2.2.3.4 to the internal ASA-IP 192.168.1.1?</P> <P>Then there is no NAT to be configured on ASA2. You have to:</P> <OL> <LI>Configure the VPN on ASA1 with a peer address of 2.2.3.4</LI> <LI>Configure the VPN on ASA2 with a peer address of 1.2.3.4</LI> <LI>Make sure that the NAT-device allows UDP/500 and UDP/4500 to ASA2</LI> </OL> Wed, 01 Jun 2016 08:02:04 GMT https://community.cisco.com/t5/network-security/asa-with-twice-nat-on-outside-interface/m-p/2855546#M153404 Karsten Iwen 2016-06-01T08:02:04Z https://community.cisco.com/t5/network-security/asa-with-twice-nat-on-outside-interface/m-p/2855547#M153405 <P>Hi,</P> <P></P> <P>Thanks for responding.</P> <P></P> <P>No, there is no device in front of ASA2 making NAT (this would be also solution). There is just pure routing (point to point link between ASA2 and ISP is 192.168.1.0/28 - ie).</P> <P>So, by routing on ASA2 I got packet with source 1.2.3.4 and destination 2.2.3.4, but ASA2 doesn't know what to do with packet destined to address 2.2.3.4.</P> <P>I know, that this is not problem when mapped and real address are on diferent interfaces.</P> <P></P> <P>Does it make sense?</P> <P></P> <P>Thank you,</P> <P></P> <P>Pavel</P> Wed, 01 Jun 2016 08:13:43 GMT https://community.cisco.com/t5/network-security/asa-with-twice-nat-on-outside-interface/m-p/2855547#M153405 Pavel Pokorny 2016-06-01T08:13:43Z https://community.cisco.com/t5/network-security/asa-with-twice-nat-on-outside-interface/m-p/2855548#M153406 <P>In that case the ISP is doing the NAT for you and forwards all traffic for 2.2.3.4 to your ASA.</P> <P>Just configure it with the public IPs as mentioned above. The packets from ASA1 will arrive with a destination of 192.168.1.1 on you ASA2, but ASA1 "sees" ASA2 as 2.2.3.4.</P> Wed, 01 Jun 2016 08:23:04 GMT https://community.cisco.com/t5/network-security/asa-with-twice-nat-on-outside-interface/m-p/2855548#M153406 Karsten Iwen 2016-06-01T08:23:04Z https://community.cisco.com/t5/network-security/asa-with-twice-nat-on-outside-interface/m-p/2855549#M153407 <P>As I said, ISP is not doing NAT.</P> <P>I need to make NAT myself.</P> Wed, 01 Jun 2016 08:28:42 GMT https://community.cisco.com/t5/network-security/asa-with-twice-nat-on-outside-interface/m-p/2855549#M153407 Pavel Pokorny 2016-06-01T08:28:42Z