Hi All
Need advice on the following:
I have an ASA (version 8.2) configured as an EZVPN client; the EZVPN server is an ASA at another establishment, which we break out from. All traffic from inside has to go through the VPN for connectivity.
The ASA has an inside interface on 192.168.1.160/29 and is also acting as a DHCP server; users get assigned an IP from .162 to .166 (the ASA inside interface is .161).
I need to expand this range to a /28 (.162 to .174) to accommodate more users.
The problem is we can't amend the EZVPN server end or the crypto ACL to match the new subnet mask for the range already being exchanged.
EZVPN server Crypto ACL:
access-list _vpnc_acl extended permit ip 192.168.1.160 255.255.255.248 any
Local end EZVPN Client, NAT exemption ACL:
access-list _vpnc_no_nat_acl line 1 extended permit ip any any
Solution
I change the DHCP scope and the inside interface to a /28, then NAT anything from the inside interface to a single IP (192.168.1.162), which falls within the current range being exchanged across the tunnel, before it goes out. This should allow us to have more users; as far as the VPN is concerned, everyone will appear and go out the tunnel as .162, which is within the /28 already being exchanged.
Current config and NATs (the interface and DHCP scope have already been changed from /29 to /28):
interface Vlan10
nameif inside
security-level 100
ip address 192.168.1.161 255.255.255.240
!
interface Vlan20
nameif outside
security-level 0
ip address 172.18.0.194 255.255.255.192
dhcpd address 192.168.1.162-192.168.1.174 inside
dhcpd enable inside
global (outside) 1 interface
nat (inside) 0 access-list _vpnc_no_nat_acl
nat (inside) 1 0.0.0.0 0.0.0.0
Can you please advise on the NAT config required to achieve this?
Thanks in advance
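The following is an added example, written by the editor and not part of the original post, that models the reasoning behind the proposed approach: it checks which of the new /28 DHCP clients the server's unchanged crypto ACL (192.168.1.160 255.255.255.248) would select untranslated, and sanity-checks the plan to translate everything to a single address before it reaches the tunnel. The subnets, DHCP range and the proposed PAT address 192.168.1.162 are taken from the post; the helper names are the editor's own.

```python
import ipaddress

# Values taken from the post. 192.168.1.162 is the poster's proposed single PAT address.
CRYPTO_ACL_NET = "192.168.1.160/29"             # _vpnc_acl on the EZVPN server, cannot be changed
INSIDE_NET = "192.168.1.160/28"                 # new inside interface subnet
DHCP_POOL = ("192.168.1.162", "192.168.1.174")  # new dhcpd address range
PAT_ADDRESS = "192.168.1.162"                   # proposed global PAT address


def dhcp_hosts(pool=DHCP_POOL):
    """Expand an ASA dhcpd start-end range into the individual addresses it hands out."""
    start, end = (int(ipaddress.ip_address(a)) for a in pool)
    return [ipaddress.ip_address(i) for i in range(start, end + 1)]


def matches_tunnel(src, crypto_net=CRYPTO_ACL_NET):
    """True if the (post-NAT) source address is selected by the server's crypto ACL.

    An ACL entry of 192.168.1.160 255.255.255.248 is a plain mask match, so it
    selects .160 through .167; .167 is a usable host now that inside is a /28.
    """
    return ipaddress.ip_address(src) in ipaddress.ip_network(crypto_net)


def classify_pool(pool=DHCP_POOL, crypto_net=CRYPTO_ACL_NET):
    """Split DHCP clients into those the crypto ACL selects untranslated and those it never would."""
    carried, dropped = [], []
    for host in dhcp_hosts(pool):
        (carried if matches_tunnel(host, crypto_net) else dropped).append(str(host))
    return carried, dropped


def check_pat_plan(pat=PAT_ADDRESS, pool=DHCP_POOL, inside_net=INSIDE_NET, crypto_net=CRYPTO_ACL_NET):
    """Sanity-check translating every inside host to one address before the tunnel.

    Returns (ok, problems). The failure modes worth catching before touching
    nat/global: the PAT address not being on the inside subnet, not being
    selected by the crypto ACL (the tunnel would not carry it), or still being
    inside the DHCP pool (a client could be leased the same address).
    """
    problems = []
    pat_addr = ipaddress.ip_address(pat)
    if pat_addr not in ipaddress.ip_network(inside_net):
        problems.append(f"{pat} is not on the inside subnet {inside_net}")
    if not matches_tunnel(pat_addr, crypto_net):
        problems.append(f"{pat} is not selected by the crypto ACL {crypto_net}; the tunnel would not carry it")
    if pat_addr in dhcp_hosts(pool):
        problems.append(f"{pat} is still inside the DHCP pool {pool[0]}-{pool[1]}; exclude it or choose another address")
    return (not problems), problems


if __name__ == "__main__":
    carried, dropped = classify_pool()
    print("selected by crypto ACL untranslated:", carried)
    print("never selected (need translation):", dropped)
    ok, problems = check_pat_plan()
    print("PAT plan ok:", ok)
    for p in problems:
        print(" -", p)
```

Two caveats a practitioner would check before applying any nat/global change on 8.2: the ASA evaluates NAT before the crypto map, so it is the translated source that is compared against _vpnc_acl, which is what makes the single-address idea workable at all; and NAT exemption (nat (inside) 0 access-list) is evaluated ahead of dynamic nat/global pairs, so with the posted _vpnc_no_nat_acl of permit ip any any still in place, a new dynamic translation for the inside subnet would never be applied. As the script also flags, the PAT address should not remain inside the dhcpd range.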