Inside 10.250.11.10,11, 45<----asa----> outside 167.165.10.1 <-Internet> 155.16.35.1 outiside <-vpn device?> ---10.250.11.0

I am not familiar with their set up, but the only thing I was informed was that 10.250.11 might be used on their  end internally and if I could nat the hosts on inside to an outside IP address.

ASA running 8.0 (4)

Thanks again,

marramix01

Hi,

Well I guess you could do so that you NAT your whole local network to some other network so you wont have to do several single static NAT translations on the ASA just for this L2L VPN connection

You didn't mention anything about network masks so I'll use /24 which is pretty basic

So some base information for the configration:

Local network: 10.250.11.0/24

Local network (NAT): 192.168.11.0/24

Local LAN interface name: inside

Local OUTSIDE interface name: outside

Remote network: 10.250.10.0/24 ?

Static Policy NAT that is applied only when your connecting to the remote network of 10.250.11.0/24 (Or they connecting to your networks NATted IP addresses)

access-list L2L-VPN-POLICY-NAT remark L2L VPN Local Network NAT

access-list L2L-VPN-POLICY-NAT permit ip 10.250.11.0 255.255.255.0 10.250.11.0 255.255.255.0

static (inside,outside) 192.168.11.0 access-list L2L-VPN-POLICY-NAT

access-list L2L-VPN-ENCRYPTION-DOMAIN remark L2L VPN Encryption Domain ACL

access-list L2L-VPN-ENCRYPTION-DOMAIN permit ip 192.168.11.0 255.255.255.0 10.250.11.0 255.255.255.0

To  my understanding the above configuration should apply a NAT for every IP address of the /24 network to the NAT network of 192.168.11.0/24 when youre connecting from your local network to the remote network.

Though I'm abit wary of the Policy NAT statement where the actual source and destination network are the same. I did try it on my own ASA (though running newer 8.4 software with new NAT format) and it seemed to work.

What I'm also wondering that is it really possible that both of your networks have 10.250.11.0/24 subnet? Or did you just mean that theyre local network overlaps 10.250.11.0/24?

Would you be actually connecting to a host address of 10.250.11.x through the L2L VPN? I

- Jouni

Also,

The NAT doesnt necesarily have to be a Static NAT like I just showed above. But that depends on which party is initiating the connections through the L2L VPN.

If its just you connecting to remote hosts for services then you could simply do a Policy PAT translation towards the L2L VPN tunnel.

Then again if the remote end needs to connect to some services on your end, PAT is out of the question.

Atleast with the static translation you will guarantee connectivity between all the host.

One thing you should also consider is how you control traffic coming from the L2L VPN.

This depends much on the fact how you have set the "sysopt connection permit-vpn" setting. Having it on lets all traffic bypass outside access-list. Disabling it will mean you will have to permit the traffic coming from the L2L VPN tunnel in the outside interface access-list.

If you have the "sysopt connection permit-vpn" setting on. The only way to control traffic is to apply a VPN filter ACL to the L2L VPN connection

- Jouni