I have a query on NAT on an 8.4 ASA. We are going to configure an IPsec tunnel with our client. Our client has provided a single IP (192.168.32.11) which would be the source at his end. Is it possible to NAT my end network (10.130.20.0/24) with a logical IP (192.168.32.11) which is not configured anywhere?
Here are the details:
My end internal network (inside): 10.130.20.0/24
Logical IP to which my internal network should be NATted: 192.168.32.11
Client end network: 10.100.10.0/24
If yes, please share the commands as well.
I'm not quite sure what you mean here...
If you specifically want your LAN to show to the client network with a single IP address of 192.168.32.11, then you naturally would NOT do NAT0, as NAT0 / NAT Exempt does no NAT for your LAN addresses. Wasn't the purpose to PAT all your LAN traffic to this single IP address of 192.168.32.11 before it goes to the REMOTE-LAN?
If you do PAT translation only towards the Client, then you don't need to open anything from the Client towards your PAT IP, as it's a shared IP address for many LAN hosts. You can't really open anything towards a PAT IP address.
Naturally you will need to make sure to allow any traffic you need in your "inside" interface ACL to the REMOTE-LAN unless that traffic is already allowed.
You can do a Dynamic PAT towards the remote network through the L2L VPN.
The configuration would be something like this:
! Remote (client) network reachable through the L2L VPN
object network REMOTE-LAN
 subnet 10.100.10.0 255.255.255.0
! Local LAN behind the "inside" interface
object network LOCAL-LAN
 subnet 10.130.20.0 255.255.255.0
! The single address the local LAN is PATed to towards the client
object network L2L-VPN-PAT
 host 192.168.32.11
! Twice NAT: only traffic from LOCAL-LAN to REMOTE-LAN is PATed to 192.168.32.11
nat (inside,outside) source dynamic LOCAL-LAN L2L-VPN-PAT destination static REMOTE-LAN REMOTE-LAN
Notice that if you do this NAT configuration, then your L2L VPN ACL that defines the interesting traffic will only include the L2L-VPN-PAT object IP address as the source address for the L2L VPN connection.
Hopefully the above information has been helpful. Please rate if so.
Naturally, ask more if something was unclear.
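As an added example (not part of the answer above), this shows how the twice-NAT rule ties to the crypto ACL and how to confirm from the ASA CLI that a local host is really translated to 192.168.32.11 before it enters the tunnel; the ACL name, crypto map name, peer placeholder and the 10.130.20.50 test host are assumed, not from the thread.

```cisco
! Objects and twice-NAT rule as given in the answer
object network REMOTE-LAN
 subnet 10.100.10.0 255.255.255.0
object network LOCAL-LAN
 subnet 10.130.20.0 255.255.255.0
object network L2L-VPN-PAT
 host 192.168.32.11
nat (inside,outside) source dynamic LOCAL-LAN L2L-VPN-PAT destination static REMOTE-LAN REMOTE-LAN
!
! Crypto ACL (name assumed): the source is the PAT address, not 10.130.20.0/24,
! because the ASA applies NAT before matching traffic against the tunnel.
! The client side must mirror this with 192.168.32.11 as the remote network.
access-list L2L-VPN-ACL extended permit ip object L2L-VPN-PAT object REMOTE-LAN
!
! Crypto map entry (name, sequence and peer are placeholders)
crypto map OUTSIDE-MAP 10 match address L2L-VPN-ACL
crypto map OUTSIDE-MAP 10 set peer <CLIENT-PEER-IP>
crypto map OUTSIDE-MAP interface outside
!
! Verification with a constructed inside host: the NAT phase of the trace
! should show the source becoming 192.168.32.11 and the VPN phase should
! show the packet being encrypted; if an earlier NAT0 rule matches first,
! the trace will reveal it here.
packet-tracer input inside tcp 10.130.20.50 12345 10.100.10.10 443
show nat detail
show xlate
```

Because 192.168.32.11 is a shared PAT address, expect `show xlate` to list only outbound translations; there is nothing to "open" from the client side towards it, as the answer notes.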