Solved: nat internal network before sending over tunnel

erwee1973 · ‎10-28-2011

Hello,

For a customer I have configured a new ASA 5505 firewall with 8.42 software. I had to build 3 ipsec tunnels to different locations and firewalls. All tunnels are working except one. I have to translate the inside network 1 to 1 to a different private range before it is sent over the tunnel.

Each host from network 192.168.133.0 /24 has to be translated to a 192.168.112.0 /24 host and then sent over the tunnel. (e.g. 192.168.133.22 translated to 192.168.112.22)

How do I configure this?

Thanks in advance,

Regards,

Ralph

Arnhem, Netherlands

josecalv · ‎10-29-2011

Since Ralph is actually running version 8.4(2) the static command won't work. You will need something like this:

object network Internal-network

subnet 192.168.133.0 255.255.255.0

object network Translated-network

subnet 192.168.112.0 255.255.255.0

object network remote-site (This will be for the object for your remote VPn site)

subnet x.x.x.x 255.255.x.x

nat (inside,outside) 1 source static Internal-network Translated-network destination static remote-site remote-site

Thanks.

View solution in original post

Eugene Khabarov · ‎10-28-2011

It is simple if you need to translate your source addresses:

access-list NAT_BEFORE_ENCRYPT line 1 extended permit ip 192.168.133.0 255.255.255.0 any

static (Inside,Outside) 192.168.112.0 access-list NAT_BEFORE_ENCRYPT tcp 0 0 udp 0

___

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer"

josecalv · ‎10-29-2011