NAT translation on an ASA for a VPN

donaghq_2
Level 1

I have a VPN to another company, and they are using the same addressing as us, so I need to do some double NATting. Not sure how to do this for a VPN. Basically I want anything exiting from the site A subnet of 10.1.1.0/24 to get translated to 10.6.7.1. Also, anything going from a specific address in site A (10.1.1.67) gets translated to 10.6.7.2.

Thanks!

Accepted Solutions

andrew.prince
Level 10

Donagh,

You need policy-based NAT for your VPN connections, something like:-

access-list inside_policy_nat extended permit ip host 10.1.1.67 <>

static (inside,outside) 10.6.7.2 access-list inside_policy_nat

access-list no-nat extended permit ip host 10.6.7.2 <>

access-list nat_vpn_company_x extended permit ip host 10.6.7.2 <>

crypto map <> <> match address nat_vpn_company_x

The above will:-

1) NAT the internal src IP from 10.1.1.67 to 10.6.7.2 when the destination is the remote company IP subnet

2) Once translated - will not re-NAT it again

3) Define the NAT'ted IP address as the interesting src IP to bring the tunnel UP and of course is used in the verification of the IPSEC encryption domains.

HTH
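
The order the answer relies on (policy NAT first, then the crypto ACL matched against the translated source), modelled as an added Python example that is not part of the original reply. The remote range 172.16.50.0/24 stands in for the elided `<>` and is an assumption, as are all function names; the subnet-wide rule to 10.6.7.1 comes from the question rather than the posted config.

```python
import ipaddress as ip

# Assumption: range the remote company presents to site A (the "<>" above).
REMOTE_NET = ip.ip_network("172.16.50.0/24")
SITE_A_NET = ip.ip_network("10.1.1.0/24")

# Ordered policy-NAT rules (real source, mapped address). The host rule is
# listed first so it wins over the subnet-wide many-to-one rule.
POLICY_NAT = [
    (ip.ip_network("10.1.1.67/32"), ip.ip_address("10.6.7.2")),
    (SITE_A_NET, ip.ip_address("10.6.7.1")),
]

# Crypto ACL (interesting traffic), written against post-NAT sources.
CRYPTO_ACL = [
    (ip.ip_network("10.6.7.2/32"), REMOTE_NET),
    (ip.ip_network("10.6.7.1/32"), REMOTE_NET),
]

# Failure mode: a crypto ACL written with the real (pre-NAT) addresses.
WRONG_ACL = [(SITE_A_NET, REMOTE_NET)]


def translate(src, dst):
    """Return the post-NAT source; policy NAT applies only toward REMOTE_NET."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if dst in REMOTE_NET:
        for real, mapped in POLICY_NAT:
            if src in real:
                return mapped
    return src  # no policy match: source left untouched


def matches_crypto_acl(src, dst, acl):
    """True if (src, dst) is interesting traffic for the tunnel."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    return any(src in s and dst in d for s, d in acl)


def egress(src, dst, acl=CRYPTO_ACL):
    """NAT first, then check the crypto ACL against the translated source."""
    mapped = translate(src, dst)
    return str(mapped), matches_crypto_acl(mapped, dst, acl)


if __name__ == "__main__":
    for pkt in [("10.1.1.67", "172.16.50.10"), ("10.1.1.20", "172.16.50.10"),
                ("10.1.1.67", "8.8.8.8")]:
        print(pkt, "->", egress(*pkt), "| real-IP ACL:", egress(*pkt, WRONG_ACL))
```

The `WRONG_ACL` column shows why the encryption domain has to be defined on 10.6.7.x: after translation the real 10.1.1.x source no longer exists on the wire, so an ACL written against it never brings the tunnel up.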
