07-28-2008 06:06 AM - edited 03-11-2019 06:21 AM
I have a VPN to another company and they are using the same addressing as us, so I need to do some double NATting. Not sure how to do this for a VPN. Basically I want anything exiting from site A subnet of 10.1.1.0/24 to get translated to 10.6.7.1. Also anything going from a specific address in site A (10.1.1.67) gets translated to 10.6.7.2.
Thanks!
08-02-2008 07:48 AM
Donagh,
You need policy-based NAT for your VPN connections, something like:-
access-list inside_policy_nat extended permit ip host 10.1.1.67 <
static (inside,outside) 10.6.7.2 access-list inside_policy_nat
access-list no-nat extended permit ip host 10.6.7.2 <
access-list nat_vpn_company_x extended permit ip host 10.6.7.2 <
crypto map <
The above will:-
1) NAT the internal src IP from 10.1.1.67 to 10.6.7.2 when the destination is the remote company ip subnet
2) Once translated - will not re-NAT it again
3) Define the NAT'ted IP address as the interesting src IP to bring the tunnel UP and of course is used in the verification of the IPSEC encryption domains.
HTH
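Added example, not part of the original posts or of any Cisco code: a small Python model of the order of operations the answer describes, where policy NAT rewrites the source first and the crypto ACL is then checked against the translated address. The remote subnet is elided on the page, so `192.0.2.0/24` is a constructed placeholder; the model also covers the subnet-to-10.6.7.1 translation from the question, and all function names are hypothetical.

```python
import ipaddress as ip

# Assumption: the remote company's subnet is not given on the page; placeholder only.
REMOTE_NET = ip.ip_network("192.0.2.0/24")

# Policy NAT rules in match order (simplified model, host rule first):
# (real source, destination that triggers the rule, mapped source)
POLICY_NAT = [
    (ip.ip_network("10.1.1.67/32"), REMOTE_NET, ip.ip_address("10.6.7.2")),
    (ip.ip_network("10.1.1.0/24"), REMOTE_NET, ip.ip_address("10.6.7.1")),
]

# Crypto ACL (interesting traffic) written against the translated sources.
CRYPTO_ACL = [
    (ip.ip_network("10.6.7.2/32"), REMOTE_NET),
    (ip.ip_network("10.6.7.1/32"), REMOTE_NET),
]

# A crypto ACL written with the real inside subnet, for comparison.
WRONG_ACL = [(ip.ip_network("10.1.1.0/24"), REMOTE_NET)]


def translate(src, dst):
    """Return the source after policy NAT; unchanged if no policy rule matches."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for real, dest, mapped in POLICY_NAT:
        if src in real and dst in dest:
            return mapped
    return src  # other NAT rules (not modelled here) would handle this traffic


def matches_acl(src, dst, acl):
    """True if (src, dst) is permitted by any entry of the given ACL."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    return any(src in s and dst in d for s, d in acl)


def enters_tunnel(src, dst, acl=CRYPTO_ACL):
    """NAT is applied first; the crypto ACL then sees the translated source."""
    return matches_acl(translate(src, dst), dst, acl)


if __name__ == "__main__":
    # Constructed sample flows: host rule, subnet rule, non-VPN destination.
    flows = [("10.1.1.67", "192.0.2.10"), ("10.1.1.20", "192.0.2.10"),
             ("10.1.1.20", "198.51.100.5")]
    for src, dst in flows:
        print(f"{src} -> {dst}: src becomes {translate(src, dst)}, "
              f"tunnel={enters_tunnel(src, dst)}, "
              f"tunnel with real-address ACL={enters_tunnel(src, dst, WRONG_ACL)}")
```

The last column shows why the encryption domain agreed with the remote peer has to list 10.6.7.1 and 10.6.7.2 rather than 10.1.1.0/24.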