05-21-2013 08:28 AM - edited 03-11-2019 06:46 PM
Hi all,
I am trying to establish a site to site VPN with a far side. However, what I would like to do is to NAT the destination address. So let's say the destination address is 10.1.2.x/24; I would like to NAT it to 192.168.3.x/24. The reason is that I already have a site to site VPN using 10.1.2.0/24 as the destination.
Thanks,
05-21-2013 02:32 PM
Hello,
Just to confirm, do you want to NAT the destination IP for the remote network or for the peer device?
What version do you have?
Regards,
Felipe.
05-21-2013 02:37 PM
Hi,
I imagine there are 2 remote sites where there is overlapping networks.
To my understanding this shouldn't be possible even playing around with the NAT.
Shouldn't it be that in both cases the ASA would have to forward the traffic to the same destination network after the UN-NAT and couldn't really differentiate between the 2 L2L connections?
Either way the typical approach to this is to do the NAT at the remote site and not try to achieve any special NAT configurations on your side. It should be pretty basic for the remote site to do to get around this problem.
- Jouni
05-22-2013 05:13 AM
Thanks Jouni... my thoughts exactly, but the remote refuses to NAT their side...
05-22-2013 05:15 AM
Hi Felipe,
Trying to NAT the remote subnet as it is overlapping with an existing site to site VPN... We are running 8.2.5.
Thanks
05-21-2013 08:41 PM
The solution is to configure your VPN as if the destination network is 192.168.3.x/24,
then ask the other side to do a policy NAT only for the traffic through this VPN tunnel.
Say your network is 172.16.1.0/24:
The far side policy would be: for all traffic from their internal network (10.1.2.x/24) to your internal network (172.16.1.0/24), perform a static 1-to-1 NAT to the 192.168.3.x/24 network.
This way your firewall will not know that there is an IP address conflict between the 2 VPNs; otherwise the configuration will not work, as you cannot have both VPN tunnels established to different peers that have the same subnets at the same time!
Example for ASA <= 8.2.x:
access-list special-nat extended permit ip 10.1.2.0 255.255.255.0 172.16.1.0 255.255.255.0
static (inside,outside) 192.168.3.0 access-list special-nat netmask 255.255.255.0
show nat:
NAT policies on Interface inside:
  match ip inside 10.1.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
    static translation to 192.168.3.0
Example for ASA >= 8.3:
object network internal-net
 subnet 10.1.2.0 255.255.255.0
object network special-NAT
 subnet 192.168.3.0 255.255.255.0
object network remote-net
 subnet 172.16.1.0 255.255.255.0
nat (inside,outside) source static internal-net special-NAT destination static remote-net remote-net no-proxy-arp
show nat detail:
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static internal-net special-NAT destination static remote-net remote-net
    Source - Origin: 10.1.2.0/24, Translated: 192.168.3.0/24
    Destination - Origin: 172.16.1.0/24, Translated: 172.16.1.0/24
Hope that helps,
Patrick
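As an added illustration (not Patrick's ASA configuration, and Python rather than ASA CLI), the following models the far-side policy NAT and the near-side tunnel selection discussed above, using constructed addresses taken from the thread: the far side translates 10.1.2.x to 192.168.3.x only for traffic towards 172.16.1.0/24, and the near-side ASA can then tell the two tunnels apart by destination.

```python
from ipaddress import ip_address, ip_network

# Constructed from the thread: the far side's real network, the network your
# ASA will see through this tunnel after translation, and your own network.
FAR_REAL = ip_network("10.1.2.0/24")
FAR_MAPPED = ip_network("192.168.3.0/24")
NEAR_NET = ip_network("172.16.1.0/24")


def far_side_policy_nat(src, dst):
    """Far-side 1-to-1 policy NAT (the 'static ... access-list' above): the
    source is translated only when it is in FAR_REAL *and* the destination is
    in NEAR_NET; host bits are kept, so 10.1.2.7 becomes 192.168.3.7."""
    s, d = ip_address(src), ip_address(dst)
    if s in FAR_REAL and d in NEAR_NET:
        return str(FAR_MAPPED[int(s) - int(FAR_REAL[0])])
    return src


def far_side_untranslate(dst):
    """Return traffic from NEAR_NET is addressed to 192.168.3.x; the far side
    maps it back to the real 10.1.2.x host before forwarding."""
    d = ip_address(dst)
    if d in FAR_MAPPED:
        return str(FAR_REAL[int(d) - int(FAR_MAPPED[0])])
    return dst


def select_tunnel(dst, selectors):
    """Your ASA chooses the L2L tunnel whose crypto ACL destination matches.
    selectors maps peer name -> remote network. Returns None when more than
    one peer claims the destination, which is Jouni's objection above."""
    d = ip_address(dst)
    hits = [peer for peer, net in selectors.items() if d in net]
    return hits[0] if len(hits) == 1 else None


# Without far-side NAT both peers would be configured for 10.1.2.0/24.
OVERLAPPING = {"peer-A": ip_network("10.1.2.0/24"),
               "peer-B": ip_network("10.1.2.0/24")}
# With the fix, the tunnel to peer-B is built for 192.168.3.0/24 instead.
FIXED = {"peer-A": ip_network("10.1.2.0/24"), "peer-B": FAR_MAPPED}

if __name__ == "__main__":
    print(far_side_policy_nat("10.1.2.7", "172.16.1.20"))  # 192.168.3.7
    print(far_side_policy_nat("10.1.2.7", "198.51.100.5"))  # unchanged
    print(select_tunnel("10.1.2.7", OVERLAPPING))  # None: ambiguous
    print(select_tunnel("192.168.3.7", FIXED))  # peer-B
```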
05-22-2013 05:20 AM
Thanks Patrick...I will find out if they are willing to do this.