Site-to-Site VPN same private LAN's How to Nat

risenshine4th
Level 1

I'm migrating a NetScreen 10 config to an ASA 5510.

I'm trying to understand NAT across the tunnel.

LAN on both sides has 192.168.0.0 /24

Currently, I have several tunnels that NAT networks and hosts to 10.50.70.10. I would like to understand how to properly NAT the tunnel traffic in the same manner using the ASA.

I've looked at documentation but it seems confusing.

Does anyone have a simple CLI config or ASDM example that may provide a working config I can play with?

inside 192.168.0.0 /24

outside 172.16.16.16 /24

dmz 192.168.1.0 /24

NAT address for networks and hosts.

10.50.70.10

Also,

Can I use the same NAT for multiple tunnels?

John

1 Reply

JORGE RODRIGUEZ
Level 10

Hi John,

I don't know if you have seen this link; if not, take a look at it. In PIX/ASA you can accomplish the same. I do not know how NetScreen processes NAT, so I cannot comment on it, but I am sure it is probably the same principle. In your scenario you have several tunnels and have a tunnel at the other end with the same network as yours. You can use Policy NAT, as this is how you can NAT overlapping networks. Policy NAT can be used in many other ways based on various requirements ... overlapping networks in L2L VPNs is one of them.

I don't see why you could not use the same NAT network 10.50.70.0 for any other tunnels; it would be a matter of working with the crypto ACLs and the policy NAT access list.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

There is another link on NAT functionality I cannot locate now but I will provide it as soon as I find it.

Regards

Jorge Rodriguez
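
The Policy NAT approach described in the reply above, sketched as an added example that is not from the original thread or the linked Cisco document. It assumes pre-8.3 ASA software (where `static ... access-list` is available); the remote translated ranges 10.60.80.0/24 and 10.60.81.0/24, the peer addresses, and all ACL and crypto map names are constructed placeholders.

```cisco
! Assumptions (not from the thread): pre-8.3 ASA syntax, and each remote
! peer presents its own overlapping LAN under a translated range.
! Remote ranges, peer IPs and object names below are placeholders.
! No NAT exemption (nat 0 access-list) entry may match this traffic.

! --- Tunnel A: one-to-one policy static NAT -------------------------
! 192.168.0.x is presented as 10.50.70.x, but only when the destination
! is remote site A's translated range. Works in both directions.
access-list POLICY-NAT-A extended permit ip 192.168.0.0 255.255.255.0 10.60.80.0 255.255.255.0
static (inside,outside) 10.50.70.0 access-list POLICY-NAT-A

! NAT is applied before encryption, so the crypto ACL must match the
! translated source, never the real 192.168.0.0/24.
access-list CRYPTO-A extended permit ip 10.50.70.0 255.255.255.0 10.60.80.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address CRYPTO-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10

! --- Tunnel B: many-to-one policy PAT behind 10.50.70.10 ------------
! The whole LAN hides behind the single address from the question.
! Only sessions initiated from the inside can be translated this way.
access-list POLICY-PAT-B extended permit ip 192.168.0.0 255.255.255.0 10.60.81.0 255.255.255.0
nat (inside) 5 access-list POLICY-PAT-B
global (outside) 5 10.50.70.10

access-list CRYPTO-B extended permit ip host 10.50.70.10 10.60.81.0 255.255.255.0
crypto map OUTSIDE-MAP 20 match address CRYPTO-B
crypto map OUTSIDE-MAP 20 set peer 203.0.113.20
```

To reuse a translation for a further tunnel, add that peer's destination range as another entry in the policy NAT access list and give the tunnel its own crypto ACL. Once traffic flows, `show crypto ipsec sa` should list the translated 10.50.70.x addresses as the local ident, not 192.168.0.x.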