Will NAT statements conflict?

Matt Roberts
Level 1

I need to NAT the following

inside 172.2.1.1/25 to outside 10.1.4.1/28

I also have the 172.2.x.x range in another NAT statement that does a dynamic NAT for accessing the internet. Will these conflict?

13 Replies

Jouni Forss
VIP Alumni

Hi,

Could you clarify a bit.

Are you saying that you want to configure a Static NAT between the mentioned IPs or are you going to configure some sort of Dynamic NAT?

Usually the Static NAT will override the Dynamic NAT but this can vary depending on the firewall software. What is your firewall software? Can you give any NAT configurations here?

What is the purpose of this NAT from inside to outside with both IPs being private? (EDIT: Well actually I guess the inside IP isn't actually a private IP from the 172.16.0.0/12 range) Some VPN related NAT configuration?

- Jouni

I need to nat the network 172.2.1.0/25 subnet to 10.1.4.1/28 yes this is for VPN.

I also have the 172.2.1.0/25 subnet in another NAT statement for internet access. I guess my question is: will there be a conflict if the source address is in two NAT statements?

Since we are talking about a NAT configuration that is supposed to serve a L2L VPN connection then you should naturally configure a Dynamic Policy NAT+PAT since the real and mapped networks aren't of equal size. (since the NAT Pool is smaller your hosts using the VPN might run out of NAT addresses)

Dynamic Policy NAT+PAT should also be used because you want this NAT to apply only when users are connecting to a specific network(s) behind a L2L VPN connection. This way it won't overlap/interfere with your default Dynamic PAT/NAT configuration.

For ASA 8.2 (and older) software levels

  • The ACL defines the situation where this NAT applies
    • Think of it as "when this source network connects to this remote network THEN apply this NAT"

access-list DYNAMIC-POLICYNAT remark Define the Traffic that Needs the Policy NAT
access-list DYNAMIC-POLICYNAT permit ip 172.2.1.0 255.255.255.128
global (outside) 100 10.1.4.1-10.1.4.13
global (outside) 100 10.1.4.14
nat (inside) 100 access-list DYNAMIC-POLICYNAT

For ASA 8.3 (and newer) software levels

  • Operation is the same as above but the configuration format is for the new NAT configuration format introduced in 8.3(1) software

object network REMOTE-LAN
subnet
object network LOCAL-LAN
subnet 172.2.1.0 255.255.255.128
object network NAT-POOL
range 10.1.4.1 10.1.4.13
object network PAT
host 10.1.4.14
object-group network NAT+PAT
network-object object NAT-POOL
network-object object PAT
nat (inside,outside) source dynamic LOCAL-LAN NAT+PAT destination static REMOTE-LAN REMOTE-LAN

Naturally in both cases minor adjustments might be needed depending on the number of hosts/networks on the remote side of the L2L VPN.

Hopefully this helps. Please rate if so and mark the question as answered if it did.

Otherwise ask more if I understood something wrong

- Jouni
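The sizing and scoping points in the reply above can be checked before anything is typed into the firewall. The Python below is an added example, not code from this thread or from Cisco. It models the two rules under discussion: the VPN policy NAT+PAT with the 10.1.4.1-10.1.4.13 pool and the 10.1.4.14 PAT address, and a catch-all Internet PAT for 172.2.0.0/16 using a constructed public address (203.0.113.10). It reads the question's "10.1.4.1/28" as the 10.1.4.0/28 block, uses 10.101.240.5/32 as a stand-in REMOTE-LAN, and assumes that the ASA evaluates manual NAT rules top-down with the first match winning. It reports how many of the /25's hosts would spill over to the PAT address and whether placing the catch-all rule above the policy rule would shadow it.

```python
"""Model the two NAT rules from the thread and check pool sizing and
rule ordering before the configuration reaches the ASA."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    name: str
    real: IPv4Network                  # source network being translated
    dest: IPv4Network                  # destination scope; 0.0.0.0/0 means any
    pool_start: IPv4Address            # first mapped address
    pool_end: IPv4Address              # last mapped address (equal to start for PAT-only)
    pat: Optional[IPv4Address] = None  # fallback PAT address once the pool is exhausted

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.real and dst in self.dest

    def pool_size(self) -> int:
        return int(self.pool_end) - int(self.pool_start) + 1

    def pool_addresses(self) -> List[IPv4Address]:
        return [ip_address(a) for a in range(int(self.pool_start), int(self.pool_end) + 1)]


def pool_fits_block(rule: NatRule, block: IPv4Network) -> bool:
    """Every pool address and the PAT address must be a usable host of the
    mapped block, and the PAT address must not also sit inside the pool."""
    hosts = set(block.hosts())
    addrs = rule.pool_addresses()
    if rule.pat is not None and (rule.pat in addrs or rule.pat not in hosts):
        return False
    return all(a in hosts for a in addrs)


def hosts_beyond_pool(rule: NatRule) -> int:
    """Real hosts that cannot get a one-to-one pool address if all are active
    at once (the 'might run out of NAT addresses' point); they fall back to
    the PAT address, which is why the mapped group includes one."""
    return max(0, sum(1 for _ in rule.real.hosts()) - rule.pool_size())


def first_match(rules: List[NatRule], src: str, dst: str) -> Optional[str]:
    """Assumed ASA manual-NAT semantics: rules are evaluated top-down and the
    first match wins, so which translation a flow gets depends on rule order."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d):
            return rule.name
    return None


def shadowed_rules(rules: List[NatRule]) -> List[str]:
    """Rules whose whole (real, dest) scope is covered by an earlier rule can
    never match; a shadowed VPN policy rule silently breaks the tunnel."""
    shadowed = []
    for i, later in enumerate(rules):
        if any(later.real.subnet_of(earlier.real) and later.dest.subnet_of(earlier.dest)
               for earlier in rules[:i]):
            shadowed.append(later.name)
    return shadowed


# Constructed from the thread's values; REMOTE-LAN is one of the hosts the
# asker listed later (assumption: a /32 destination).
VPN_POLICY = NatRule("VPN-POLICY", ip_network("172.2.1.0/25"),
                     ip_network("10.101.240.5/32"),
                     ip_address("10.1.4.1"), ip_address("10.1.4.13"),
                     pat=ip_address("10.1.4.14"))
# Catch-all Internet PAT; the public address is a constructed TEST-NET value.
INTERNET = NatRule("INTERNET-PAT", ip_network("172.2.0.0/16"),
                   ip_network("0.0.0.0/0"),
                   ip_address("203.0.113.10"), ip_address("203.0.113.10"))

CORRECT_ORDER = [VPN_POLICY, INTERNET]   # policy NAT above the catch-all
WRONG_ORDER = [INTERNET, VPN_POLICY]     # catch-all first: VPN rule never fires

if __name__ == "__main__":
    print("pool fits 10.1.4.0/28:", pool_fits_block(VPN_POLICY, ip_network("10.1.4.0/28")))
    print("hosts beyond the pool:", hosts_beyond_pool(VPN_POLICY))
    print("VPN flow hits:", first_match(CORRECT_ORDER, "172.2.1.5", "10.101.240.5"))
    print("Internet flow hits:", first_match(CORRECT_ORDER, "172.2.1.5", "198.51.100.7"))
    print("shadowed if reversed:", shadowed_rules(WRONG_ORDER))
```

With the pool of 13 addresses against 126 usable hosts in the /25, 113 hosts would have to share the PAT address if every host were active at once, which is the reason the mapped group carries both objects. The ordering check is the cheap way to catch the conflict the question asks about: the two rules do overlap in address space, and only the policy rule's destination scope and its position above the catch-all keep the Internet PAT from swallowing VPN traffic.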

I think I understand. What would the remote-lan be?

Hi,

If you are configuring a specific NAT for a L2L VPN connection then the remote lan would naturally be the remote network of the L2L VPN connection. Naturally depending on your VPN setup there might be multiple remote networks or even just a single host. I can only guess since you have only given information about the source network to be NATed and the actual NAT addresses to be used.

The main point here is that we define the new NAT so that it only applies to the traffic using the VPN connection and won't affect the Internet traffic at all.

- Jouni

So I create a group that has my nat-pool and a pat? That I don't understand. Everything else I understand.

So are you saying that your firewall is running 8.3+ software?

I gave examples of the same NAT configuration for 2 different NAT configuration formats depending on the software level of your firewall.

If you are using 8.3 or newer software then here is the explanation for the above mentioned NAT configuration

object network REMOTE-LAN
subnet
object network LOCAL-LAN
subnet 172.2.1.0 255.255.255.128
object network NAT-POOL
range 10.1.4.1 10.1.4.13
object network PAT
host 10.1.4.14
object-group network NAT+PAT
network-object object NAT-POOL
network-object object PAT
nat (inside,outside) source dynamic LOCAL-LAN NAT+PAT destination static REMOTE-LAN REMOTE-LAN

  • REMOTE-LAN = Is used to define the destination network(s) for this NAT configuration
  • LOCAL-LAN = Is used to define the source network(s) for this NAT configuration
  • NAT-POOL = Is used to define the NAT Pool address range
  • PAT = Is used to define the PAT address for situations where the NAT-POOL runs out
  • NAT+PAT = Is used to group the NAT-POOL and PAT objects under a single object that we can then use in the NAT configuration
  • nat = Is the actual NAT configuration line that says that the network under LOCAL-LAN will be translated to some IP address under the NAT+PAT when the connection is taken towards REMOTE-LAN

I could give more specific answer if I knew more about your specific situation.

- Jouni

I'm running 8.6

My remote lan object would be various hosts and not a subnet. I created a group for this but the nat command is barking at me.

It says subnet can not be used as mapped source in dynamic NAT policy.

This is how it would look. The remote LAN is various hosts.

NAT Pool               Remote-LAN
10.1.4.112/28  ------->  10.101.240.5 255.255.255.255
10.1.4.112/28  ------->  10.105.1.33 255.255.255.255
10.1.4.112/28  ------->  10.105.1.50 255.255.255.255
10.1.4.112/28  ------->  10.105.1.53 255.255.255.255
10.1.4.112/28  ------->  10.241.13.20 255.255.255.255

Hi,

If you need to define multiple hosts or networks in the REMOTE-LAN object then you can configure it as an "object-group network REMOTE-LAN".

For example

object-group network REMOTE-LAN
  network-object host 10.101.240.5
  network-object host 10.105.1.33
  network-object host 10.105.1.50
  network-object host 10.105.1.53
  network-object host 10.241.13.20
object network LOCAL-LAN
subnet 172.2.1.0 255.255.255.128
object network NAT-POOL
range 10.1.4.1 10.1.4.13
object network PAT
host 10.1.4.14
object-group network NAT+PAT
network-object object NAT-POOL
network-object object PAT
nat (inside,outside) source dynamic LOCAL-LAN NAT+PAT destination static REMOTE-LAN REMOTE-LAN

- Jouni

Hi,

I inserted completely wrong example IPs in the above reply at first.

It's now edited with the example IPs you gave in an earlier reply.

- Jouni

Tried that; this is the error I'm getting:

ERROR: Subnet can not be used as mapped source in dynamic NAT policy.

Hi,

You are most probably trying to configure something different than what I have written above.

I have tested this on my own ASA and there are no problems.

What is the exact NAT configuration and the related objects and object-groups you are trying to insert?

- Jouni
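The rejected command is never resolved in the thread. The following Python is an added example, not code from this thread, the asker, or Cisco: a small pre-flight checker for the object-based NAT form used above. It parses the object, object-group and nat lines in the shape Jouni posted, flattens nested object references, and flags an undefined object or a dynamic rule whose mapped-source group resolves to a subnet object. That last check encodes my reading of the quoted error message (a dynamic NAT mapped source defined with subnet rather than range or host); the thread does not confirm that this is what happened. GOOD_CONFIG is Jouni's final example, and BAD_CONFIG is constructed from the asker's 10.1.4.112/28 table to show the check firing.

```python
"""Pre-flight checker for the 8.3+ object-based NAT form used in the thread."""
import re
from typing import Dict, List, Optional, Set, Tuple

Objects = Dict[str, List[Tuple[str, str]]]   # object name -> [(kind, value), ...]

OBJECT_HEADER = re.compile(r"object(?:-group)? network (\S+)$")
OBJECT_ENTRY = re.compile(r"(?:network-object )?(host|subnet|range|object) (.+)$")
NAT_LINE_RE = re.compile(
    r"nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?$")


def parse_asa_objects(config: str) -> Objects:
    """Collect the bodies of `object network` and `object-group network`
    blocks. Only the keywords used in the thread are understood; a nested
    `network-object object X` is stored as a reference by name."""
    objs: Objects = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        header = OBJECT_HEADER.match(line)
        if header:
            current = header.group(1)
            objs.setdefault(current, [])
            continue
        entry = OBJECT_ENTRY.match(line)
        if entry and current is not None:
            objs[current].append((entry.group(1), entry.group(2)))
            continue
        current = None          # any other top-level line ends the block
    return objs


def leaf_kinds(objs: Objects, name: str, seen: Optional[Set[str]] = None) -> List[str]:
    """Flatten nested references down to the host/subnet/range entries."""
    if seen is None:
        seen = set()
    if name in seen:            # guard against a reference loop
        return []
    seen.add(name)
    kinds: List[str] = []
    for kind, value in objs.get(name, []):
        if kind == "object":
            kinds.extend(leaf_kinds(objs, value, seen))
        else:
            kinds.append(kind)
    return kinds


def check_nat_line(objs: Objects, line: str) -> List[str]:
    """Return the problems found; an empty list means the rule passes the
    checks this script knows about."""
    m = NAT_LINE_RE.match(line.strip())
    if not m:
        return ["unrecognised nat syntax"]
    mode, real, mapped = m.group(3), m.group(4), m.group(5)
    names = [real, mapped] + ([m.group(6), m.group(7)] if m.group(6) else [])
    problems = [f"object {n} is not defined" for n in names if n not in objs]
    if mapped in objs and not leaf_kinds(objs, mapped):
        problems.append(f"mapped source {mapped} is empty")
    # Assumed cause of the quoted ASA error: the mapped source of a dynamic
    # rule resolves to a subnet object rather than range/host entries.
    if mode == "dynamic" and "subnet" in leaf_kinds(objs, mapped):
        problems.append(f"mapped source {mapped} contains a subnet; dynamic NAT needs range/host")
    return problems


# Constructed input: Jouni's final example with the asker's remote hosts.
GOOD_CONFIG = """
object-group network REMOTE-LAN
 network-object host 10.101.240.5
 network-object host 10.105.1.33
 network-object host 10.105.1.50
 network-object host 10.105.1.53
 network-object host 10.241.13.20
object network LOCAL-LAN
 subnet 172.2.1.0 255.255.255.128
object network NAT-POOL
 range 10.1.4.1 10.1.4.13
object network PAT
 host 10.1.4.14
object-group network NAT+PAT
 network-object object NAT-POOL
 network-object object PAT
"""
# Constructed variant: the pool written as the asker's 10.1.4.112/28 subnet.
BAD_CONFIG = GOOD_CONFIG.replace(" range 10.1.4.1 10.1.4.13",
                                 " subnet 10.1.4.112 255.255.255.240")
NAT_LINE = ("nat (inside,outside) source dynamic LOCAL-LAN NAT+PAT "
            "destination static REMOTE-LAN REMOTE-LAN")

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_nat_line(parse_asa_objects(cfg), NAT_LINE) or "ok")
```

Running the checker over a candidate configuration before pasting it into the ASA turns the firewall's one-line rejection into a pointer at the offending object, which is exactly the information Jouni is asking for in the last reply.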
