Site-to-Site VPN tunnel with same local subnets

Martijn de Loos
Level 1

Good day all,

For one of our clients I have to set up a Site-to-Site IPsec VPN tunnel from our office building to their office building. On both sides of the tunnel we have a Cisco ASA 5510 on IOS version 9.1.6.

On our side, local subnet 192.168.144.0/24 has to be connected to 192.168.90.0/24 on their side. No problems so far. However, aside from the 90 subnet, our client also has another internal subnet which is the exact same 192.168.144.0/24 subnet. So this is gonna be an issue and simply setting up the VPN tunnel is not gonna work.

Before the ASA, our office had a Draytek Vigor 3900 router. In this router it was possible to set up the tunnel but translate our local 144 subnet to, for example, 192.168.80.0/24. With this trick it was possible to set up the tunnel, but I don't know how and if this is possible in the ASA 5510.

I hope someone can help me out on this one or hook me up with an alternative way to set this up.

Thanks in advance.

PS: I do all configuration on the console except for VPN tunnels. I use the VPN wizard in ASDM to set up tunnels. Can a solution to this issue be carried out in ASDM?

Accepted Solution

There are three solutions to this problem:

  1. Renumbering one site
  2. Adding IPv6 to both networks
  3. Double NAT

Double NAT is what you did on your Draytek and what can also be done in ASDM. When communicating from the internal subnet to the VPN, NAT is done before IPsec.

The easiest way is to translate the local subnet 90 on each ASA to an unused subnet.

For example the left ASA translates 192.168.90.0/24 to 192.168.91.0/24 and the right ASA translates 192.168.90.0/24 to 192.168.92.0/24.

In ASDM you have to configure manual NAT in section one for that.


11 Replies

Hi Karsten,

Thank you for your swift reply.

Double NAT is what I am looking for. Is this in the ASA simply a matter of creating a NAT rule to translate 192.168.144.0/24 to, for example, 192.168.80.0/24 with destination their local subnet 192.168.90.0/24? To what subnet should our client set up his VPN tunnel? To the translated subnet on our side or to the original 144 subnet? I assume to the translated one, but I'd rather double-check.

The NAT-Option to use is "Add NAT Rule Before 'Network Object' NAT Rule..."

There you use an object for 192.168.144.0 (I used the wrong subnets 90 in my post above ...) for the source-address, and an object for your new network (192.168.80.0) as the translated source. The original destination address is the translated network of the other side, the translated destination is "original".

For IPsec, you need to extend the crypto definition to the translated network as the IPsec-tunnel only sees the translated traffic.

Let's say I just create the IPsec tunnel with 192.168.80.0/24 as our local subnet. The other side will configure that 80 subnet as well as Remote Local. Can't I just create the NAT rule then from 144 to 80 without extending the crypto map?

NB: The client side will not NAT anything. They will be using their .90.0/24 subnet to which our tunnel has to connect. I will be the only one performing the double NAT to circumvent the subnet 144 on both sides issue.

192.168.80.0 needs to be the local subnet on one ASA and the remote subnet on the other. But you can't use 192.168.144.0 any more, as this network needs to be hidden on both sides:

  • The left network needs to see the right 144 network as something unique (e.g. 80)
  • The right network also needs to see the left network as something unique (e.g. 81)

The crypto definition has to be 81 -> 80 on the left ASA and 80 -> 81 on the right ASA.

Can you please have a look at what I have so far? Please see the attachment.

You will see the created VPN tunnel, the NAT exemption rule I edited and the crypto map.

I just read your post again (and again) ... The 144 networks don't have to communicate with each other? Only 144 on one side with 90 on the other?

Ok, then your config is fine, and on the other ASA you just have to use a mirrored ACL in the crypto map: 90 -> 80.

On my last post I always had in mind that the networks 144 also have to communicate with each other ... Sorry for any confusion!

Hey, don't be sorry, you taught me something new today! :-) I have never set up a VPN tunnel with double NAT before.

Yes indeed, our local 144 subnet should communicate with their 90 subnet. On their side they have another identical 144 subnet but that is not the one which should communicate with us over VPN. I just mentioned it because it is gonna be a problem when setting up a regular VPN tunnel.

So what I'm trying to achieve is this:
From us to client: 144>>NAT to 80>>VPN>>90
From client to us: 90>>VPN>>80>>NAT from 80 back to 144

Considering the above, is my configuration correct as shown in the screenshot?

Thanks again for your great help!

Yes, your config looks good for that. There is one point that needs to be checked. The connection-profile has the option "NAT Exemption" marked. With that, the ASA automatically generated a NAT rule without any NAT, but that's not what we want to have. Probably that has to be removed.

Alright I set it up without NAT exemption and created the NAT rule manually like you described.

First I tried this out in a lab setting with real hardware. Connected an ASA5505 and an ASA5510 to each other. When setting up the tunnel, nothing happened. At all. The monitoring showed 0 sessions. Not even a negotiation happening. Commands like "sh cry isakmp sa" and "sh cry ipsec sa" said there were no ikev1/2 and ipsec sessions. Logging didn't show anything at all either. Tried the debug monitor in ASDM. Nothing at all there either, like the 2 ASAs weren't communicating or initiating the VPN session at all. Thought it might be my configuration on the tunnel, but when testing out a regular tunnel with a NAT exemption and without the double NAT, nothing happened either. I confirmed both ASAs could ping each other and even the PCs I connected on their inside interface were able to ping each other through regular NAT. But no communication at all when setting up a VPN tunnel. Very confusing. Will just test it out tomorrow in production and let you know if it works.

Thanks again for your help.

I got it working but I had to add 1 extra step. I created the VPN tunnel from my local subnet 80 to their local subnet 90 with a NAT exemption rule (this is necessary otherwise the ASA will try to NAT subnet 80). After the tunnel was created I added another regular NAT rule to translate subnet 144 to 80 and that was it. Works like a charm.
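As an added example (not configuration from the thread or from either poster), this is the ASA CLI equivalent of the setup Karsten describes and Martijn ends up with: a section-1 twice NAT rule on our ASA that translates 192.168.144.0/24 to 192.168.80.0/24 only for traffic to 192.168.90.0/24, a crypto ACL that matches the translated network, and the mirrored ACL on the client's ASA, which does no NAT. Object names, the crypto map name, the transform set, the pre-shared key and the peer addresses (203.0.113.x) are placeholders.

```cisco
! ---- Our ASA: inside = 192.168.144.0/24 (overlaps with a subnet at the client) ----
object network LOCAL-144
 subnet 192.168.144.0 255.255.255.0
object network LOCAL-144-XLATED
 subnet 192.168.80.0 255.255.255.0
object network CLIENT-90
 subnet 192.168.90.0 255.255.255.0
!
! Twice NAT inserted at line 1, i.e. at the top of section 1, so it is evaluated
! before any identity ("NAT exemption") rule the VPN wizard may have generated for
! 192.168.144.0/24. Only traffic destined to the client network is translated;
! Internet-bound traffic still hits the normal PAT rule further down.
nat (inside,outside) 1 source static LOCAL-144 LOCAL-144-XLATED destination static CLIENT-90 CLIENT-90
!
! NAT runs before IPsec, so the crypto ACL must match the translated source;
! the tunnel never sees 192.168.144.0/24.
access-list VPN-CLIENT extended permit ip 192.168.80.0 255.255.255.0 192.168.90.0 255.255.255.0
crypto ikev1 transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-CLIENT
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-PSK
!
! ---- Client ASA: no NAT, it only ever sees us as 192.168.80.0/24 ----
access-list VPN-PARTNER extended permit ip 192.168.90.0 255.255.255.0 192.168.80.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-PARTNER
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
!
! ---- Checks on our ASA ----
! Trace a flow from a 144 host to a 90 host and confirm the twice-NAT rule is hit
! (source rewritten to 192.168.80.x) and the flow reaches the crypto map:
!   packet-tracer input inside tcp 192.168.144.10 1025 192.168.90.10 445
! If the NAT phase shows no translation, a wizard-generated identity rule is
! still matching first; compare rule order with:
!   show nat
! Once the tunnel is up, encaps/decaps counters should increase for the peer:
!   show crypto ipsec sa peer 203.0.113.2
```

IKEv1 policy, interface addressing and the outbound PAT rule are left out as they are unchanged by the double NAT.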