
Private to Private NAT on IPSEC VPN

Hi Experts,

We're planning to build an IPSEC Site to Site VPN with our clients. Our internal subnet for the VPN domain is 172.16.0.0/24. In order to hide our internal LAN, we've been asked to NAT to another private subnet so this can be advertised as the VPN domain. This looks like Private to Private NAT. I'm not sure about this.

Could someone please advise me with a model configuration? We're using Version 9.6(2). Thanks in advance.

Accepted Solutions

This should be fine.

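! Real inside subnet
object-group network private-inside
 network-object 172.16.0.0 255.255.255.0

! Subnet presented to the client as the VPN domain
object-group network private-outside
 network-object 192.168.0.0 255.255.255.0

! Client's LAN: network address and mask
object-group network remote-lan
 network-object x.x.x.x x.x.x.x

nat (inside,vpn) source static private-inside private-outside destination static remote-lan remote-lan no-proxy-arp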

3 Replies

Great article... :) But what about on the ACL level? Which obj network do we use? The priv-outside or the private inside? I assume the outside...?

Hi Fotiosmark,

If you're using Version 8.3+, we'll use the REAL IP (private inside) in the ACL instead of the NAT'd IP.
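
The address choice discussed in this thread, laid out as an added configuration example (not from the original posts or from Cisco): on 8.3+ an interface ACL is written with the real subnet, while the crypto ACL is checked after NAT and so names the mapped subnet. The object names, ACL names, the crypto map name `CMAP` and the 10.50.0.0/24 remote LAN are constructed placeholders; the `inside` and `vpn` interface names follow the answer above.

```cisco
! Constructed example: all names and the remote LAN are placeholders
object network LOCAL-REAL
 subnet 172.16.0.0 255.255.255.0
object network LOCAL-MAPPED
 subnet 192.168.0.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.50.0.0 255.255.255.0
!
! Twice NAT: the source is translated only when the destination is the
! remote LAN. Real and mapped subnets are the same size, so host bits
! are preserved (172.16.0.10 appears to the client as 192.168.0.10).
nat (inside,vpn) source static LOCAL-REAL LOCAL-MAPPED destination static REMOTE-LAN REMOTE-LAN no-proxy-arp
!
! Crypto ACL (interesting traffic): matched after NAT, so the local side
! is the mapped subnet. The client's crypto ACL must mirror it:
! their LAN -> 192.168.0.0/24.
access-list VPN-TRAFFIC extended permit ip object LOCAL-MAPPED object REMOTE-LAN
crypto map CMAP 10 match address VPN-TRAFFIC
!
! Interface ACL: on 8.3+ written with the real (untranslated) addresses.
! Binding a new ACL to inside adds an implicit deny for everything else,
! so merge this entry into the existing inside ACL if one is in place.
access-list INSIDE-IN extended permit ip object LOCAL-REAL object REMOTE-LAN
access-group INSIDE-IN in interface inside
```

To check the result, `packet-tracer input inside tcp 172.16.0.10 12345 10.50.0.10 443 detailed` should show the source rewritten to 192.168.0.10 in the NAT phase before the VPN encrypt phase.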