Site to Site VPN - NAT Internal Network

mattesong
Level 1

Hello All,

I have a site to site VPN setup (both sites have Cisco ASAs) where my internal network is 192.168.1.0/24 and the other site's internal network happens to have the exact same internal network. Is there a way that I can NAT my internal address to 172.18.1.0/24 and have that work? It should then allow both sites to successfully communicate. Thank you.

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

You will have to NAT at both ends of the L2L VPN connection. This is because even if you NAT the other end to a different network it will still mean that this site would have to connect to a destination address that is seemingly in its own network and the connections would fail.

The configuration format depends on your ASA's software level.

Software 8.2 (and below)

access-list L2LVPN-POLICYNAT remark Policy NAT for L2L VPN
access-list L2LVPN-POLICYNAT permit
static (inside,outside) access-list L2LVPN-POLICYNAT

Software 8.3 (and above)

object network LAN
 subnet
object network LAN-NAT
 subnet
object network REMOTE
 subnet
nat (inside,outside) source static LAN LAN-NAT destination static REMOTE REMOTE

Be sure to use the correct networks in the above statements. The destination network in the configurations is naturally the NAT network the other site is using.

In the same way, you will have to make sure that your L2L VPN connection's crypto ACL uses the local NAT network as the source and the remote NAT network as the destination.

Hope this helps

- Jouni

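A worked version of the answer above with the original poster's addresses filled in, added here as an example; it is not Jouni's configuration or Cisco documentation. It assumes the other site presents its own 192.168.1.0/24 as 172.18.2.0/24 (any network that collides with neither real LAN nor the other NAT network would do), that the interfaces are named inside and outside, and that the object and ACL names are illustrative. Site B's configuration is the mirror image of Site A's, and the 8.2 equivalent is shown for Site A only.

```cisco
! Site A ASA, software 8.3 or later.
! Real LAN 192.168.1.0/24 is presented to Site B as 172.18.1.0/24 (the poster's choice).
! ASSUMPTION: Site B presents its own 192.168.1.0/24 as 172.18.2.0/24.
! ASSUMPTION: interfaces are named inside/outside; object and ACL names are illustrative.
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network LAN-NAT
 subnet 172.18.1.0 255.255.255.0
object network REMOTE
 subnet 172.18.2.0 255.255.255.0
!
! Manual (twice) NAT: translate our LAN to LAN-NAT only when the destination is the
! remote site's NAT network. Placed at line 1 so it is evaluated before any general
! PAT-to-outside rule that would otherwise catch this traffic first.
nat (inside,outside) 1 source static LAN LAN-NAT destination static REMOTE REMOTE
!
! The crypto ACL matches the translated addresses, not the real 192.168.1.0/24.
access-list L2LVPN-CRYPTO extended permit ip 172.18.1.0 255.255.255.0 172.18.2.0 255.255.255.0
!
! Site B ASA: same real LAN, NAT networks swapped.
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network LAN-NAT
 subnet 172.18.2.0 255.255.255.0
object network REMOTE
 subnet 172.18.1.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN-NAT destination static REMOTE REMOTE
access-list L2LVPN-CRYPTO extended permit ip 172.18.2.0 255.255.255.0 172.18.1.0 255.255.255.0
!
! Equivalent on software 8.2 and earlier (Site A shown): policy NAT keyed on the
! destination, with the mapped network given to the static command. The crypto ACL
! is the same as above.
access-list L2LVPN-POLICYNAT remark Policy NAT for L2L VPN
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 172.18.2.0 255.255.255.0
static (inside,outside) 172.18.1.0 access-list L2LVPN-POLICYNAT
!
! Verification from Site A: host 192.168.1.10 reaching Site B's 192.168.1.20 must
! address it as 172.18.2.20. packet-tracer should show the NAT phase rewriting the
! source to 172.18.1.10 and the VPN phase selecting the tunnel; the other two
! commands confirm the rule hit counts and that the IPsec SA came up.
packet-tracer input inside tcp 192.168.1.10 12345 172.18.2.20 443
show nat detail
show crypto ipsec sa
```

Hosts at each site reach the far side only through the far side's NAT network (172.18.2.x from Site A, 172.18.1.x from Site B), since the real 192.168.1.0/24 addresses are local at both ends. The two crypto ACLs must be exact mirror images of each other, otherwise the phase 2 proxy identities will not match and the tunnel will not establish.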

2 Replies

Thank you, this has been very helpful. Hopefully I won't break anything!

- Gabe
