VPN - NAT SOURCE - ASA 8.2(5)

Rodrigo Gurriti
Level 3

Hello,

I have a problem with a site-to-site VPN:

access-list PROXY_ACL_VPN extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0

My INSIDE network is 10.0.0.0/24

The remote site is 192.168.0.0/24

The problem is that I cannot route the remote site on my network since I already have 192.168.0.0 inside my network. Is there a way to NAT this 192.168.0.0/24 to something like 172.16.0.0/24?

nat (outside) 10 192.168.0.0 255.255.255.0 outside

global (inside) 10 172.16.0.0 255.255.255.0

Would that work?

I hear that the new 8.4 code makes it much simpler.

Regards

1 Reply

Eugene Khabarov
Level 7

You can't do destination NAT since you have the same addresses inside your network. This is because of the ASA order of operations. NAT will be performed before routing, so after you NAT your destination, the packet will be forwarded back to the inside interface toward the 192.168.0.0/24 network. It is better to ask the administrator of the opposite site to perform dst NAT on received packets intended for 172.16.0.0, so on your site you will have only a crypto ACL like this:

access-list PROXY_ACL_VPN extended permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0

8.3/8.4 makes NAT syntax much easier, in my opinion.

---

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer"
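
The overlap discussed in this thread can be checked before a tunnel is built. The following Python sketch is an added example, not part of either post: it parses crypto ACL lines in the format used above, flags destinations that collide with locally routed networks, and shows the 1:1 host mapping implied by presenting 192.168.0.0/24 as 172.16.0.0/24. The function names, the `LOCAL_NETS` list and the /24 length of the local 192.168.0.0 network are assumptions made for illustration.

```python
import ipaddress

# Constructed inventory of networks routed behind the local inside interface.
# The /24 length of the local 192.168.0.0 network is an assumption.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/24"),
              ipaddress.ip_network("192.168.0.0/24")]

def parse_crypto_acl(line):
    """Return (source, destination) networks from a line of the form
    'access-list NAME extended permit ip SRC SMASK DST DMASK'."""
    tok = line.split()
    if (len(tok) != 9 or tok[0] != "access-list"
            or tok[2:5] != ["extended", "permit", "ip"]):
        raise ValueError(f"unsupported ACL line: {line!r}")
    # ip_network() rejects malformed masks such as '255.255.0'.
    src = ipaddress.ip_network(f"{tok[5]}/{tok[6]}")
    dst = ipaddress.ip_network(f"{tok[7]}/{tok[8]}")
    return src, dst

def local_conflicts(acl_line, local_nets=LOCAL_NETS):
    """Local networks overlapping the ACL's remote (destination) side.
    Any hit means traffic for the peer is routed back inside instead."""
    _, dst = parse_crypto_acl(acl_line)
    return [net for net in local_nets if dst.overlaps(net)]

def map_host(addr, real_net, mapped_net):
    """1:1 network translation: keep the host bits, swap the prefix."""
    real_net = ipaddress.ip_network(real_net)
    mapped_net = ipaddress.ip_network(mapped_net)
    addr = ipaddress.ip_address(addr)
    if real_net.prefixlen != mapped_net.prefixlen:
        raise ValueError("real and mapped networks must be the same size")
    if addr not in real_net:
        raise ValueError(f"{addr} is not inside {real_net}")
    offset = int(addr) - int(real_net.network_address)
    return mapped_net.network_address + offset

if __name__ == "__main__":
    asked = ("access-list PROXY_ACL_VPN extended permit ip "
             "10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0")
    answered = ("access-list PROXY_ACL_VPN extended permit ip "
                "10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0")
    for acl in (asked, answered):
        hits = local_conflicts(acl)
        print("CONFLICT" if hits else "ok", [str(h) for h in hits], "<-", acl)
    # A remote host as it would be addressed from the local site.
    print(map_host("192.168.0.25", "192.168.0.0/24", "172.16.0.0/24"))
```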
