We are trying to bring up a L2L VPN to a vendor. The vendor's IP addresses overlap with one of our internal subnets. The vendor claims that they cannot apply a NAT on their side. Is there a way to configure NAT on my side to NAT the remote host? I tried creating a static entry
static (inside,outside) globalIP localIP subnet
The NAT seems to work, at least according to the xlate table, but I cannot bring up the tunnel.
1) will this actually work?
2) how should I define "interesting" traffic? Using the remote NAT or the remote real IP?
Thank you.
Jason
Hi Jason,
This is the packet flow in the ASA:
PIX/ASA - VPN - Inside (Higher Sec_Lev) to Outside (Lower SEC_Level)
---------------------------------------------------------------
Eg. Type - [Sub-Type] - Description
1. FLOW-LOOKUP - [] - Check for existing connections; if none found, create a new connection.
2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
3. ACCESS-LIST - [log] - ACL Lookup
4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
5. IP-OPTIONS - [] -
6. NAT - [] - xlate
7. NAT - [host-limits] -
8. VPN - [encrypt] -
9. VPN - [ipsec-tunnel-flow] -
10. IP-OPTIONS - [] -
11. FLOW-CREATION - [] - If everything passes up until this point, a connection is created.
12. FLOW-LOOKUP - [] - On the new header
13. ACCESS-LIST - [] - On the new header
14. FLOW-CREATION - [] -
15. ROUTE-LOOKUP - [output and adjacency]
Since route lookup is done before NAT, you have to change the IP address scheme at your end or ask them to NAT.
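An added configuration example, not from either poster, showing how the pre-8.3 ASA `static` syntax (the same form used in the question) handles an overlapping subnet with two translations instead of one. All addresses, ACL and crypto-map names are constructed, the interfaces are assumed to be named inside and outside, and the IKE policy and tunnel-group pre-shared key are left out. The idea is that each side of the overlap gets its own mapped range: `static (inside,outside)` presents the local subnet to the vendor under a mapped address, and `static (outside,inside)` lets inside hosts reach the vendor's real subnet through a second mapped range. Because the NAT step runs before the VPN encrypt step in the flow above, the crypto ACL matches the post-NAT packet: mapped local source, real vendor destination.

```cisco
! Constructed addresses: both sides really use 192.168.1.0/24.
! Local hosts are presented to the vendor as 10.1.1.0/24.
! Vendor hosts are reached from inside as 10.2.2.0/24.

! 1. Outbound source translation: local 192.168.1.0/24 -> 10.1.1.0/24
static (inside,outside) 10.1.1.0 192.168.1.0 netmask 255.255.255.0

! 2. Destination translation: inside hosts send to 10.2.2.x and the ASA
!    untranslates the destination to the vendor's real 192.168.1.x
static (outside,inside) 10.2.2.0 192.168.1.0 netmask 255.255.255.0

! 3. Interesting traffic is evaluated after NAT, so it is written as
!    mapped local source -> real vendor destination
access-list VENDOR-VPN extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

! 4. IPsec proposal and crypto map (peer address and names are placeholders)
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VENDOR-VPN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! The vendor's mirror-image crypto ACL is then
!   permit ip 192.168.1.0/24 (their real range) -> 10.1.1.0/24 (our mapped range)
! and they keep 192.168.1.x for themselves with no NAT on their side.
```

To verify, send traffic from an inside host to a 10.2.2.x address and check `show xlate` for both translations and `show crypto ipsec sa` for rising encaps/decaps counters on the VENDOR-VPN proxy identity. On 8.3 and later the two statics collapse into a single twice-NAT rule (`nat (inside,outside) source static ... destination static ...`), but the crypto ACL still has to name the mapped local range, because NAT is still applied before the packet is matched against the crypto map.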