ASA 5506 VPN site to site with double nat

I have built a site-to-site VPN with another site and it is up.

I also have inside servers which are published with public IPs,

for example:

first server   private (10.10.1.1)  >>> its public (1.1.1.1)

second server   private (10.10.1.2)  >>> its public (1.1.1.2)

Now I want the other site to see the public IP, not the private IP, inside the VPN tunnel,

and I will also see their public IP, not the private one, inside the tunnel.

How is that possible?

Accepted Solutions

GioGonza
Level 4

Hello @mohamed.fawzy2012

 

As far as I understand, you want to perform NAT on both sides of the VPN tunnel and traverse the traffic through it. The changes must be on the NAT and Encryption Domain.

 

The NAT should be between your source translating to your Public IP when the traffic goes to the Public IP on the other side, something like this:

 

nat (inside,outside) source static 10.10.1.1 1.1.1.1 destination static <Public IP Remote Side> <Public IP Remote Side> no-proxy-arp route-lookup

 

They need to do the same change on the Remote side and apply the ACL for the crypto with the Public IPs instead of the private IPs.

 

HTH

Gio
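
The NAT and crypto ACL change described in the accepted answer, written out as an ASA configuration sketch. This is an added example, not part of the original reply: the object names, the ACL name `VPN-CRYPTO`, the crypto map name `OUTSIDE_MAP` with sequence 10, and the remote public address 203.0.113.10 (a constructed documentation address standing in for `<Public IP Remote Side>`) are all assumptions.

```text
! Real and mapped addresses of the two published servers (from the question)
object network SRV1-REAL
 host 10.10.1.1
object network SRV1-PUB
 host 1.1.1.1
object network SRV2-REAL
 host 10.10.1.2
object network SRV2-PUB
 host 1.1.1.2
! Remote side's public address: constructed placeholder, replace with the real one
object network REMOTE-PUB
 host 203.0.113.10

! Twice NAT: translate the source to its public IP only when the destination
! is the remote public IP; the destination itself is left unchanged.
! Twice NAT rules sit in section 1, so they are evaluated before any
! object NAT (section 2) that already publishes the servers.
nat (inside,outside) source static SRV1-REAL SRV1-PUB destination static REMOTE-PUB REMOTE-PUB
nat (inside,outside) source static SRV2-REAL SRV2-PUB destination static REMOTE-PUB REMOTE-PUB

! Encryption domain: the ASA translates before it matches the crypto ACL,
! so the ACL must list the public (post-NAT) addresses, not 10.10.1.x.
access-list VPN-CRYPTO extended permit ip object SRV1-PUB object REMOTE-PUB
access-list VPN-CRYPTO extended permit ip object SRV2-PUB object REMOTE-PUB
crypto map OUTSIDE_MAP 10 match address VPN-CRYPTO

! The remote peer needs the mirror image: its own source NAT to its public IP
! and a crypto ACL of  <its public IP> -> 1.1.1.1 / 1.1.1.2.

! Checks to run from exec mode once both sides are changed:
!   show nat detail
!     (the two twice NAT rules should show translate hits)
!   packet-tracer input inside tcp 10.10.1.1 1025 203.0.113.10 443 detailed
!     (the NAT phase should show 10.10.1.1 -> 1.1.1.1, followed by a VPN encrypt phase)
!   show crypto ipsec sa
!     (local ident should be 1.1.1.1 or 1.1.1.2, never 10.10.1.x)
```

If `show crypto ipsec sa` still lists a 10.10.1.x local identity, the old crypto ACL entries with private addresses are still matching, or traffic is hitting an earlier NAT rule; stale entries should be removed so that private addresses are no longer part of the encryption domain.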