11-20-2017 07:34 PM - edited 03-12-2019 04:45 AM
I have to set up a site-to-site VPN between 2 ASAs. One ASA is required to NAT the source network (local) (192.168.10.0/28) out the VPN tunnel as (10.10.10.8/28). I am unclear on how to accomplish this. How do I create these NATs for the VPN, while continuing to NAT the normal (non-VPN) traffic from that same local subnet out as it is now?
11-21-2017 12:16 AM - edited 11-21-2017 12:17 AM
You need to configure twice-NAT (here it's a policy-NAT). The source is translated from the object containing the network 192.168.10.0/28 to an object containing the network 10.10.10.X/28 (btw: .8 is not a valid network for a /28 subnet). In the NAT rule you also configure a destination object of the remote network which NATs to itself. It could look like the following:
nat (inside,outside) source static obj-192.168.10.0 obj-10.10.10.x destination static REMOTE-NET REMOTE-NET
Your crypto definition has to use the 10.10.10 network, not the 192.168.10 one.
11-22-2017 07:28 AM
Ok, thank you. This makes sense. My next question is how to configure the one-to-one NATs over the VPN. For example, let's say I have ServerA (192.168.10.10) that needs to be NATted over the VPN as 10.10.10.10, but also needs to be NATted as 71.71.17.17 out to the public internet.
How would I accomplish that?
06-04-2020 11:47 PM
Here you have to think about the order of the NAT processing.
If you want to NAT a specific host through the VPN, this statement has to be placed before the NAT-exemption in section 1.
The specific NAT to the internet has to be placed before the general PAT to your interface or PAT pool. I always put these statements in section 3.
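The following is an added example (not taken from this thread or from Cisco documentation) that puts the accepted answer's twice-NAT rule and the ordering advice above into one ASA configuration. It assumes a remote LAN of 172.16.20.0/24 (a placeholder), the interface names inside/outside, and the crypto map name OUTSIDE-MAP; ServerA, 71.71.17.17 and the 192.168.10.0/28 to 10.10.10.0/28 translation come from the thread. Because a static subnet-to-subnet translation keeps the host part of the address, 192.168.10.10 already appears as 10.10.10.10 to the remote site without a separate host rule.

```cisco
! --- objects (names are constructed for this example) ---
object network LOCAL-REAL
 subnet 192.168.10.0 255.255.255.240
object network LOCAL-VPN-MAPPED
 subnet 10.10.10.0 255.255.255.240
object network REMOTE-NET
 subnet 172.16.20.0 255.255.255.0
object network SERVERA
 host 192.168.10.10
object network SERVERA-PUBLIC
 host 71.71.17.17
!
! --- Section 1: manual (twice) NAT, matched top-down, first match wins ---
! VPN policy NAT: only traffic to REMOTE-NET is translated to 10.10.10.0/28.
! This line must sit above any VPN NAT exemption (identity rule) in section 1.
nat (inside,outside) source static LOCAL-REAL LOCAL-VPN-MAPPED destination static REMOTE-NET REMOTE-NET
!
! --- Section 3 (after-auto): internet rules, evaluated only if section 1/2 did not match ---
! Host-specific static NAT for ServerA is listed before the general interface PAT,
! so it wins for ServerA while every other host still uses the interface address.
nat (inside,outside) after-auto source static SERVERA SERVERA-PUBLIC
nat (inside,outside) after-auto source dynamic LOCAL-REAL interface
!
! --- crypto ACL references the MAPPED network, not the real one ---
access-list VPN-ACL extended permit ip 10.10.10.0 255.255.255.240 172.16.20.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-ACL
!
! --- verification: confirm which rule a flow hits and that it is sent into the tunnel ---
show nat detail
packet-tracer input inside tcp 192.168.10.10 12345 172.16.20.5 443
packet-tracer input inside tcp 192.168.10.10 12345 203.0.113.10 443
```

In the two packet-tracer runs, the first should show the section 1 rule translating 192.168.10.10 to 10.10.10.10 and a VPN encryption phase, while the second (to a documentation address standing in for the internet) should show the after-auto static rule translating to 71.71.17.17. The remote ASA needs the mirror image: its crypto ACL and any rules permitting the traffic must reference 10.10.10.0/28, which is the only address range it ever sees from this side.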
06-05-2020 08:03 AM
What does a simulation in Packet-Tracer show you?
06-05-2020 08:08 AM
ASA1 packet tracer shows VPN allowed - packets are sent and I see encaps but no decaps - I think this side is configured correctly. ...ASA1 has a noNAT rule (NAT exemption)
ASA2 packet tracer shows ACL drop - this is where the NAT (10.10.10.0 to 192.168.0.0) rule is applied.
06-05-2020 09:08 AM
Does the Drop happen in the Interface ACL? Then check that and allow the traffic accordingly.
06-05-2020 09:33 AM
Hmm .. I don't manage the remote ASA2 but will check next time when I get a chance. Seems to me that because the traffic comes from their "inside" interface it should be allowed by default (but like I said I will check).
11-06-2022 01:57 AM
I have the same issue trying to source NAT traffic going to a remote site using VPN. I have found that you need to specify any instead of the interface where the tunnel terminates, see below:
nat (inside,outside) source static any NAT_Hide destination static 172.16.50.236 172.16.50.236 <----traffic is NAT'ed but goes out the outside interface not the tunnel
nat (inside,any) source static any NAT_Hide destination static 172.16.50.236 172.16.50.236 <----traffic is NAT'ed and goes out via the tunnel
I tested with 9.12(4) and 9.9(2)
12-08-2022 08:04 AM
Please help me on this. I have an ASA and my internal IP is 10.0.0.0/24 (LAN and RA VPN IP range) and my destination is 192.168.1.1/32. Now I want communication between them via site-to-site VPN, but when I need to send the traffic to 192.168.1.1 it should be converted to 11.0.0.0/24.