04-04-2012 12:09 AM
Hi,
I'd need to set up site-to-site VPN using ASA 5505 and software 8.2.
LAN1 is 10.1.0.0/24, LAN2 is 10.2.0.0/24
The particular thing among the others I've ever set up is that I have to show up to LAN1 as 172.16.1.0/24, and not as 10.1.0.0/24.
I have 10.1.0.0/24 as a NAT exempt rule, in order to make packets travel the IPsec tunnel, but how can I set up a NAT rule in order to modify LAN2 address and show up to LAN1 as 172.16.1.x instead of 10.2.0.x?
Thanks a lot
Ciao
04-04-2012 12:20 AM
Hi,
Is the remote end device also an ASA?
Do you have control over it?
You can (for example) do a Policy NAT on the remote site to achieve this:
access-list L2L-VPN-POLICYNAT permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
static (inside,outside) 172.16.1.0 access-list L2L-VPN-POLICYNAT
Please also remember that you have to take this into account in the VPN configurations as the LAN2 will not be showing to the L2L VPN connection anymore with its original IP address.
You will have to modify the "crypto map
Please rate if it was helpful
- Jouni
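Added example, not part of the original reply: how the policy NAT above lines up with the encryption domain on an ASA running 8.2. The names L2L-VPN-CRYPTO and OUTSIDE_MAP and the sequence number 10 are assumptions; use the ones already in your configuration.

```cisco
! Device in front of 10.2.0.0/24 (ASA 8.2 syntax).
! Policy NAT from the reply above: 10.2.0.x is presented as 172.16.1.x,
! but only for traffic going to 10.1.0.0/24.
access-list L2L-VPN-POLICYNAT permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
static (inside,outside) 172.16.1.0 access-list L2L-VPN-POLICYNAT
!
! The crypto ACL is checked after NAT, so it must use the translated source.
! An entry that still says 10.2.0.0 will never match and no SA is built.
! (L2L-VPN-CRYPTO / OUTSIDE_MAP / 10 are assumed names.)
access-list L2L-VPN-CRYPTO extended permit ip 172.16.1.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L-VPN-CRYPTO
!
! On 8.2 a NAT exemption (nat 0 access-list) is evaluated before static
! policy NAT. If the nat 0 ACL still contains an entry for
! 10.2.0.0/24 -> 10.1.0.0/24, that traffic is exempted and leaves
! untranslated, so that entry has to be removed.
!
! The peer needs the mirror image as its encryption domain:
!   local 10.1.0.0/24, remote 172.16.1.0/24
! It should not reference 10.2.0.0/24 at all.
!
! Checks after the change:
!   show xlate                  (static translation to 172.16.1.x is present)
!   show crypto ipsec sa        (local ident 172.16.1.0/24, remote ident 10.1.0.0/24)
```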
04-04-2012 12:51 AM
No JouniForss,
I don't have any access to remote router.
But if I have to ask them something, just tell me what to ask.
Ciao and thanks
04-04-2012 03:26 AM
Hi,
Could you explain a bit more about the situation?
I mean like the following things
For one I would suggest that you handle the NAT at the local device of the network that needs to be visible with a different network/address to the L2L VPN connection.
You will also have to take this into consideration in the encryption domain configurations of the ASA and the remote router. This is of course because the site1/site2 networks for the L2L VPN won't be the same anymore after the NAT has been applied.
- Jouni