Configuring VPN on ASA with NAT

claude.fozao
Level 1

Dear all,

I have a VPN connection to set up with my partner, and he has given me a private range of addresses to use as my private addresses. What I have to do is NAT my private addresses to the private addresses he gave me. Let's assume that the addresses given to me are X.X.X.X mask 255.255.255.40 and my private address is Y.Y.Y.Y with mask 255.255.255.255. I have to NAT Y.Y.Y.Y to X.X.X.X, but when I did that, the VPN is not working. Find my config below:

global (outside) 2 X.X.X.17-X.X.X.30

nat (inside) 2 access-list ACL_NAME

access-list ACL_NAME defines the TRAFFIC to NAT from my private IP to remote private network.

When I NAT, the source address of my packets changes. When defining my interesting traffic using an ACL, what will I use as the source address? Will I use the original IP address or the NATed address?

Is it possible to NAT traffic that I am going to encrypt?

I will be very grateful for your help as usual.

Regards

3 Replies

Hi Claude,

Let us use the following terms:

Your original IP address range: y.y.y.y

For the VPN's sake, traffic is being NAT'ed to: x.x.x.x

Subnet mask: m.m.m.m

access-list VPN-policy perm ip y.y.y.y to

nat (inside) VPN-Policy

global (outside) x.x.x.x

So far so good as you have already configured.

VPN interesting traffic has to be from the NAT'ed IP address range, i.e. x.x.x.x to

We are going to encrypt the traffic after it has been NAT'ed.

HTH

Regards,

Praveen

Hi Praveen,

Before I posted my complaint on the forum, I had already NATed and configured my interesting traffic the way you told me to, but my VPN connection is still not working. For the past VPNs I configured, I had to configure my access-list controlling outgoing traffic to permit info leaving my private IP going to the remote private IP. In this case, when configuring my access-list controlling outgoing info, what will be the source IP? Will it be the NATed IP or the original IP?

Thanks and Regards

Hi Claude,

Are you talking about access-list applied on inside interface?

On the inside interface, the permit access-list entry would be "permit "

HTH

Regards,

Praveen
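The ordering rule from both of Praveen's replies (policy NAT and the inside-interface ACL see the original source, the crypto ACL sees the translated source), written out as one pre-8.3 ASA configuration. This is an added example, not Claude's or Praveen's config: it assumes Y.Y.Y.Y is a single host, that the partner's pool X.X.X.17-X.X.X.30 lies in X.X.X.16/28, and that REMOTE.NET, REMOTE.MASK, PEER.IP and the ACL, crypto-map and transform-set names are placeholders.

```text
! Added example (not from the thread). Placeholders: Y.Y.Y.Y, X.X.X.*, REMOTE.NET,
! REMOTE.MASK, PEER.IP; X.X.X.16/28 is an assumption drawn from the pool .17-.30.

! 1. Policy NAT: evaluated BEFORE translation, so the source is the ORIGINAL host.
access-list POLICY-NAT extended permit ip host Y.Y.Y.Y REMOTE.NET REMOTE.MASK
nat (inside) 2 access-list POLICY-NAT
global (outside) 2 X.X.X.17-X.X.X.30

! 2. Crypto ACL (interesting traffic): evaluated AFTER translation, so the source
!    is the TRANSLATED pool, which is what the partner's mirror ACL must list.
access-list VPN-TRAFFIC extended permit ip X.X.X.16 255.255.255.240 REMOTE.NET REMOTE.MASK

! 3. Inbound ACL on the inside interface: checked at ingress, BEFORE NAT, so it
!    permits the ORIGINAL host (this is the "permit" entry Praveen refers to).
access-list INSIDE-IN extended permit ip host Y.Y.Y.Y REMOTE.NET REMOTE.MASK
access-group INSIDE-IN in interface inside

! 4. Bind the crypto ACL to the tunnel towards the partner.
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer PEER.IP
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
```

On ASA 8.3 and later the nat/global pair is replaced by object or twice NAT, but the same rule holds: the NAT rule matches the original source and the crypto ACL matches the translated one. To confirm the order on a live box, `packet-tracer input inside tcp Y.Y.Y.Y 1024 REMOTE.HOST 80` shows the NAT phase before the VPN phase and which ACL each phase matched.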