cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
541
Views
0
Helpful
3
Replies
bbanderson
Beginner

How do I NAT inbound traffic from a site to site VPN?

OK, This is confusing me....

I have an ASA5520 and need to set up multiple VPN's to some vendor sites. All these vendors are using 192.168.1.0 networks. All have public IP's and very little knowledge so are unable to NAT from their end.

The idea is to create some /28 blocks of IP's (172.29.0.0/28) and manage this on our end.

How do I get this to work?

Thanks in advance....

Brent

example: (all IP's are fictional)

tunnel1

VPN

My side "outside" 10.10.10.10

Their side "outside" 20.20.20.20

Networks

My side "inside" 172.30.30.0

Their side "inside" 192.168.1.0 NAT'ed to 172.29.0.0/28

tunnel2

VPN

My side "outside" 10.10.10.10

Their side "outside" 30.30.30.30

Networks

My side "inside" 172.30.30.0

Their side "inside" 192.168.1.0 NAT'ed to 172.29.0.16/28

tunnel3

VPN

My side "outside" 10.10.10.10

Their side "outside" 40.40.40.40

Network (single address)

My side "inside" 172.30.30.1 255.255.255.255

Their side "inside" 192.168.1.1 255.255.255.255 NAT'ed to 172.29.0.33 255.255.255.255

3 REPLIES 3
Arun Nair
Beginner

Hi bbanderson,

If I am not wrong, we need to incorporate just a dynamic(or static, but more cumbersome to manage) nat on the outside interface for the source address range:

ip nat outside source static or list command mapping the source subnet(192.168.1.0 in your case) to 172.29.0.0.

HTH

Cheers

Arun

Arun,

Thank you for the quick reply.

I have one question, will that NAT handle multiple VPN tunnels? (see example above) including the direct IP to IP NAT listed as tunnel3 above? (the "NAT'ed" statement is an illustration of what I would like to do with each tunnel)

Thanks again,

Brent

Hi bbanderson,

It can handle multiple VPN NATs.

All youve got to do is make multiple instances of the same crypto-map

like crypto-map crypto-map-name 1 peer-ip

            "                    "               1 transform-set ....etc, etc.

     crypto-map crypto-map-name 2

         "                    "                 2 transform-set ....etc, etc.

for the different peers 10.10.10.10, 20.20.20.20, etc, and match the ip address to each access-list there under each map instance.

crypto map Outside_map0 3 match address -this can be taken as an example.

HTH

Cheers

Arun