655 Views, 0 Helpful, 3 Replies

How do I NAT inbound traffic from a site to site VPN?

bbanderson
Level 1

OK, this is confusing me...

I have an ASA5520 and need to set up multiple VPNs to some vendor sites. All these vendors are using 192.168.1.0 networks. All have public IPs and very little knowledge, so they are unable to NAT from their end.

The idea is to create some /28 blocks of IPs (172.29.0.0/28) and manage this on our end.

How do I get this to work?

Thanks in advance....

Brent

Example (all IPs are fictional):

tunnel1
  VPN
    My side "outside":    10.10.10.10
    Their side "outside": 20.20.20.20
  Networks
    My side "inside":     172.30.30.0
    Their side "inside":  192.168.1.0, NAT'ed to 172.29.0.0/28

tunnel2
  VPN
    My side "outside":    10.10.10.10
    Their side "outside": 30.30.30.30
  Networks
    My side "inside":     172.30.30.0
    Their side "inside":  192.168.1.0, NAT'ed to 172.29.0.16/28

tunnel3
  VPN
    My side "outside":    10.10.10.10
    Their side "outside": 40.40.40.40
  Network (single address)
    My side "inside":     172.30.30.1 255.255.255.255
    Their side "inside":  192.168.1.1 255.255.255.255, NAT'ed to 172.29.0.33 255.255.255.255
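As an added illustration (not part of the thread, and not ASA commands), here is a small Python model of the address plan in the question. It uses the fictional addresses from the post; the Tunnel class and the tunnel(), validate(), outbound() and inbound() functions are names made up for this example. Two points it makes concrete: a static one-to-one translation needs real and mapped blocks of the same size, so "192.168.1.0 NAT'ed to 172.29.0.0/28" only ever covers 192.168.1.0/28; and on the inbound side the real source address cannot identify the vendor, because every vendor is 192.168.1.0, so the translation has to be keyed on the tunnel the packet arrived through, while on the outbound side the mapped destination block alone picks the tunnel.

```python
"""Model of the per-tunnel static NAT plan described in the post, with the
checks that catch what silently breaks it. Added example, not ASA syntax.

Addresses are the fictional ones from the post. Tunnel, tunnel(), validate(),
outbound() and inbound() are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from itertools import combinations


@dataclass(frozen=True)
class Tunnel:
    name: str
    peer: IPv4Address     # vendor's VPN endpoint ("their outside")
    real: IPv4Network     # addresses the vendor actually uses behind the tunnel
    mapped: IPv4Network   # addresses our hosts use to reach them


def tunnel(name, peer, real, mapped):
    """Build a Tunnel from plain strings (convenience for plans and tests)."""
    return Tunnel(name, ip_address(peer), ip_network(real), ip_network(mapped))


LOCAL = ip_network("172.30.30.0/24")   # "my side inside" from the post

# Constructed from the three tunnels in the post. Static NAT is one-to-one, so
# the real side is carved to the same size as its /28 (or /32) mapped block:
# only the first 16 hosts of each vendor's 192.168.1.0/24 are reachable.
PLAN = [
    tunnel("tunnel1", "20.20.20.20", "192.168.1.0/28", "172.29.0.0/28"),
    tunnel("tunnel2", "30.30.30.30", "192.168.1.0/28", "172.29.0.16/28"),
    tunnel("tunnel3", "40.40.40.40", "192.168.1.1/32", "172.29.0.33/32"),
]


def validate(plan, local=LOCAL):
    """Return a list of problems with the plan; an empty list means it is usable.

    Overlapping real blocks across tunnels are fine (that is the whole point);
    overlapping mapped blocks, or a mapped block inside the local network,
    would make the translated address ambiguous.
    """
    problems = []
    for t in plan:
        if t.real.prefixlen != t.mapped.prefixlen:
            problems.append(f"{t.name}: {t.real} and {t.mapped} differ in size; "
                            "static NAT needs equal-size blocks")
        if t.mapped.overlaps(local):
            problems.append(f"{t.name}: mapped block {t.mapped} collides with local {local}")
    for a, b in combinations(plan, 2):
        if a.mapped.overlaps(b.mapped):
            problems.append(f"{a.name}/{b.name}: mapped blocks {a.mapped} and "
                            f"{b.mapped} overlap")
    return problems


def outbound(plan, dst):
    """Our host sends to a mapped address. The mapped block alone identifies the
    tunnel; the destination is rewritten to the vendor's real address before
    encryption. Returns (tunnel name, real destination as a string)."""
    dst = ip_address(dst)
    for t in plan:
        if dst in t.mapped:
            offset = int(dst) - int(t.mapped.network_address)
            return t.name, str(t.real.network_address + offset)
    raise LookupError(f"{dst} is in no mapped block, so no tunnel can be chosen")


def inbound(plan, tunnel_name, src):
    """A packet arrives on a given tunnel from a real vendor address. The real
    address is identical across vendors, so the tunnel it arrived on, not the
    address, decides the translation. Returns the mapped source as a string."""
    src = ip_address(src)
    for t in plan:
        if t.name == tunnel_name:
            if src not in t.real:
                raise LookupError(f"{src} on {t.name} is outside {t.real}; drop it")
            offset = int(src) - int(t.real.network_address)
            return str(t.mapped.network_address + offset)
    raise LookupError(f"unknown tunnel {tunnel_name}")


if __name__ == "__main__":
    for problem in validate(PLAN):
        print("PROBLEM:", problem)
    print(outbound(PLAN, "172.29.0.5"))              # ('tunnel1', '192.168.1.5')
    print(outbound(PLAN, "172.29.0.21"))             # ('tunnel2', '192.168.1.5')
    print(inbound(PLAN, "tunnel2", "192.168.1.5"))   # 172.29.0.21
```

Run validate() on the plan before touching the firewall: a real /24 declared against a mapped /28, or two mapped blocks that overlap, is reported as a problem, and the outbound/inbound helpers show why the two vendors' identical 192.168.1.5 must appear to our hosts as two different mapped addresses.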

3 Replies

Arun Nair
Level 1

Hi bbanderson,

If I am not wrong, we need to incorporate just a dynamic (or static, but more cumbersome to manage) NAT on the outside interface for the source address range:

ip nat outside source static (or list) command mapping the source subnet (192.168.1.0 in your case) to 172.29.0.0.

HTH

Cheers

Arun

Arun,

Thank you for the quick reply.

I have one question: will that NAT handle multiple VPN tunnels (see example above), including the direct IP-to-IP NAT listed as tunnel3 above? (The "NAT'ed" statement is an illustration of what I would like to do with each tunnel.)

Thanks again,

Brent

Hi bbanderson,

It can handle multiple VPN NATs.

All you've got to do is make multiple instances of the same crypto map, like:

crypto map crypto-map-name 1 set peer peer-ip
crypto map crypto-map-name 1 set transform-set ...etc, etc.
crypto map crypto-map-name 2 set peer peer-ip
crypto map crypto-map-name 2 set transform-set ...etc, etc.

for the different peers 10.10.10.10, 20.20.20.20, etc., and match the IP address to each access list under each map instance.

crypto map Outside_map0 3 match address - this can be taken as an example.

HTH

Cheers

Arun