11-01-2011 09:15 AM
OK, this is confusing me....
I have an ASA5520 and need to set up multiple VPNs to some vendor sites. All these vendors are using 192.168.1.0 networks. All have public IPs and very little knowledge so are unable to NAT from their end.
The idea is to create some /28 blocks of IPs (172.29.0.0/28) and manage this on our end.
How do I get this to work?
Thanks in advance....
Brent
Example (all IPs are fictional):
tunnel1
VPN
My side "outside" 10.10.10.10
Their side "outside" 20.20.20.20
Networks
My side "inside" 172.30.30.0
Their side "inside" 192.168.1.0 NAT'ed to 172.29.0.0/28
tunnel2
VPN
My side "outside" 10.10.10.10
Their side "outside" 30.30.30.30
Networks
My side "inside" 172.30.30.0
Their side "inside" 192.168.1.0 NAT'ed to 172.29.0.16/28
tunnel3
VPN
My side "outside" 10.10.10.10
Their side "outside" 40.40.40.40
Network (single address)
My side "inside" 172.30.30.1 255.255.255.255
Their side "inside" 192.168.1.1 255.255.255.255 NAT'ed to 172.29.0.33 255.255.255.255
11-01-2011 09:53 AM
Hi bbanderson,
If I am not wrong, we need to incorporate just a dynamic (or static, but more cumbersome to manage) NAT on the outside interface for the source address range:
ip nat outside source static or list command mapping the source subnet (192.168.1.0 in your case) to 172.29.0.0.
HTH
Cheers
Arun
11-01-2011 12:06 PM
Arun,
Thank you for the quick reply.
I have one question, will that NAT handle multiple VPN tunnels? (see example above) including the direct IP to IP NAT listed as tunnel3 above? (the "NAT'ed" statement is an illustration of what I would like to do with each tunnel)
Thanks again,
Brent
11-01-2011 11:05 PM
Hi bbanderson,
It can handle multiple VPN NATs.
All you've got to do is make multiple instances of the same crypto-map
like crypto-map crypto-map-name 1 peer-ip
" " 1 transform-set ....etc, etc.
crypto-map crypto-map-name 2
" " 2 transform-set ....etc, etc.
for the different peers 10.10.10.10, 20.20.20.20, etc, and match the ip address to each access-list there under each map instance.
crypto map Outside_map0 3 match address -this can be taken as an example.
HTH
Cheers
Arun
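An added example, not part of the thread or of any poster's configuration: a Python check of the addressing plan from the first post, confirming that the per-tunnel mapped blocks do not collide and showing which vendor hosts an offset-preserving 1:1 mapping can reach. The /24 masks, the offset-preserving mapping model and the names `PLAN`, `translate` and `check_plan` are assumptions.

```python
import ipaddress

# Constructed from the fictional plan in the first post. The /24 masks are
# assumptions: the post gives no mask for 192.168.1.0 or 172.30.30.0.
LOCAL_INSIDE = "172.30.30.0/24"
PLAN = {  # tunnel -> (vendor real network, mapped block on our side)
    "tunnel1": ("192.168.1.0/24", "172.29.0.0/28"),
    "tunnel2": ("192.168.1.0/24", "172.29.0.16/28"),
    "tunnel3": ("192.168.1.1/32", "172.29.0.33/32"),
}

def net(cidr):
    return ipaddress.ip_network(cidr)

def translate(plan, tunnel, real_host):
    """Mapped address for a vendor host under offset-preserving 1:1 NAT
    (assumed model), or None if the host is outside the real network or
    falls past the end of the mapped block."""
    real, mapped = (net(c) for c in plan[tunnel])
    host = ipaddress.ip_address(real_host)
    if host not in real:
        return None
    offset = int(host) - int(real.network_address)
    if offset >= mapped.num_addresses:
        return None
    return str(mapped.network_address + offset)

def check_plan(plan, local_inside):
    """Return problem strings; an empty list means the plan is consistent."""
    problems = []
    names = sorted(plan)
    for i, a in enumerate(names):
        real_a, mapped_a = (net(c) for c in plan[a])
        if mapped_a.overlaps(net(local_inside)):
            problems.append(f"{a}: mapped block overlaps local inside network")
        if real_a.num_addresses > mapped_a.num_addresses:
            problems.append(f"{a}: {real_a} does not fit 1:1 into {mapped_a}")
        for b in names[i + 1:]:
            if mapped_a.overlaps(net(plan[b][1])):
                problems.append(f"{a}/{b}: mapped blocks overlap")
    return problems

if __name__ == "__main__":
    for line in check_plan(PLAN, LOCAL_INSIDE):
        print(line)
    print(translate(PLAN, "tunnel2", "192.168.1.5"))   # inside the /28
    print(translate(PLAN, "tunnel1", "192.168.1.20"))  # past the /28
```

With the assumed /24 vendor LANs, only the first 16 addresses of each vendor network have a mapped address inside a /28, so the hosts that need to be reached through each tunnel determine how large the block has to be.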