How to nat subnets before establishing site to site ipsec vpn tunnel?

puneitsupport
Level 1

Hello,

Coming across a requirement which is new to me, as I have not done this setup. Details as follows. Hope someone can help.

Requirement: NAT existing subnets to the 192.168.50.0/24 subnet, which is allowed at another firewall.

Existing device: Cisco 5510 where I need to do this NAT.

Existing scenario in short: I have created VLANs on the ASA by creating sub-interfaces.

Changes done: added a new sub-interface for 192.168.50.0. Added a new object for 192.168.50.0. Now done with creation of an ACL where traffic from 192.168.50.0 to the remote subnets is allowed. In the NAT object section, done NATing 1 to 1, i.e. existing subnet to 192.168.50.0.

Done IPsec VPN setup including phase 1 & 2.

Now tried to ping remote hosts, but they are not reachable.

Please advise how to make it work.

I don't have any router next to the ASA 5510. The ASA is in routed mode. The next hop from the ASA is the ISP's mux.

5 Replies

Jouni Forss
VIP Alumni

Hi,

Can you clarify the setup a bit?

I first got the picture that the NAT network is 192.168.50.0/24 and some other networks should be NATed to this.

Later on it seems that you have configured this to some interface on the ASA?

So are you attempting to NAT some other LAN networks to this single NAT network before the traffic heads to the L2L VPN connection on your ASA?

Can you then mention what are the source networks and source interfaces for these networks? What is the destination network at the remote end of the L2L VPN connection?

Do you want to just do a NAT Pool of the 192.168.50.0/24 network for all your Internet users OR does the remote end also have to be able to connect to some of your sites hosts/servers?

What is the software version of your ASA?

- Jouni

Hello. Please find my answers inline.

I first got the picture that the NAT network is 192.168.50.0/24 and some other networks should be NATed to this.

Answer: That's correct.

Later on it seems that you have configured this to some interface on the ASA?

Answer: Yes, as I have defined VLANs on the ASA itself, i.e. the other subnets too, the 10.x series & 192.168.222.x series. I used Ethernet 0/0 as the main interface for all LAN networks and have created sub-interfaces, i.e. VLANs, on it. Using a 3COM switch below the ASA to terminate those VLANs & distribute to unmanaged switches. Due to port limitations on the ASA I have configured the VLANs on the ASA itself. Ethernet 0/2 is my WAN interface, i.e. the ISP link terminates on the Eth 0/2 port.

So are you attempting to NAT some other LAN networks to this single NAT network before the traffic heads to the L2L VPN connection on your ASA?

Answer: Yes, that's right. Attempting to NAT multiple networks to a single NAT network before traffic heads to the L2L VPN connecting from my ASA 5510 to the remote Citrix firewall.

Can you then mention what are the source networks and source interfaces for these networks? What is the destination network at the remote end of the L2L VPN connection?

Answer: Source networks = 10.100.x series & 192.168.222.x series / Destination networks are from the 192.168.228.x and 192.168.229.x series. The remote admin wants us to NAT our multiple subnets to a single subnet, i.e. 192.168.50.0, and then traffic from this subnet is allowed at the remote end.

Do you want to just do a NAT Pool of the 192.168.50.0/24 network for all your Internet users OR does the remote end also have to be able to connect to some of your sites hosts/servers?

Answer: Yes, I just want to NAT the LAN subnets to 192.168.50.0/24 for all LAN users. One-way access. I am going to access remote servers.

The new thing for me is how to NAT multiple subnets. I have existing IPsec VPNs where I have added multiple subnets, which is the traditional setup for me. This requirement is new to me.

Mike Williams
Level 5

What version of code is on your ASA? The NAT configuration completely changed from 8.2 to 8.3.

Regards,
Mike


Yes. The ASA 8.3 version looks more complex to me.

I have the following versions on my ASA 5510 >>

ASA version 8.3(1)

ASDM version 6.3(1)

I actually prefer the 8.3+ NAT configuration. It's a lot more intuitive when you get used to it. Here's a sample config that I believe will work, but I have not had a chance to throw it up in the lab yet. Feel free to change any of this to suit your needs.

object-group network Private-Networks
   network-object 10.100.0.0 255.255.0.0
   network-object 192.168.222.0 255.255.255.0
object-group network NATTED-Private-Networks
   network-object 192.168.50.0 255.255.255.0
object-group network Destination-VPN-Networks
   network-object 192.168.228.0 255.255.255.0
   network-object 192.168.229.0 255.255.255.0

nat (inside,outside) source dynamic Private-Networks NATTED-Private-Networks destination static Destination-VPN-Networks Destination-VPN-Networks

This should utilize the 192.168.50.0/24 network as a dynamic NAT pool. If you prefer to use the subnet as a dynamic PAT pool, use the following NAT configuration:

nat (inside,outside) source dynamic Private-Networks pat-pool NATTED-Private-Networks destination static Destination-VPN-Networks Destination-VPN-Networks

Also note, when defining your access-list for VPN traffic, in 8.3+ you still need to use the mapped IP addresses. The ASA uses the access-list to determine the phase 2 SAs and doesn't perform NAT prior to bringing up phase 2. This is the opposite of normal interface access-lists in 8.3+.

Regards,

Mike

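As an added example (not Mike's config and not Cisco documentation), here are the pieces the thread describes assembled in ASA 8.3 syntax: the policy NAT rule together with the crypto ACL written against the mapped 192.168.50.0/24 pool rather than the real subnets, and the commands to check that a flow takes both the NAT rule and the tunnel. The peer 203.0.113.1, the names CITRIX-VPN-TRAFFIC, OUTSIDE-MAP and ESP-AES256-SHA, the test host addresses and the pre-shared key are placeholders, not values from the thread.

```cisco
! Real (pre-NAT) LAN subnets, the mapped pool, and the remote subnets (values from the thread)
object-group network Private-Networks
 network-object 10.100.0.0 255.255.0.0
 network-object 192.168.222.0 255.255.255.0
object network NATTED-Private-Network
 subnet 192.168.50.0 255.255.255.0
object-group network Destination-VPN-Networks
 network-object 192.168.228.0 255.255.255.0
 network-object 192.168.229.0 255.255.255.0
!
! Policy NAT: only traffic for the remote VPN subnets is translated to the pool.
! Manual NAT rules match top-down, so keep this above any broader manual rule
! (e.g. a "source dynamic any interface" Internet rule) that would catch it first.
nat (inside,outside) source dynamic Private-Networks NATTED-Private-Network destination static Destination-VPN-Networks Destination-VPN-Networks
!
! Crypto ACL: the source is the MAPPED pool, not the real subnets, because the ASA
! matches VPN interesting traffic against post-NAT addresses (ACL name is assumed)
access-list CITRIX-VPN-TRAFFIC extended permit ip 192.168.50.0 255.255.255.0 object-group Destination-VPN-Networks
!
! Phase 1 (8.3 uses "crypto isakmp"; the "crypto ikev1" form arrived in 8.4)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 (peer 203.0.113.1 is a placeholder; proposal must match the remote firewall)
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 20 match address CITRIX-VPN-TRAFFIC
crypto map OUTSIDE-MAP 20 set peer 203.0.113.1
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-SHARED-SECRET
!
! Verification (test addresses are constructed): the NAT phase should hit the policy
! rule above and the VPN phase should show the flow being encrypted; translate_hits
! in "show nat detail" confirms the rule is actually being used.
packet-tracer input inside tcp 10.100.1.10 12345 192.168.228.10 443 detailed
show nat detail
show crypto ipsec sa peer 203.0.113.1
```

The pool is defined only as a NAT object; no sub-interface or route for 192.168.50.0/24 is needed on the ASA, because replies arriving through the tunnel are untranslated from the xlate table before being routed to the real host.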