
IPsec VPN Question

sherrikhan
Level 1

Hi, we are going to have an IPsec VPN (LAN to LAN); we have an ASA 5510.

 

The scenario is that the customer has two IP subnets (192.168.1.0/24, 192.168.2.0/24). Their outside IP address, to which the VPN will be made, is 1.1.1.1 (suppose). The issue is that the customer wants to NAT the two subnets to the outside interface. I have never done this sort of scenario where the VPN termination IP and the interesting traffic are the same IP.

 

Any ideas or comments would be really appreciated.

1 Reply

pjain2
Cisco Employee

Hey,

To be able to NAT the internal subnets 192.168.1.0/24 and 192.168.2.0/24, you need to do the following:

Let us assume that the remote destination that you need to access is the 10.10.10.0/24 network.

 

You need to configure the crypto ACL as follows:

access-list cryptoacl permit ip host 1.1.1.1 10.10.10.0 255.255.255.0

To NAT the traffic:

pre 8.2:

===========

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 1 192.168.2.0 255.255.255.0

global (outside) 1 interface

 

post 8.3:

==========

object network obj-192.168.1.0

subnet 192.168.1.0 255.255.255.0

nat (inside,outside) dynamic interface

 

object network obj-192.168.2.0

subnet 192.168.2.0 255.255.255.0

nat (inside,outside) dynamic interface

 

NOTE: The above config is valid if there is no other tunnel on this ASA. If there is another tunnel on this ASA through which the 192.168.1.0/24 and 192.168.2.0/24 networks need to access the remote subnets, then NAT exemption needs to be configured for the traffic through that tunnel.
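The reply's two points (the crypto ACL must name the post-NAT address 1.1.1.1, and a second tunnel needs NAT exemption ahead of the dynamic PAT) both follow from the ASA evaluating NAT before the crypto map on the outbound path. The script below is an added example, not code from the thread or from Cisco: it models an ordered NAT table and a crypto ACL list and shows which tunnel (if any) a given flow would land in. The public IP 1.1.1.1 and remote subnet 10.10.10.0/24 are taken from the thread; the second tunnel to 172.16.0.0/24 ("tunnel-B") and the sample flows are constructed for the demonstration. The rule ordering (exemption rules ahead of dynamic PAT, first match wins) is an assumption that mirrors how the ASA's NAT table is ordered when the exemption is configured as the reply recommends.

```python
"""Model of ASA NAT-then-crypto-map evaluation for a LAN-to-LAN design.

Added example, not part of the original thread. 1.1.1.1 and 10.10.10.0/24
come from the thread; 172.16.0.0/24 (tunnel-B) is a hypothetical second
tunnel used to show why the NOTE about NAT exemption matters.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class NatRule:
    """One NAT entry. action is 'exempt' (identity NAT, source kept) or
    'pat' (source rewritten to `to`). dst=None matches any destination."""
    src: IPv4Network
    dst: Optional[IPv4Network]
    action: str
    to: Optional[IPv4Address] = None


@dataclass
class CryptoAce:
    """One 'access-list <name> permit ip <src> <dst>' line of a crypto ACL."""
    tunnel: str
    src: IPv4Network
    dst: IPv4Network


def apply_nat(rules: List[NatRule], src: IPv4Address, dst: IPv4Address) -> IPv4Address:
    """First matching rule wins (assumed ordering: exemptions listed ahead of
    dynamic PAT, as on the ASA). Returns the post-NAT source address."""
    for r in rules:
        if src in r.src and (r.dst is None or dst in r.dst):
            return src if r.action == "exempt" else r.to
    return src  # no rule matched: source leaves untranslated


def classify_flow(rules: List[NatRule], acls: List[CryptoAce],
                  src: str, dst: str) -> Tuple[str, str]:
    """Return (post-NAT source, tunnel name or 'CLEARTEXT').
    The crypto ACL is checked against the *translated* packet, which is why
    the thread's ACL names host 1.1.1.1 rather than 192.168.x.0/24.
    'CLEARTEXT' means no crypto ACL matched, so the packet would leave the
    outside interface unencrypted."""
    s, d = ip_address(src), ip_address(dst)
    nat_src = apply_nat(rules, s, d)
    for ace in acls:
        if nat_src in ace.src and d in ace.dst:
            return str(nat_src), ace.tunnel
    return str(nat_src), "CLEARTEXT"


OUTSIDE_IP = ip_address("1.1.1.1")                        # from the thread
INSIDE = [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")]
REMOTE_A = ip_network("10.10.10.0/24")                    # from the thread
REMOTE_B = ip_network("172.16.0.0/24")                    # hypothetical second tunnel

CRYPTO = [
    # tunnel-A: the reply's ACL, matching the PAT'd address 1.1.1.1
    CryptoAce("tunnel-A", ip_network("1.1.1.1/32"), REMOTE_A),
    # tunnel-B: a second tunnel whose ACL uses the original inside subnets
    CryptoAce("tunnel-B", INSIDE[0], REMOTE_B),
    CryptoAce("tunnel-B", INSIDE[1], REMOTE_B),
]


def pat_only_rules() -> List[NatRule]:
    """Exactly what the reply configures: both subnets PAT'd to the outside IP."""
    return [NatRule(n, None, "pat", OUTSIDE_IP) for n in INSIDE]


def rules_with_exemption() -> List[NatRule]:
    """The reply's NOTE applied: identity NAT for tunnel-B traffic, ahead of PAT."""
    return [NatRule(n, REMOTE_B, "exempt") for n in INSIDE] + pat_only_rules()


def check_design(rules: List[NatRule]) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Run a few constructed sample flows through the model."""
    flows = [("192.168.1.10", "10.10.10.5"),   # to tunnel-A's remote
             ("192.168.2.20", "172.16.0.5"),   # to tunnel-B's remote
             ("192.168.1.10", "8.8.8.8")]      # plain Internet traffic
    return {f: classify_flow(rules, CRYPTO, *f) for f in flows}


if __name__ == "__main__":
    for label, rules in (("PAT only", pat_only_rules()),
                         ("PAT + NAT exemption", rules_with_exemption())):
        print(label)
        for (s, d), (nat_src, via) in check_design(rules).items():
            print(f"  {s} -> {d}: source becomes {nat_src}, sent via {via}")
```

With PAT only, the flow to 172.16.0.5 is translated to 1.1.1.1 and matches neither crypto ACL, so the model reports it as CLEARTEXT; that is the failure the NOTE warns about. Adding the exemption rules ahead of the PAT keeps the original source for tunnel-B traffic while tunnel-A and Internet traffic are still PAT'd.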