05-27-2021 03:26 AM
We are trying to form a VPN tunnel with following encryption domain
Site A (ASA)
10.100.20.1/32
10.100.20.2/32
Site B (Palo Alto)
10.200.19.1/32
10.200.19.2/32
In Site B's network, the networks 10.100.20.1/32 and 10.200.20.2/32 are already in use, so they proposed the following VPN tunnel configuration:
Site A
10.50.100.1/32
10.50.100.2/32
Site B
10.200.19.1/32
10.200.19.2/32
And they ask us to NAT on our side as follows:
When
src = 10.200.19.1/32 and 10.200.19.2/32
dst = 10.50.100.1/32 and 10.50.100.2/32
change to
src = 10.200.19.1/32 and 10.200.19.2/32
dst = 10.100.20.1/32 and 10.100.20.2/32
I understand that in a normal scenario we would do a policy NAT to achieve this, but is this even possible on the ASA for a VPN tunnel, when we generally do a NAT exemption for the encryption domain? If yes, how do I configure this? (There are about 6 hosts on each side; I gave an example of two hosts for brevity.)
05-27-2021 04:40 AM
@InTheJuniverse You need to change your source IP addresses but the destination stays the same, right? Example:
nat (INSIDE,OUTSIDE) source static HOST-REAL HOST-NAT destination static SITEB-SRV SITEB-SRV
The crypto ACL needs to reference the NAT address (the HOST-NAT object in the example above), as traffic is translated before encryption. Repeat the NAT configuration for each host.
05-27-2021 06:42 AM
Thank you.
What should be the local subnet in encryption domain? Real host or NATed host?
05-27-2021 06:46 AM
Use the NAT address, that's what I was referring to when I said about the crypto ACL.
06-03-2021 09:04 AM - edited 06-03-2021 10:14 AM
Thank you, Rob, it seems that is working for the 1 test IP we used.
The requirement is to allow certain subnets from each side; how will the configuration differ in the crypto map then? Just add subnet object groups in the NAT and crypto ACL?
06-03-2021 11:45 AM
Yes, every unique NAT address/subnet you define will need defining in the crypto ACL (add another ACE) and mirroring on the other end.
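Putting the two answers above together (the per-host twice NAT and the crypto ACL that must reference the translated addresses), here is an added ASA configuration example built from the addresses in the question; it is not from the thread. The interface names INSIDE/OUTSIDE, all object, object-group, ACL and crypto map names, and the crypto map sequence number are assumptions.

```cisco
! Added example (not from the thread): twice NAT so Site B sees 10.50.100.x
! instead of the real 10.100.20.x hosts. Interface, object, ACL and crypto
! map names are assumed.

! Real and translated addresses of the local hosts. One object per host,
! because each needs its own static one-to-one translation.
object network HOST1-REAL
 host 10.100.20.1
object network HOST1-NAT
 host 10.50.100.1
object network HOST2-REAL
 host 10.100.20.2
object network HOST2-NAT
 host 10.50.100.2

! Remote (Site B) hosts. The destination is not translated, so the same
! group appears twice in the NAT statement (SITEB-SRVS SITEB-SRVS).
object network SITEB-SRV1
 host 10.200.19.1
object network SITEB-SRV2
 host 10.200.19.2
object-group network SITEB-SRVS
 network-object object SITEB-SRV1
 network-object object SITEB-SRV2

! Group the translated addresses so a single ACE can cover them; adding a
! host later means one new object pair, one NAT line and one group entry.
object-group network LOCAL-NAT
 network-object object HOST1-NAT
 network-object object HOST2-NAT

! Twice NAT, one line per host, placed at the top of section 1 so it is
! matched before any existing NAT exemption for the old encryption domain.
nat (INSIDE,OUTSIDE) 1 source static HOST1-REAL HOST1-NAT destination static SITEB-SRVS SITEB-SRVS
nat (INSIDE,OUTSIDE) 2 source static HOST2-REAL HOST2-NAT destination static SITEB-SRVS SITEB-SRVS

! The crypto ACL uses the translated (NAT) addresses, because translation
! happens before encryption. Site B mirrors it as 10.200.19.x <-> 10.50.100.x.
access-list SITEB-VPN extended permit ip object-group LOCAL-NAT object-group SITEB-SRVS

! Only the match address line of the crypto map entry is shown; peer,
! proposals and the interface binding are unchanged from the existing tunnel.
crypto map OUTSIDE_map 10 match address SITEB-VPN
```

Verify with `packet-tracer input INSIDE tcp 10.100.20.1 12345 10.200.19.1 443`: the NAT phase should show the source rewritten to 10.50.100.1 and the VPN phase should match the SITEB-VPN ACL; if the flow is exempted earlier, an existing identity NAT for the real addresses is shadowing these rules.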
06-17-2021 05:51 AM
This worked for me, thank you very much.