is this VPN Tunnel setup over NAT possible?

InTheJuniverse
Level 1

We are trying to form a VPN tunnel with the following encryption domain:

Site A (ASA)
10.100.20.1/32
10.100.20.2/32

Site B (Palo Alto)
10.200.19.1/32
10.200.19.2/32

In Site B's network, the networks 10.100.20.1/32 and 10.200.20.2/32 are already used, so they proposed the following VPN tunnel config:

Site A
10.50.100.1/32
10.50.100.2/32

Site B
10.200.19.1/32
10.200.19.2/32

And they ask us to NAT on our side as follows:

When source
src = 10.200.19.1/32 and 10.200.19.2/32
dst = 10.50.100.1/32 and 10.50.100.2/32

Change to
src = 10.200.19.1/32 and 10.200.19.2/32
dst = 10.100.20.1/32 and 10.100.20.2/32

I understand in a normal scenario we would do a policy NAT to achieve this, but is this even possible with the ASA for a VPN tunnel, when we generally do a NAT exemption for the encryption domain? If yes, how do I configure this? (There are about 6 hosts on each side; I gave the example of two hosts for brevity.)

6 Replies

@InTheJuniverse You need to change your source IP addresses but the destination stays the same, right? Example:

nat (INSIDE,OUTSIDE) source static HOST-REAL HOST-NAT destination static SITEB-SRV SITEB-SRV

The crypto ACL needs to reference the NAT (HOST-NAT object in the example above) address, as traffic is translated before encryption. Repeat the NAT configuration for each host.

Thank you.

What should be the local subnet in the encryption domain? Real host or NATed host?

Use the NAT address; that's what I was referring to when I mentioned the crypto ACL.

Thank you, Rob, it seems that is working for the one test IP we used.

The requirement is to allow certain subnets from each side; how will the configuration differ in the crypto map then? Just add subnet object groups in the NAT and crypto ACL?

@InTheJuniverse 

Yes, every unique NAT address/subnet you define will need defining in the crypto ACL (add another ACE) and mirroring on the other end.
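To show Rob's two answers together (per-host twice NAT, then the object-group form for several hosts, with the crypto ACL referencing the translated addresses), here is an added ASA configuration example. It is not Rob's config or anything from the original thread; the addresses are the ones quoted in the question, while the object and ACL names (SITEA-*, SITEB-SRVS, VPN-SITEB), the interface names INSIDE/OUTSIDE and the NAT line number are assumptions.

```cisco
! Added example, not the thread's own config. Object/ACL names are assumed.
! Real Site A hosts and the mapped addresses Site B wants to see them as.
object network SITEA-HOST1-REAL
 host 10.100.20.1
object network SITEA-HOST1-NAT
 host 10.50.100.1
object network SITEA-HOST2-REAL
 host 10.100.20.2
object network SITEA-HOST2-NAT
 host 10.50.100.2
! Groups so one NAT line and one ACE cover all hosts (add the remaining hosts
! here; keep REAL and NAT groups the same size and in the same order for a
! one-to-one static mapping).
object-group network SITEA-REAL
 network-object object SITEA-HOST1-REAL
 network-object object SITEA-HOST2-REAL
object-group network SITEA-NAT
 network-object object SITEA-HOST1-NAT
 network-object object SITEA-HOST2-NAT
object-group network SITEB-SRVS
 network-object host 10.200.19.1
 network-object host 10.200.19.2
!
! Twice NAT: the real hosts are translated to 10.50.100.x only when the
! destination is a Site B server; the destination is left unchanged.
! Manual NAT rules are matched in order, so this line is given position 1
! to sit above any broader identity NAT (NAT exemption) for the same hosts,
! which would otherwise match first and send untranslated traffic into the
! tunnel, where the crypto ACL would not match it.
nat (INSIDE,OUTSIDE) 1 source static SITEA-REAL SITEA-NAT destination static SITEB-SRVS SITEB-SRVS
!
! Crypto ACL: NAT happens before encryption, so it references the mapped
! (NAT) group, not the real hosts. Site B's proxy IDs must mirror this:
! local 10.200.19.x, remote 10.50.100.x.
access-list VPN-SITEB extended permit ip object-group SITEA-NAT object-group SITEB-SRVS
```

To confirm the order of operations before relying on it, `packet-tracer input INSIDE tcp 10.100.20.1 1025 10.200.19.1 443` shows the NAT phase (source rewritten to 10.50.100.1) ahead of the VPN encrypt phase, and `show nat detail` reports translate hits on this rule rather than on an identity NAT rule; once the tunnel is up, `show crypto ipsec sa` should list 10.50.100.x as the local identity.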

InTheJuniverse
Level 1

This worked for me, thank you very much.