NAT from VTI tunnel to Inside

JMassie
Level 1

I have a VTI tunnel with a client.
I want to translate their address (VTI, inside) ... something similar to:
nat (outside, inside) source dynamic CLIENT_SOURCE NEW_ADDRESS


Is this viable, or am I going to need to employ twice NAT, since I cannot source the NAT translation from the VTI interface?

6 Replies

check below

MHM 

These are tunnels that come one way into my network. I'm wanting to translate their source address into my internal scheme.


Is this too much, or can I just go (OUTSIDE,INSIDE) dynamic, like I do for our static crypto maps?

----------------

! Inside destination the client is allowed to reach
object network DESTINATION_ADDRESS
host x.x.x.x
!
! Real source address the client arrives with over the VTI
object network SRC_REAL_ADDRESS
host x.x.x.x
!
! Address the client should be seen as on the inside
object network SRC_TRANSLATED_ADDRESS
host x.x.x.x
!
! Twice NAT takes a single "service <real> <mapped>" pair, so the source
! port range and the destination port go in one service object, not two
object service SRC_DST_PORTS
service tcp source range 1025 65535 destination eq 1234
!
! Ports are not translated, so the same service object is given as real and mapped
nat (any,INSIDE) source static SRC_REAL_ADDRESS SRC_TRANSLATED_ADDRESS destination static DESTINATION_ADDRESS DESTINATION_ADDRESS service SRC_DST_PORTS SRC_DST_PORTS

Friend,
policy-based VPN needs twice NAT (NAT exemption), whereas VTI route-based VPN does not need this NAT.

MHM

Thank you for the explanation.

If the client is coming from an address I cannot route through my network, how would I NAT their address from the VTI on my ASA to my inside network?

It is better if you can do the NAT on the peer, not on your ASA,
but if you cannot do that, then
I think your NAT will work.
Run it and do "show nat" <- see the hit count.
nat (any,INSIDE) source static SRC_REAL_ADDRESS SRC_TRANSLATED_ADDRESS destination static DESTINATION_ADDRESS DESTINATION_ADDRESS service SRC_DST_PORTS SRC_DST_PORTS
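
A fuller worked version of the configuration discussed in this thread, with the verification steps, as an added example that is not taken from the posts above. All addresses, object names and the interface names INSIDE and VTI are hypothetical. It keeps the (any,INSIDE) pair used in the thread, puts the source port range and the destination port into one service object (twice NAT accepts a single "service real mapped" pair), and assumes the tunnel interface has been given "nameif VTI" so that packet-tracer can be pointed at it.

```text
! --- Hypothetical objects; replace the addresses with your own ---
! Client's real source address, arriving over the VTI (not routable inside)
object network CLIENT_REAL
 host 203.0.113.10
! Address the client should appear to come from inside your network
object network CLIENT_MAPPED
 host 192.168.50.10
! Inside server the client is allowed to reach
object network SERVER
 host 192.168.10.20
! One service object covers both ends: ephemeral source ports -> tcp/1234
object service CLIENT_TO_SERVER_TCP
 service tcp source range 1025 65535 destination eq 1234
!
! Twice NAT: CLIENT_REAL becomes CLIENT_MAPPED when the flow is headed for
! SERVER on tcp/1234. Ports are unchanged, so the same service object is
! given as real and as mapped. A static rule is bidirectional by default;
! append "unidirectional" if inside hosts must not be able to initiate
! connections to the client through CLIENT_MAPPED.
nat (any,INSIDE) source static CLIENT_REAL CLIENT_MAPPED destination static SERVER SERVER service CLIENT_TO_SERVER_TCP CLIENT_TO_SERVER_TCP
!
! Verification, from enable mode:
! show nat          <- translate_hits / untranslate_hits should climb as the client connects
! show nat detail   <- same rule with the object contents resolved
! show xlate        <- live translation entries once traffic is flowing
! packet-tracer input VTI tcp 203.0.113.10 40000 192.168.10.20 1234
!   (walks a synthetic packet through the route, ACL and NAT phases and
!    reports the translated source; assumes the tunnel carries "nameif VTI")
```

If the hit counters stay at zero while the tunnel is up, the usual suspects are the client's real address not matching CLIENT_REAL exactly, or an earlier NAT rule in the section 1 ordering catching the flow first; "show nat" lists rules in the order they are evaluated, so check what sits above this one.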

I will lab it tonight and get back to the thread. Thank you so much for the help so far.