02-16-2010 03:34 AM
Hello,
I have a VPN between 2 offices, and I use an ASA. We use the same IP ranges, so we have picked 2 different IP ranges to bring up Phase 2 of the tunnel.
We both use 192.168.x.x/24 so we decided to use:
172.19.100.x/24 (me)
172.19.101.x/24 (remote)
Now I'm on IP address 192.168.99.11/24 and need to translate this to 172.19.100.11 before it goes over the VPN, what command do I need to use?
At the other end they have added a NAT 172.19.101.11 to 192.168.0.1.
ICMP is allowed
I will try this policy NAT, not sure if it is right:
access-list inside_nat_static extended permit ip host 192.168.99.11 172.19.101.0 255.255.255.0
static (inside,outside) 172.19.100.11 access-list inside_nat_static tcp 0 0 udp 0
02-16-2010 06:46 AM
Hi,
Yes you need Policy NAT on both ends of the tunnel.
You can do it with the configuration that you have (take into account that 192.168.x.x/24 on your side will be translated to a single IP, so the tunnel can only be initiated from your side).
It will be better to translate a /24 network to a /24 network STATICALLY to allow the tunnel to establish from either side.
Federico.
02-16-2010 07:01 AM
Wouldn't 192.168.99.11 translate to 172.19.101.11?
Also, I'm not sure I understand: "It will be better to translate a /24 network to a /24 network STATICALLY to allow the tunnel to establish from either side."
Can you give me an example?
Thanks
02-16-2010 10:01 AM
In this case you're right, because you're translating 192.168.99.11 to 172.19.100.11 when it goes to 172.19.101.0/24.
Now, the ACL for VPN traffic should be from 172.19.100.11 to 172.19.101.x and it should be a mirror on the other side.
Do you see the translation taking place? show ip nat translation | i 192.168.99.11
Do you see the traffic being encrypted and the tunnel getting established?
What I meant is that if you have two networks on both sides you can statically NAT both networks:
access-list NAT permit ip x.x.x.x/24 y.y.y.y/24
static (inside,outside) 1.1.1.0 access-list NAT netmask 255.255.255.0
Instead of just NATing one IP address.
Federico.
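The /24-to-/24 policy NAT discussed in this thread, written out with the thread's own addresses as an added example (not configuration posted by either participant). It assumes the pre-8.3 ASA NAT syntax used above; the names outside_cryptomap and outside_map and the sequence number 1 are hypothetical.

```cisco
! Constructed example: pre-8.3 ASA syntax, addresses taken from the thread.
! Hypothetical names: outside_cryptomap, outside_map, sequence number 1.

! Before (from the first post): only host 192.168.99.11 is translated,
! so no other local host has a 172.19.100.x address the remote side can reach.
!   access-list inside_nat_static extended permit ip host 192.168.99.11 172.19.101.0 255.255.255.0
!   static (inside,outside) 172.19.100.11 access-list inside_nat_static

! After: map the whole local /24 one-to-one onto 172.19.100.0/24, but only
! for traffic going to the remote side's translated range.
! 192.168.99.N becomes 172.19.100.N, so .11 still maps to 172.19.100.11.
access-list inside_nat_static extended permit ip 192.168.99.0 255.255.255.0 172.19.101.0 255.255.255.0
static (inside,outside) 172.19.100.0 access-list inside_nat_static

! NAT happens before the crypto map is consulted, so the crypto ACL must
! match the translated source, never the real 192.168.99.x addresses.
! The remote peer needs the mirror image (172.19.101.0 -> 172.19.100.0).
access-list outside_cryptomap extended permit ip 172.19.100.0 255.255.255.0 172.19.101.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap

! Checks after sending a ping from 192.168.99.11 to 172.19.101.11:
!   show xlate
!     - expect an entry mapping 192.168.99.x to 172.19.100.x
!   show crypto ipsec sa
!     - local ident should be 172.19.100.0/255.255.255.0 and the
!       encaps/decaps counters should both increase
!   packet-tracer input inside icmp 192.168.99.11 8 0 172.19.101.11
!     - the NAT phase should show the policy static rule, followed by a VPN
!       encrypt phase
! Also confirm that no "nat (inside) 0 access-list ..." exemption matches this
! traffic: NAT exemption is evaluated before static NAT and would send the
! real 192.168.99.x source into the tunnel lookup instead.
```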