NAT over VPN

Robert Falconer
Level 1

We have a support provider that will only use public IP space for support. So, when using a VPN tunnel for this support, we'll need to configure NAT from the public address we give the provider to the private address of the device they access.

The only public space we have is the range that is assigned to the outside interface of the ASA. How can I configure an address from this range to be used in a NAT configuration over VPN?

The provider will initiate a support session over a tunnel to a public IP address, which I will then need to NAT to the private address.

 

3 Replies

nkarthikeyan
Level 7

Hi,

 

So all you need to do is NAT at your end to a public address. Say 10.0.0.10 is the host you are doing a static NAT to 12.123.123.2, and your destination network is 194.x.x.x.

Your crypto ACL should be mapped to the public IP address instead of the real address.

 

access-list crypto_acl extended permit ip host 12.123.123.2 host 194.x.x.x

!

So you need to have NAT statements and crypto_acl matching on the other side as well.

 

Regards

Karthik

Then what would the NAT statement look like for doing this over a tunnel in 8.3 code?
 

It would be something like

 

nat (inside,outside) source static <local ip / object name> <mapped ip/object name> destination static <destination real ip> <destination real ip> no-proxy-arp

 

Either you can create an object and add objects, or else do it by mentioning the IP.

 

Regards

Karthik
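
The two replies above combined into one object-based configuration for 8.3+ code, as an added example that is not part of any poster's reply. The object names are hypothetical, the addresses are the thread's own sample values, and 194.x.x.x is the thread's elided provider address, to be replaced with the real one.

```cisco
! Added example. Object names are hypothetical; addresses are the thread's samples.
! 194.x.x.x is the elided provider address from the thread: substitute the real one.
object network SUPPORT-HOST-REAL
 host 10.0.0.10
object network SUPPORT-HOST-MAPPED
 host 12.123.123.2
object network PROVIDER-HOST
 host 194.x.x.x
!
! Twice NAT: 10.0.0.10 is presented as 12.123.123.2 only when the peer is the
! provider host. The destination is listed twice so it is left untranslated.
nat (inside,outside) source static SUPPORT-HOST-REAL SUPPORT-HOST-MAPPED destination static PROVIDER-HOST PROVIDER-HOST no-proxy-arp
!
! Crypto ACL references the mapped (public) address, not 10.0.0.10.
access-list crypto_acl extended permit ip host 12.123.123.2 host 194.x.x.x
!
! Checks once the provider has brought the tunnel up:
! the NAT rule's hit counters and the encaps/decaps counters on the IPsec SA.
show nat detail
show crypto ipsec sa
```

Keeping both the NAT rule and the crypto ACL host-to-host limits what the provider can reach through the tunnel to the single supported device.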