cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1505
Views
0
Helpful
5
Replies

Site-2-Site VPN and NAT

Roger Base
Level 1
Level 1

Hi Everybody.

I have question regarding the Site-2-Site VPN and NAT.

HQ  is connected to Partner and Co-location through site to site VPN (with  two diffrent tunnels). Co-location is connected to the HQ through  site-2-site VPN.

HQ:
Co-location:
Partner:

Basically what I want to achieve is to do the following:

All  traffic from co-location with destination to Partner should go through  HQ and the source IP needs to be changed. So it looks like that the  traffic is originates from the HQ dmz zone on the Partner side.

How can I achieve that?

HW: Cisco ASA

2 Accepted Solutions

Accepted Solutions

elialope
Level 1
Level 1

Hello Roger,

The configuration that you need will be on the HQ ASA.

First of all configure the ASA so that it would allow traffic to leave through the same interface that it came through:

same-security-traffic permit intra-interface

then you would need to create a nat that to an IP from that range (this would work if the partner doesn't need to go to the colocation, just from colo to the partner):

access-list policy-based-nat1 permit ip

nat ()   access-list policy-based-nat1

global ()

This is asuming that you already have an interesting traffic rule (crypto map ACL permit) from your DMZ to the colocation.

For a more specific example, see below:

Colocation network: 192.168.1.0/24

HQ DMZ Network: 10.10.10.0/24

Partner Network: 172.16.10.0/24

same-security-traffic permit intra-interface

access-list policy-based-nat1 permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0

nat (outside) 100  access-list policy-based-nat1

global (outside) 100 10.10.10.253

access-list vpn10 permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0

crypto map vpn 10 match address vpn

If the partner needs to access the colocation as well (bidirectional access) you can't use the DMZ's network as it needs to be a one to one translation and you would need the same amount of addresses to be translated as you have on the colocation.

However it would be possible if your DMZ network is larger than the colocation (like DMZ being a /16 and colo being /24) and you can segregate a subnet just for that nat.

Hope this helps resolve the issue.

View solution in original post