11-20-2013 06:59 AM
Hi Everybody.
I have question regarding the Site-2-Site VPN and NAT.
HQ is connected to Partner and Co-location through site-to-site VPN (with two different tunnels). Co-location is connected to the HQ through site-to-site VPN.
HQ:
Co-location:
Partner:
Basically what I want to achieve is to do the following:
All traffic from co-location with destination Partner should go through HQ and the source IP needs to be changed, so that on the Partner side it looks like the traffic originates from the HQ DMZ zone.
How can I achieve that?
HW: Cisco ASA
11-20-2013 04:42 PM
Hello Roger,
The configuration that you need will be on the HQ ASA.
First of all configure the ASA so that it would allow traffic to leave through the same interface that it came through:
same-security-traffic permit intra-interface
Then you would need to create a NAT to an IP from that range (this would work if the partner doesn't need to go to the colocation, just from colo to the partner):
access-list policy-based-nat1 permit ip
nat (
global (
This is assuming that you already have an interesting traffic rule (crypto map ACL permit) from your DMZ to the colocation.
For a more specific example, see below:
Colocation network: 192.168.1.0/24
HQ DMZ Network: 10.10.10.0/24
Partner Network: 172.16.10.0/24
! allow traffic that arrived on the outside interface (colo tunnel) to leave through the outside interface again (partner tunnel)
same-security-traffic permit intra-interface
! policy NAT: only colo -> partner traffic is translated
access-list policy-based-nat1 permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
nat (outside) 100 access-list policy-based-nat1
! translated source address taken from the HQ DMZ range
global (outside) 100 10.10.10.253
! partner tunnel interesting traffic must match the translated (DMZ) source, not the colo source
access-list vpn10 permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0
crypto map vpn 10 match address vpn10
If the partner needs to access the colocation as well (bidirectional access) you can't use the DMZ's network as it needs to be a one to one translation and you would need the same amount of addresses to be translated as you have on the colocation.
However it would be possible if your DMZ network is larger than the colocation (like DMZ being a /16 and colo being /24) and you can segregate a subnet just for that nat.
Hope this helps resolve the issue.
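The same policy NAT written in the object/twice-NAT syntax that replaced nat/global on ASA 8.3 and later, added here as an illustration and not part of the original answer. It reuses the example networks from the answer; the object names and the 10.10.20.0/24 DMZ carve-out used for the bidirectional variant are assumptions.

```cisco
! Hairpin: packets arrive on outside (colo tunnel) and leave on outside (partner tunnel)
same-security-traffic permit intra-interface
!
object network COLO_NET
 subnet 192.168.1.0 255.255.255.0
object network PARTNER_NET
 subnet 172.16.10.0 255.255.255.0
object network HQ_DMZ_PAT
 host 10.10.10.253
!
! Variant A, colo -> partner only: many-to-one PAT behind 10.10.10.253,
! applied only when the destination is the partner network
nat (outside,outside) source dynamic COLO_NET HQ_DMZ_PAT destination static PARTNER_NET PARTNER_NET
!
! Variant B, bidirectional: one-to-one static translation of the whole colo /24 onto a
! DMZ sub-range of equal size (10.10.20.0/24 is an assumed carve-out). Use A or B, not both;
! twice-NAT rules are evaluated in order and the first match wins.
object network COLO_AS_DMZ
 subnet 10.10.20.0 255.255.255.0
nat (outside,outside) source static COLO_NET COLO_AS_DMZ destination static PARTNER_NET PARTNER_NET
!
! The partner-facing crypto ACL must match the translated addresses, not the colo ones
access-list vpn10 permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list vpn10 permit ip 10.10.20.0 255.255.255.0 172.16.10.0 255.255.255.0
crypto map vpn 10 match address vpn10
```

To confirm the rule is hit before bringing up the tunnel, `show nat detail` lists the translate_hits per rule and `packet-tracer input outside tcp 192.168.1.10 12345 172.16.10.10 443` walks a colo-sourced packet through the NAT and VPN phases and shows the translated source the partner will see. Because the partner only ever sees 10.10.10.253 (variant A) or the carve-out range (variant B), the partner-side crypto ACL and filtering can stay limited to those addresses rather than exposing the colocation range.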