cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1808
Views
0
Helpful
6
Replies

Site to Site - Policy NAT VPN Setup (remote scheme issue)

Gregory Engle
Level 1
Level 1

I currently have a Site 2 Site VPN Tunnel with a company where the destination Scheme is (Company A) 192.168.1.0 /24. 

I now have a situation where I need to setup another VPN  connection to (Company B) 192.168.1.0 /24. 

My side:

Home Company:       172.20.3.0 /24

Company A:               192.168.1.0 /24                   

Company B:               192.168.1.0 /24  ** This side doesn't really have an IT staff to attempt any Policy NAT, etc **

Problem:  I currently have a VPN Tunnel between Home Company  ----> Company A ** UP And RUNNING FOR A LONG TIME !!!!  **

                    I need to setup a VPN Tunnel between Home Company -----> Company B

                    ***** NOTE ***** - Company A & Company B will never need to communicate with each other.

Can someone give me a little guidance on best practice to make this work without Company B changing IP Scheme within their LAN?

Thanks,

PolicyNAT_VPN.jpg

6 Replies 6

nkarthikeyan
Level 7
Level 7

Hi Gregory,

You can do that with the NAT/PAT in Site to Site. See for for example

Customer B is 192.168.1.0/24 should get NAT to say 10.168.1.0/24 when it comes in the Site to Site tunnel. So that they can operate in the same LAN subnet. Only thing is in the VPN firewall they need to make these changes.

Your site IP 192.168.10.0/24 - Cust B (10.168.1.0/24) will be the site to site policy.

1st thing they have to NAT their subnet for the S2S VPN tunnel tyraffic to a different IP. Then You VPN ACL also will be pointing to the NAT/PAT range. So that communication will happen.

Please do rate if the given information helps.

By

Karthik

AdmShatan
Level 1
Level 1

K. Natarajan has a good plan there.  I've had to do this boh ways, and I can tell you that PAT or Policy NAT will work.

We have a vender that we VPN to, to submit orders to.  Since they already had a client with our IP scheme, we implemented a policy NAT.  We only had a few machines that accessed those orders, so we created a policy NAT that translated those address for a group of addresses to send them.  They in turn sent back to the NAT addresses, which our ASA translated back to the original machines.

I have Poicy NATs in place for Tunnels that I share the same private IP scheme's with.  However, in this scenario, My COMPANY doesn't share the same IP Scheme.  I have another Tunnel setup, where the remote side of that tunnel shares the same space.

Here is my example:

My Network:  172.20.3.0 /24

Company A:  192.168.1.0 /24 *** Tunnel is up and running for a while ***

Company B:  192.168.1.0 /24 *** QUESTIONS ***
Company C:  172.20.3.0 /24   *** I Policy NATed to alter my side to be 10.10.3.63 and this is working. ***

I am just a little confused on the setup for Company B Policy NAT for this scenario.  Please see new drawing that shows my 3 Tunnels as listed above.  Company B is the one I'm concerned with as I do not have 192.168.1.0 /24 local to my facility, but I do have 192.168.1.0 over another Tunnel.


Thanks for all responses,

Gregory,

     The work you did to make the scheme work for Company C is the same work that company B needs to do, or, you can change your space, and reconfigure all your tunnels.

That, or find out the subset of addresses you need to hit at company A and B.  For example:

Company A you need to get to servers at 192.168.1.1-20

Company B you need to get to servers at 192.168.1.100-105

That way, you can subnet the protected space down, and traffic can travel over the apporpriate vpn.  This only works if the subspaces don't overlap.

Hi Gregory,

In customer B end they have to NAT the IP and send to your tunnel. That is the option over there to solve tis issue....

Their original LAN IP will not get changed for their internal users. Only change they have to do it in their firewall for lan ip to get translated with a different ip.

Please do rate if thr given information helps.

By

Karthik

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: