Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
350
Views
0
Helpful
2
Replies

Site to Site VPN: Create NAT in ASA 5525

johntampac
Level 1
Level 1

‎09-27-2014 02:32 AM

Hello Guys,

It's my first time to post here and not an expert is cisco products so please bear with me.


I have this problem wiht our Site to Site VPN our client wanted us to make a NAT with our current
network setup cz it very hard for thim make ajustments. so basicallly out netowk layout is that
we have local network with multiple vlans and subnets, we have a local IP subnets of 172.1.X.0/24

LocalLAN     - CORESwitch -     ASA 5524         - Internet
(172.1.x.0/24)      (172.1.1.1)    (Inside: 172.1.0.1)
                                                     (Outside: 88.88.88.88) not reall IP

now our clients need us to use any of the 10.11.x.0/24 subnet for the site to site vpn. They asked to create a nat
translating my 172.1.x.0/24 netwotk to 10.11.x.0/25 to initiate the vpn. My question is that from my current network setup. Where do I setup NAT? I know this is possile to some versions of cisco's layer 3 swithes but the one that we have does have this feature. I Know that ASA fireall can do NATTING but steps to do it, I'm not so sure. Your help will be greatly appreciated.

Thank you.

Regards
John


 

 

 

Labels:
0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-27-2014 09:50 AM

So you need to first setup a site-site VPN. We define incoming traffic as "interesting" with an access-list and then call that access-list with a cryptomap to make it get encrypted and directed to the remote peer IP address.

Most often we exempt the "interesting" traffic from NAT. However when you do want to change it (as in your case) we also can do this NAT on the ASA. We create an object for your local networks and an associated NAT rule for traffic destined for the partner's network(s).

There's a pretty good example of this type of use case on this page: link. If you're using ASA 8.3 or higher, the NAT commands would need to be adjusted to account for the newer syntax.

0 Helpful

johntampac
Level 1
Level 1
In response to Marvin Rhoads

‎09-27-2014 12:10 PM

Hello Marvin,

Thank you for your respond.

In my case, in creating the VPN what is your source network?

Thank you.

Regards

John

 

0 Helpful
Customers Also Viewed These Support Documents