02-01-2014 08:34 PM
Hello All,
I have a site to site VPN setup (both sites have Cisco ASAs) where my internal network is 192.168.1.0/24 and the other site's internal network happens to have the exact same internal network. Is there a way that I can NAT my internal address to 172.18.1.0/24 and have that work? It should then allow both sites to successfully communicate. Thank you.
02-02-2014 05:58 AM
Hi,
You will have to NAT at both ends of the L2L VPN connection. This is because even if you NAT the other end to a different network it will still mean that this site would have to connect to a destination address that is seemingly in its own network and the connections would fail.
The configuration format depends on your ASA's software level.
Software 8.2 (and below)
access-list L2LVPN-POLICYNAT remark Policy NAT for L2L VPN
access-list L2LVPN-POLICYNAT permit
static (inside,outside)
Software 8.3 (and above)
object network LAN
subnet
object network LAN-NAT
subnet
object network REMOTE
subnet
nat (inside,outside) source static LAN LAN-NAT destination static REMOTE REMOTE
Be sure to use the correct networks in the above statements. The destination network in the configurations is naturally the NAT network the other site is using.
In the same way you will have to make sure that your L2L VPN connection's crypto ACL uses the local NAT network as the source and the remote NAT network as the destination.
Hope this helps
- Jouni
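A small model of the two-sided NAT Jouni describes, added here as an illustration rather than anything posted in the thread; it assumes site A translates to 172.18.1.0/24 (from the question) and site B to a constructed 172.18.2.0/24, with hosts .10 and .20 also constructed.

```python
# Added example (not from the original thread): a model of the twice NAT rule
# "nat (inside,outside) source static LAN LAN-NAT destination static REMOTE REMOTE"
# applied at BOTH ends of the L2L VPN, showing why the overlapping
# 192.168.1.0/24 sites only talk once both ends translate.
# Assumed values: site A NATs to 172.18.1.0/24 (from the question), site B NATs
# to 172.18.2.0/24 (constructed); hosts .10 and .20 are constructed.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")          # real subnet, identical at both sites

# (real local net, NAT'd local net, remote NAT'd net): one NAT line per site.
SITE_A = (LAN, ip_network("172.18.1.0/24"), ip_network("172.18.2.0/24"))
SITE_B = (LAN, ip_network("172.18.2.0/24"), ip_network("172.18.1.0/24"))

def map_host(addr, src_net, dst_net):
    """Net-to-net static NAT: keep the host bits, swap the network prefix."""
    offset = int(addr) - int(src_net.network_address)
    return ip_address(int(dst_net.network_address) + offset)

def outbound(site, src, dst):
    """ASA egress: translate the source only when the destination is the remote NAT net."""
    real, nat, remote = site
    if src in real and dst in remote:
        return map_host(src, real, nat), dst
    return src, dst                              # no rule matched: untranslated

def inbound(site, src, dst):
    """ASA ingress from the tunnel: un-translate our NAT net back to the real one."""
    real, nat, remote = site
    if dst in nat and src in remote:
        return src, map_host(dst, nat, real)
    return src, dst

def crypto_acl_matches(site, src, dst):
    """The crypto ACL is written in terms of the NAT'd networks, as the reply says."""
    real, nat, remote = site
    return src in nat and dst in remote

def reaches(local, remote_site, src, dst):
    """Full path local->remote; returns (src, dst) as seen by the far host, or None."""
    if dst in LAN:                  # one-sided NAT: dst looks local, never routed to the ASA
        return None
    src, dst = outbound(local, src, dst)
    if not crypto_acl_matches(local, src, dst):
        return None                 # not interesting traffic, tunnel never used
    return inbound(remote_site, src, dst)
```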
02-02-2014 11:35 AM
Thank you, this has been very helpful. Hopefully I won't break anything!
- Gabe