10-19-2010 05:14 AM
I have this situation:
192.168.1.0(inside) on ASA1 ===VPN1 tunnel=== 192.168.0.0(inside) on ASA2 ===VPN2 tunnel === 10.0.0.0(inside) on ASA3
VPN1 and VPN2 are configured on the same outside interface of ASA2 (212.65.218.190).
VPN1 connects internal networks 192.168.1.0 and 192.168.0.0 only.
VPN2 connects internal networks 192.168.0.0 and 10.0.0.0 only.
ASA3 is in HQ and I have limited possibilities to configure it. Another 10 sites are connected to ASA3, and one of these sites has 192.168.1.0 (maybe VPN3).
So, I would like traffic from IP 192.168.1.142 (on ASA1) to reach 10.10.1.1 (ASA3). Can I do some NAT in ASA1 or ASA2 (or both) so that IP 192.168.1.142 will be NATed to, for example, 192.168.0.142 (internal of ASA2)? System 10.10.1.1 will see 192.168.0.142, not the real 192.168.1.142.
Can somebody help me? I tried to find a similar example but without success.
Josef
10-19-2010 11:00 AM
Here is a close example which I found.
Basically, you need to do the following.
1. On ASA1, you need an entry in the ACL for both the crypto map and NAT 0 to include traffic between 192.168.1.142 and 10.10.1.1.
2. On ASA3, you need an entry in the ACL for both the crypto map and NAT 0 to include traffic between 10.10.1.1 and 192.168.1.142.
3. On ASA2, you need the following:
- same-security-traffic permit intra-interface
- in the ACL of the crypto map for tunnel 1, you need permit 10.10.1.1 to 192.168.1.142
- in the ACL of the crypto map for tunnel 2, you need permit 192.168.1.142 to 10.10.1.1
10-19-2010 11:27 PM
Thanks for your reply.
Maybe I didn't explain my situation exactly, because
an entry in the ACL for both the crypto map and NAT 0 to include traffic between 10.10.1.1 and 192.168.1.142
is not suitable. This is my situation in more detail:
192.168.1.0(inside) =VPN1= 192.168.0.0(inside) =VPN2= 10.0.0.0(inside) =VPN4= 192.168.1.0(inside)
       ASA1                    ASA2                    ASA3                   ASA4
I need connection from system 192.168.1.142 from inside LAN of ASA1 to system 10.10.1.1 in inside LAN of ASA3.
ASA3 has connection to whole LAN 192.168.1.0 by tunnel VPN4.
My question is whether it is possible to do a NATed connection (LAN overlap) for one system from the inside LAN of ASA1 to the inside LAN of ASA3.
192.168.1.142 ------------------------NATed to 192.168.0.142------------------------>10.10.1.1
System 10.10.1.1 will communicate with 192.168.0.142, which is NATed in ASA2 or ASA1 back to 192.168.1.142.
192.168.1.142 <-----------------------192.168.0.142 NATed back to 192.168.1.142 <-------------------- 10.10.1.1
Josef
10-20-2010 08:51 AM
Ok, you did not mention that you have overlapping IPs here.
Yes, you can NAT 192.168.1.142 to 192.168.0.142 at ASA1.
To clarify, both VPN1 and VPN2 are terminated on the same interface on ASA2.
If this is the case, the method in my first post still applies, since you have U-turn traffic here.
Since NAT goes before crypto, in your crypto map ACL you have to use 192.168.0.142 instead of 192.168.1.142.
Also, do not include 192.168.1.142 to 10.10.1.1 in the ACL for NAT 0.
One more thing: since 192.168.0.142 is in the same subnet as the ASA2 inside interface, I am not sure whether it might cause anything or not. You should not disable proxy ARP on the ASA2 inside interface (enabled by default, if I remember correctly).
If it still does not work, I would suggest using another NATed IP.
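The three-box configuration the replies describe, written out as one added example (it is not from the thread or from Cisco documentation). It assumes pre-8.3 ASA NAT syntax (the replies use "nat 0", which only exists before 8.3), that 10.10.1.1 lies in 10.0.0.0/8 behind ASA3, placeholder outside addresses 203.0.113.1 for ASA1 and 198.51.100.1 for ASA3, and a transform set named ESP-AES-SHA; every ACL and crypto map name is made up for the example.

```cisco
! ===== ASA1 (inside 192.168.1.0/24, VPN1 to ASA2 at 212.65.218.190) =====
! NAT exemption for normal LAN-to-LAN traffic. It deliberately does NOT
! include 192.168.1.142 -> 10.10.1.1: exemption is evaluated before static
! NAT, so that entry would send the host out untranslated.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Policy static NAT: only when 192.168.1.142 talks to 10.10.1.1 is it
! presented as 192.168.0.142; all its other traffic is left alone.
access-list NAT-TO-HQ extended permit ip host 192.168.1.142 host 10.10.1.1
static (inside,outside) 192.168.0.142 access-list NAT-TO-HQ

! Crypto ACL for VPN1. NAT runs before the crypto map match, so the
! interesting-traffic line uses the translated address, not 192.168.1.142.
access-list VPN1-CRYPTO extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list VPN1-CRYPTO extended permit ip host 192.168.0.142 host 10.10.1.1
crypto map OUTSIDE-MAP 10 match address VPN1-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 212.65.218.190
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! ===== ASA2 (inside 192.168.0.0/24, VPN1 and VPN2 both on outside) =====
! Required for the U-turn: a packet decrypted on outside may leave
! encrypted on the same outside interface.
same-security-traffic permit intra-interface

! VPN1 (to ASA1): LAN-to-LAN plus the HQ -> translated-host return leg.
access-list VPN1-CRYPTO extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN1-CRYPTO extended permit ip host 10.10.1.1 host 192.168.0.142
! VPN2 (to ASA3): LAN-to-LAN plus translated host -> HQ. If the /24 -> /8
! line already exists on both ends, the host line is redundant but harmless.
access-list VPN2-CRYPTO extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list VPN2-CRYPTO extended permit ip host 192.168.0.142 host 10.10.1.1

crypto map OUTSIDE-MAP 10 match address VPN1-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 20 match address VPN2-CRYPTO
crypto map OUTSIDE-MAP 20 set peer 198.51.100.1
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! The hairpinned flow never touches inside, so its NAT exemption (needed
! only when nat-control is enabled) sits on the outside interface.
access-list NONAT-OUTSIDE extended permit ip host 10.10.1.1 host 192.168.0.142
nat (outside) 0 access-list NONAT-OUTSIDE

! ===== ASA3 (HQ, limited access) =====
! Nothing new is needed if VPN2's crypto ACL and NAT 0 already cover
! 10.0.0.0/8 <-> 192.168.0.0/24; otherwise add the host pair. The
! translated address lives in 192.168.0.0/24, so it never collides with
! the 192.168.1.0/24 that VPN4 claims on ASA3.
access-list VPN2-CRYPTO extended permit ip host 10.10.1.1 host 192.168.0.142
access-list NONAT extended permit ip host 10.10.1.1 host 192.168.0.142
```

One thing to check before trusting the 192.168.0.142 choice: on ASA2 the decrypted return packet from VPN2 is routed by the routing table, and 192.168.0.0/24 is a connected route on inside, so the ASA will try to deliver it on the inside LAN (where no such host answers) rather than hand it to VPN1. `show crypto ipsec sa peer 203.0.113.1` on ASA2 showing encaps but no decaps for the host pair, together with `packet-tracer input outside icmp 10.10.1.1 8 0 192.168.0.142`, makes this visible. The robust variant, which is what "use another NATed IP" points at, is a translated address from a subnet used nowhere in the topology (for example 192.168.250.142, a hypothetical value) plus `route outside 192.168.250.142 255.255.255.255 <outside-gateway>` on ASA2, with the same host substituted in every ACL above.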