VPN client pool NAT

Riju Kalarickal
Level 1

OS - 8.3

vpn client pool - 10.10.10.0/24

Remote network across L2L - 20.20.20.0/24

The remote network (20.20.20.0/24) accepts traffic only from 30.30.30.0/24

I cannot use 30.30.30.0/24 as my dhcp pool because it is too small and I have a much wider userbase.

How do I do the translation to accomplish this?

4 Replies

Vikas Saxena
Cisco Employee

Go through this and modify your configuration as needed.

https://supportforums.cisco.com/docs/DOC-11640

I have already seen this. There is no translation required in the example shown whereas I need NAT translation.

I want vpn client pool (10.10.10.0/24) to translate to accepted IP by remote ASA (30.30.30.30/32) and no-nat tunnel to Remote ASA L2L(20.20.20.0/24)

I am stuck here. any idea how to achieve this?

Hi,

The commands would be as below:

object network POOL
 subnet 10.10.10.0 255.255.255.0
object network REM_L2L
 subnet 20.20.20.0 255.255.255.0
object network NAT_IP
 host 30.30.30.30
nat (outside,outside) source dynamic POOL NAT_IP destination static REM_L2L REM_L2L

This should NAT your VPN clients to 30.30.30.30 when accessing the remote L2L. I am assuming you have all the U-turning commands already in place based on the above document. Please note that the crypto ACL in this case would be:

Local ASA:

from 30.30.30.30 to 20.20.20.20/24

On remote end:

from 20.20.20.0/24 to 30.30.30.30.

On the split tunnel ACL for VPN client (if there is one), ensure to add the network 20.20.20.0/24.

Let me know how it goes!!

Cheers,

prapanch
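For reference, the surrounding ASA 8.3 pieces the reply above refers to (the U-turn permission, a crypto ACL written against the translated address, the split-tunnel list) together with a packet-tracer check, as an added example that is not part of any reply in this thread; the object, ACL, crypto-map and group-policy names and the <REMOTE_PEER_IP> placeholder are assumed, and the crypto map is shown only as far as the match/peer lines.

```cisco
! Allow VPN client traffic to hairpin back out the outside interface (client -> L2L)
same-security-traffic permit intra-interface

! Objects (names assumed for this example)
object network VPN_POOL
 subnet 10.10.10.0 255.255.255.0
object network REM_L2L
 subnet 20.20.20.0 255.255.255.0
object network NAT_IP
 host 30.30.30.30

! Twice NAT: clients appear as 30.30.30.30 (PAT, single mapped address) only when
! the destination is 20.20.20.0/24; other client traffic is not touched by this rule
nat (outside,outside) source dynamic VPN_POOL NAT_IP destination static REM_L2L REM_L2L

! Crypto ACL must match the post-NAT source (30.30.30.30), not the client pool
access-list L2L_CRYPTO extended permit ip host 30.30.30.30 20.20.20.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer <REMOTE_PEER_IP>

! Split tunnel: the client must send 20.20.20.0/24 into the VPN tunnel
access-list SPLIT_TUNNEL standard permit 20.20.20.0 255.255.255.0
group-policy VPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Verify: a constructed client flow 10.10.10.5 -> 20.20.20.10 should hit the
! (outside,outside) NAT rule and end in the VPN encrypt phase
packet-tracer input outside tcp 10.10.10.5 12345 20.20.20.10 80
show nat detail
```

If packet-tracer stops before the NAT phase, check that same-security-traffic permit intra-interface is present and that the remote end's crypto ACL and NAT exemption reference 30.30.30.30 rather than the 10.10.10.0/24 pool.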