
VPN to VPN NAT, How???

Tim Hamblin
Level 1

Hi all,

I have a small conundrum I hope someone can help with! We currently have several different company sites (A to Y) connecting to our network through site-to-site VPN tunnels on to our Cisco ASA 5550 running ASA 8.2(2). We also have a service (B) we access from our network using a site-to-site VPN tunnel established on the same firewall. We now need to allow the company sites (A to Y) to access the service (B), and they have to be NAT'd on the way through as the IP addresses clash with the service end!!

Can anyone lead me down the correct path for setting this up??  I am obviously ok with adding the company sites (A to Y) to the existing VPN to (B), that bit is relatively simple, it is the NAT which is causing me problems.  I have allocated a /24 to use to dynamically NAT the company sites (A to Y) but am unsure how to implement this NAT.

Any help greatly appreciated!!

Blimmer   

6 Replies

rizwanr74
Level 7

Hi Tim,

Please read the thread below from top to bottom; the requirement is the same as yours and a working solution has already been provided.

https://supportforums.cisco.com/message/3261236#3261236

thanks

Rizwan Rafeek.

Hi Rizwan,

Thanks for the solution, I have tried to set this up as suggested but I am getting little joy!!! I also have a requirement for our Cisco VPN clients to access this service and this is not working either.

Can anyone break this down into simpler steps for me!!!

Thanks in advance

Blimmer

johnnykaye
Level 1

Hello Tim,

Please post configs, or a list with the sites and the IP addresses (can be made up) to give a clearer description of what you want to achieve, and where you're currently at with all this.

Best,

Johnny

Hi there,

Been stuck on other things but this is now a priority so any help greatly appreciated!!  Here is the setup I have:

A  Inside Networks: 10.128.0.0/16, 128.200.0.0/16

B  RA VPN Clients: 172.17.2.0/24

C  Site to Site VPN: 10.64.0.0/24, 10.65.0.0/24, 10.95.0.0/24, 10.96.0.0/24

D  Site to Site VPN: 10.0.110.0/24

I would like B & C above to be able to get direct access to D. Because of other networks at D I am not able to pass C's traffic directly and need to NAT it on the firewall (will use 172.17.3.0/24 pool). What I am unsure about is where I need to put NAT rules and where I should be allowing traffic using ASDM (not so good with CLI). I believe all VPNs terminate in the middle of the firewall but I may be wrong?? Assuming they do then where would the access rules and NAT rule be placed in order to allow traffic back out across the D VPN?? I have allowed B & C across the VPN to D, do I need to allow D across the VPNs back to C addresses? Will I need to do anything on the RA VPN??

I have the following interfaces on the firewall:

Outside (212.24.93.25)

Newcompany (10.128.1.1)

Oldcompany (128.200.9.3)

I have attached my sanitised config (few names and passwords removed)

Help!!!

Tim Hamblin
Level 1

Hi all,

I have at last managed to fix this!!!

For reference, if anyone has similar issues: I had to allow the NAT range, not the pre-NAT addresses, across the VPN to Site D. I then had to edit the routers on each of the C sites to allow D to access them.

If anyone needs more detail let me know

Blimmer

Well done!

If you have the time, it would be nice to see the statements before and after; that would be more useful to others stumbling across the same issues some other time.

Best,

Johnny
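
The fix reported in this thread (permit the NAT range, not the pre-NAT addresses, across the VPN to site D) can be checked with a small model. This is an added example, not configuration or code from any poster: it uses the thread's addresses, while `DynamicNat`, `tunnel_to_d`, `ACL_BEFORE` and `ACL_AFTER` are hypothetical names, and it assumes a simplified ASA behaviour in which the source is translated before the tunnel's traffic selector (crypto ACL) is matched.

```python
import ipaddress

# Networks taken from the thread; the rule layout is a simplified model (assumption).
SITE_C = [ipaddress.ip_network(n) for n in
          ("10.64.0.0/24", "10.65.0.0/24", "10.95.0.0/24", "10.96.0.0/24")]
SITE_D = ipaddress.ip_network("10.0.110.0/24")
NAT_POOL = ipaddress.ip_network("172.17.3.0/24")


class DynamicNat:
    """Dynamic source NAT for C -> D traffic, one pool address per real host."""

    def __init__(self, pool):
        self.free = iter(pool.hosts())    # usable pool addresses, handed out in order
        self.xlate = {}                   # real source -> mapped source

    def translate(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst in SITE_D and any(src in net for net in SITE_C):
            if src not in self.xlate:
                self.xlate[src] = next(self.free)   # raises StopIteration when the pool is used up
            src = self.xlate[src]
        return src, dst


def tunnel_to_d(src, dst, crypto_acl, nat):
    """Return the source address D would see, or None if the packet misses the tunnel.

    The crypto ACL is evaluated after NAT, so it is compared with the mapped source.
    """
    mapped_src, dst = nat.translate(src, dst)
    for acl_src, acl_dst in crypto_acl:
        if mapped_src in acl_src and dst in acl_dst:
            return mapped_src
    return None


# "Before": traffic selector written with the real (pre-NAT) site C networks.
ACL_BEFORE = [(net, SITE_D) for net in SITE_C]
# "After": traffic selector written with the NAT range, as in the fix described above.
ACL_AFTER = [(NAT_POOL, SITE_D)]

if __name__ == "__main__":
    for name, acl in (("pre-NAT ACL", ACL_BEFORE), ("NAT-range ACL", ACL_AFTER)):
        seen = tunnel_to_d("10.64.0.25", "10.0.110.10", acl, DynamicNat(NAT_POOL))
        print(f"{name}: D sees {seen}")
```

Because the four /24 site C networks share one /24 pool in this model, the pool holds fewer addresses than the sites have hosts, so simultaneous sessions from many hosts can exhaust it.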