06-23-2015 11:36 AM
I need to set up a L2L IPSEC tunnel between 2 ASA firewalls. The communication will be bi-directional. The encrypted traffic will consist of a single host in a DMZ communicating with a single remote host. Let's assume host A at site A is 10.10.10.20 and remote host B at site B is 192.168.100.10. I need host A to be translated to address 172.16.10.20 (this will actually be a public IP) only when it involves the VPN. Remote host B does not need to be NAT'd itself, but it will need to point to host A's 172.16.10.20 NAT address when it initiates. How do I set up the NAT at Site A so it only NATs for the VPN, and not when it sends regular outbound traffic? Site A has an ASA 5520 running 8.2 code. The 10.10.10.20 server sits behind an interface named DMZ and the crypto map is bound to the "outside" interface. Thank you
06-29-2015 06:52 AM
Hi mjsully,
You need a static policy NAT.
access-list NET1 permit ip host 10.10.10.20 host 192.168.100.10
static (DMZ,outside) 172.16.10.20 access-list NET1
Now include host IP 172.16.10.20 in the crypto ACL.
thanks
Rizwan Rafeek
06-29-2015 06:52 AM
Thanks very much for that help. One more question. What if I wanted to add a 2nd VPN tunnel, as my example above is for testing? Once that is set up, I also need to set up a 2nd VPN for production traffic. The local host at Site A will remain the same, 10.10.10.20. But the remote destination will be a different IP, it will be 192.168.100.11 (instead of 192.168.100.10). My question is can my local host use the same NAT address 172.15.10.20 with the 2nd tunnel as it does with the first one? Can a static NAT use an access-list that has more than one host in it, meaning can I simply add the following and have 2 entries for my static ACL?:
access-list NET1 permit ip host 10.10.10.20 host 192.168.100.11
06-29-2015 12:06 PM
Hi there,
"My question is can my local host use the same NAT address 172.15.10.20 with the 2nd tunnel as it does with the first one?"
Yes, you can.
"Can a static NAT use an access-list that has more than one host in it, meaning can I simply add the following and have 2 entries for my static ACL?"
Yes, you can; change only the remote host address in ACL NET1.
Hope that answers your questions.
Thanks
Rizwan Rafeek.
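To make the two answers above concrete (policy NAT on the DMZ host only for VPN peers, the crypto ACL written against the translated address, and a second ACE in NET1 for the production peer), here is an added model of the ASA 8.2 order of operations. It is example code, not anything posted in the thread or part of Cisco's software; the ACL entries, the 203.0.113.5 Internet destination and the deliberately wrong crypto ACL are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One 'permit ip host SRC host DST' entry of an ASA extended ACL (constructed model)."""
    src: str
    dst: str

    def matches(self, src: str, dst: str) -> bool:
        return self.src == src and self.dst == dst


# Constructed config mirroring the thread:
#   access-list NET1 permit ip host 10.10.10.20 host 192.168.100.10
#   access-list NET1 permit ip host 10.10.10.20 host 192.168.100.11
#   static (DMZ,outside) 172.16.10.20 access-list NET1
POLICY_NAT_ACL = [Ace("10.10.10.20", "192.168.100.10"),
                  Ace("10.10.10.20", "192.168.100.11")]
STATIC_MAPPED = "172.16.10.20"
# Crypto ACL must name the *translated* host, as the first answer says.
CRYPTO_ACL = [Ace(STATIC_MAPPED, "192.168.100.10"),
              Ace(STATIC_MAPPED, "192.168.100.11")]
# Common mistake (constructed): crypto ACL written with the real DMZ address.
WRONG_CRYPTO_ACL = [Ace("10.10.10.20", "192.168.100.10")]


def outbound(src: str, dst: str, crypto_acl=CRYPTO_ACL) -> dict:
    """DMZ -> outside: policy NAT is applied first, then the crypto map is
    matched against the already-translated header."""
    translated = any(a.matches(src, dst) for a in POLICY_NAT_ACL)
    new_src = STATIC_MAPPED if translated else src
    encrypted = any(a.matches(new_src, dst) for a in crypto_acl)
    return {"src": new_src, "dst": dst, "nat": translated, "vpn": encrypted}


def inbound(src: str, dst: str) -> dict:
    """outside -> DMZ: the same static entry un-translates traffic that a
    remote peer initiates toward the mapped address (bidirectional NAT)."""
    for a in POLICY_NAT_ACL:
        if dst == STATIC_MAPPED and a.dst == src:
            return {"src": src, "dst": a.src, "nat": True}
    return {"src": src, "dst": dst, "nat": False}


if __name__ == "__main__":
    print(outbound("10.10.10.20", "192.168.100.11"))   # translated and encrypted
    print(outbound("10.10.10.20", "203.0.113.5"))      # plain Internet traffic: untouched
    print(outbound("10.10.10.20", "192.168.100.10", WRONG_CRYPTO_ACL))  # vpn False
```

Regular outbound traffic from 10.10.10.20 never matches NET1, so it falls through to whatever other NAT rules the ASA has, while both VPN peers see the single 172.16.10.20 address.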