VPN Tunnels with NAT

Answered Question
Feb 24th, 2007

I have read over several of the messages on the subject and still think I am missing something, so I am looking for assistance.

Basically, I am in the process of setting up multiple VPN tunnels to various external connections. We are trying to keep the external "private" addresses out of our core network using NAT.

I can get the Tunnel to work without issue using the NONAT ACL; however, this requires that our internal network is aware of their external "private" addresses. Our goal is to enter an Inside address which is NAT'd to the external "private" address and then transported via the VPN tunnel. Basically hiding the external "private" address from our internal systems as they would appear as thought the connection was one of our own networks.

The reverse is true coming from their external "private" network. Any sourced information from their external "private" network would be translated into our "private" address space upon arrival.

Can this be done? I have attached a diagram, which might help.

I have this problem too.
0 votes
Correct Answer by Jon Marshall about 9 years 7 months ago

Hi

Yes this should be possible. Lets say you allocate 10.112.2.250 as the address you are using to present the external server 192.168.10.10.

On your ASA device

static (outside,inside) 10.112.2.250 192.168.10.10 netmask 255.255.255.255

You will need to make sure that when your system tries to connect to 10.112.2.250 that it gets routed to the ASA device.

HTH

Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Jon Marshall Sat, 02/24/2007 - 15:04

Hi

Yes this should be possible. Lets say you allocate 10.112.2.250 as the address you are using to present the external server 192.168.10.10.

On your ASA device

static (outside,inside) 10.112.2.250 192.168.10.10 netmask 255.255.255.255

You will need to make sure that when your system tries to connect to 10.112.2.250 that it gets routed to the ASA device.

HTH

Jon

gpuckett63 Mon, 02/26/2007 - 18:10

Entered the configuration you recommended above and it worked great. Thanks for your help.

Actions

This Discussion