Multiple VPNs to different companies using the same IP address range

Unanswered Question
Mar 9th, 2007

Our hospital needs many LAN-to-LAN VPNs to different other hospitals. Some of the other hospitals use the same private IP range. We have an ASA5510; most other hospitals have WatchGuard. Is it possible to solve this with NATing? Is there a way to define different NATing for every tunnel?

kaachary Fri, 03/09/2007 - 04:50

Yes, you can have the subnet natted specifically for this tunnel.

You can use policy based natting for this.

It's always a good idea to do NAT on both the ends, to avoid complexity in the config.

*Please rate if this helped.

-Kanishka

jlievens@hhr.be Fri, 03/09/2007 - 04:58

Could you give me a clue on how to configure this on the ASA5510? I've been searching in ASDM and, as far as I can find out, in policy NATing I can filter on interface, on IP address and on protocol, but not on tunnel?

kaachary Fri, 03/09/2007 - 05:10

Giving you an example:

Let's say the network on both the ends is 192.168.1.0/24.

On WatchGuard they NAT it to 192.168.2.0/24.

On your side, say, you NAT it to 192.168.3.0/24.

The policy nat statements would be like this:

1: Create an ACL to identify traffic:

access-list policy_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Define a static NAT with policy:

static (inside,outside) 192.168.3.0 access-list policy_nat

And your crypto ACL would look like:

access-list cry_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

You should be good to go!

*Please rate if helped.

-Kanishka

jlievens@hhr.be Fri, 03/09/2007 - 05:17

Thank you for your effort.

But my configuration is somewhat different. My subnet is 172.18.5.0/24 and I want 2 tunnels to 2 different companies that both use subnet 192.168.150.0/24.

I don't know if the WatchGuards at the other end can NAT their source IP to something different.
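
Added example, not part of any post in this thread: a small Python check of the addressing arithmetic discussed above. It maps a host through a network-to-network static NAT using the 192.168.1.0/24 to 192.168.3.0/24 ranges from the reply, and flags tunnel plans in which two remote sites are presented to the local LAN as overlapping ranges. The `10.150.x.0/24` translated ranges, the tunnel names and the function names are hypothetical, and the overlap rule is a stated assumption of this sketch rather than ASA behaviour taken from the thread.

```python
import ipaddress
from itertools import combinations

def static_net_nat(addr, real_net, mapped_net):
    """Network-to-network static NAT: keep the host bits, swap the prefix."""
    real = ipaddress.ip_network(real_net)
    mapped = ipaddress.ip_network(mapped_net)
    ip = ipaddress.ip_address(addr)
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("real and mapped networks must be the same size")
    if ip not in real:
        raise ValueError(f"{ip} is outside {real}")
    return str(mapped.network_address + (int(ip) - int(real.network_address)))

def ambiguous_tunnels(tunnels):
    """Return pairs of tunnel names whose remote range, as addressed from the
    local LAN, overlaps. Assumption of this sketch: local hosts pick a site
    purely by destination address, so overlapping ranges cannot be told apart."""
    clashes = []
    for a, b in combinations(tunnels, 2):
        if ipaddress.ip_network(a["remote_seen"]).overlaps(
                ipaddress.ip_network(b["remote_seen"])):
            clashes.append((a["name"], b["name"]))
    return clashes

# Constructed plan for the asker's case (local 172.18.5.0/24, no remote NAT).
AS_IS = [
    {"name": "company-a", "remote_seen": "192.168.150.0/24"},
    {"name": "company-b", "remote_seen": "192.168.150.0/24"},
]
# Hypothetical translated ranges, chosen only for illustration.
WITH_REMOTE_NAT = [
    {"name": "company-a", "remote_seen": "10.150.1.0/24"},
    {"name": "company-b", "remote_seen": "10.150.2.0/24"},
]

if __name__ == "__main__":
    # Ranges from the reply: 192.168.1.0/24 presented as 192.168.3.0/24.
    print(static_net_nat("192.168.1.57", "192.168.1.0/24", "192.168.3.0/24"))
    print(ambiguous_tunnels(AS_IS))
    print(ambiguous_tunnels(WITH_REMOTE_NAT))
```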
