Multiple VPNs to different companies using the same IP address range

Unanswered Question
Mar 9th, 2007

Our hospital needs many LAN-to-LAN VPNs to different other hospitals. Some of the other hospitals use the same private IP range. We have an ASA5510; most other hospitals have WatchGuard. Is it possible to solve this with natting? Is there a way to define different natting for every tunnel?

kaachary Fri, 03/09/2007 - 04:50

Yes, you can have the subnet natted specifically for this tunnel.

You can use policy based natting for this.

It's always a good idea to do NAT on both the ends, to avoid complexity in the config.

*Please rate if this helped.

-Kanishka Fri, 03/09/2007 - 04:58

Could you give me a clue on how to configure this on the ASA5510? I've been searching in ASDM and, as far as I can find out, in policy natting I can filter on interface, on IP address and on protocol, but not on tunnel?

kaachary Fri, 03/09/2007 - 05:10

Giving you an example:

Let's say the network on both the ends is

On WatchGuard they nat it to

On your side, say, you nat it to

The policy nat statements would be like this:

1: Create an ACL to identify traffic:

access-list policy_nat

Define a static NAT with policy:

static (inside,outside) access-list policy_nat

And your crypto ACL would look like:

access-list cry_acl

You should be good to go!

*Please rate if helped.

-Kanishka Fri, 03/09/2007 - 05:17

Thank you for your effort.

But my configuration is somewhat different. My subnet is and I want 2 tunnels to 2 different companies that both use subnet

I don't know if the watchguards at the other end can nat their source-ip to something different.
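
An added example, not part of any post in this thread: the policy NAT steps from the reply above, extended to two tunnels, in the NAT syntax of ASA software before 8.3. Every address, the `_a`/`_b` ACL names and the crypto map name `outside_map` are constructed, and it assumes each remote firewall translates its own subnet to a distinct range, as the reply recommends.

```cisco
! Constructed addresses (assumptions, not values from the thread):
!   real inside subnet, used here and at both remote sites   192.168.1.0/24
!   our subnet as presented to hospital A                     10.10.1.0/24
!   our subnet as presented to hospital B                     10.10.2.0/24
!   hospital A as translated by its own firewall              10.20.1.0/24
!   hospital B as translated by its own firewall              10.20.2.0/24

! 1. One ACL per tunnel. The destination (the peer's translated range)
!    is what selects the NAT rule; there is no "per tunnel" selector.
access-list policy_nat_a extended permit ip 192.168.1.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list policy_nat_b extended permit ip 192.168.1.0 255.255.255.0 10.20.2.0 255.255.255.0

! 2. Policy static NAT: the same real subnet gets a different mapped
!    range depending on which ACL the traffic matches.
static (inside,outside) 10.10.1.0 access-list policy_nat_a
static (inside,outside) 10.10.2.0 access-list policy_nat_b

! 3. Crypto ACLs match the translated source, because NAT is applied
!    before encryption. Keep each one limited to a single peer's range
!    so traffic for one hospital can never be sent down the other tunnel.
access-list cry_acl_a extended permit ip 10.10.1.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list cry_acl_b extended permit ip 10.10.2.0 255.255.255.0 10.20.2.0 255.255.255.0

! 4. Bind each crypto ACL to its own crypto map entry (peer, transform
!    set and tunnel-group lines omitted; they are site-specific).
crypto map outside_map 10 match address cry_acl_a
crypto map outside_map 20 match address cry_acl_b
```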

