03-09-2007 03:10 AM - edited 02-21-2020 02:54 PM
Our hospital needs many LAN-to-LAN VPNs to various other hospitals. Some of the other hospitals use the same private IP range. We have an ASA5510; most other hospitals have WatchGuard. Is it possible to solve this with NATting? Is there a way to define different NATting for every tunnel?
03-09-2007 04:50 AM
Yes, you can have the subnet natted specifically for this tunnel.
You can use policy based natting for this.
It's always a good idea to do NAT on both ends, to avoid complexity in the config.
*Please rate if this helped.
-Kanishka
03-09-2007 04:58 AM
Could you give me a clue on how to configure this on the ASA5510? I've been searching in ASDM and, as far as I can find out, in policy NATting I can filter on interface, on IP address and on protocol, but not on tunnel?
03-09-2007 05:10 AM
Giving you an example:
Let's say the network on both ends is 192.168.1.0/24.
On the WatchGuard they NAT it to 192.168.2.0/24.
On your side, say, you NAT it to 192.168.3.0/24.
The policy NAT statements would be like this:
1: Create an ACL to identify the traffic:
access-list policy_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Define a static NAT with the policy:
static (inside,outside) 192.168.3.0 access-list policy_nat
And your crypto ACL would look like:
access-list cry_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
You should be good to go !
*Please rate if helped.
-Kanishka
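Added example, not part of the original thread and not Cisco code: a small Python model of the policy NAT described in the post above, which translates a source address only when the destination matches the per-tunnel ACL, and which flags tunnel plans whose remote subnets cannot be told apart. The `Tunnel` class, the function names and the tunnel names are hypothetical; the addresses are the ones quoted in this thread, with the two-company case assumed to need no local NAT.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Tunnel:
    name: str      # hypothetical label for the peer
    real: str      # local subnet as configured on the inside hosts
    mapped: str    # what the peer sees after policy NAT
    remote: str    # peer subnet as seen from this side (after the peer's NAT)

    def nets(self):
        return tuple(ipaddress.ip_network(n) for n in (self.real, self.mapped, self.remote))

def policy_nat(src, dst, tunnels):
    """Return (tunnel name, translated source) for the first tunnel whose
    policy-NAT ACL (real -> remote) matches, or None when no policy applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for t in tunnels:
        real, mapped, remote = t.nets()
        if src in real and dst in remote:
            # Net-to-net static: keep the host offset, swap the network part.
            offset = int(src) - int(real.network_address)
            return t.name, str(mapped.network_address + offset)
    return None

def conflicts(tunnels):
    """List problems that make per-tunnel traffic selection ambiguous."""
    found = []
    for i, a in enumerate(tunnels):
        a_real, a_mapped, a_remote = a.nets()
        if a_real.prefixlen != a_mapped.prefixlen:
            found.append(f"{a.name}: real and mapped prefix lengths differ")
        if a_remote.overlaps(a_real):
            found.append(f"{a.name}: remote overlaps local real subnet")
        for b in tunnels[i + 1:]:
            if a_remote.overlaps(b.nets()[2]):
                found.append(f"{a.name}/{b.name}: remote subnets overlap")
    return found

# Constructed plans using the subnets quoted in the thread.
THREAD_EXAMPLE = [Tunnel("watchguard_peer", "192.168.1.0/24", "192.168.3.0/24", "192.168.2.0/24")]
TWO_COMPANIES = [
    Tunnel("company_a", "172.18.5.0/24", "172.18.5.0/24", "192.168.150.0/24"),
    Tunnel("company_b", "172.18.5.0/24", "172.18.5.0/24", "192.168.150.0/24"),
]

if __name__ == "__main__":
    print(policy_nat("192.168.1.25", "192.168.2.10", THREAD_EXAMPLE))
    print(conflicts(TWO_COMPANIES))
```

When two tunnels report overlapping remote subnets, their crypto ACLs select the same traffic and only the first matching crypto map entry is used, so each peer has to be reachable through a distinct range.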
03-09-2007 05:17 AM
Thank you for your effort.
But my configuration is somewhat different. My subnet is 172.18.5.0/24 and I want 2 tunnels to 2 different companies that both use subnet 192.168.150.0/24.
I don't know if the WatchGuards at the other end can NAT their source IP to something different.