
adding more than one global inside

Tshi M
Level 5

We need to establish two site-to-site VPN sessions with different vendors. The problem is that each vendor is requesting us to use a specific IP range that they are providing to us and want us to statically NAT static (inside,outside) each workstation on our side that will connect to their network.

I am reluctant to do this because the config will become cumbersome but I might have to do it anyway.

This is the first time I have this type of request and was wondering if I can use global (inside) for each private network that we will connect to? Example is attached.

We also have some site-to-site VPNs that don't require this type of setting.


bthibode
Level 1

Hello,

The easiest way to get this done, in my opinion, would be to use the static command in your policy nat. Let's say that your internal network is 172.16.1.0/24 and they want you to show up as 192.168.5.0/24. We'll also say the remote network you're trying to reach is 10.15.15.0/24. In that case, you would do something like this:

access-list policy_nat permit ip 172.16.1.0 255.255.255.0 10.15.15.0 255.255.255.0

static (inside,outside) 192.168.5.0 access-list policy_nat

This will translate your network to the desired network only when you try to reach the remote network across the VPN.

Hope this helps!

Bryan

I am a bit concerned using that since I already have an access-list nonat and also have nat (inside) 0 access-list nonat.

The current access-list nonat is used for the existing L-2-L that we have.

This posting was helpful since it leads me to my solution. However, the goal was to do a one on one static nat translation.

Thanks,
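
On the concern above about an existing nat (inside) 0 access-list nonat: in the pre-8.3 PIX/ASA syntax used in this thread, NAT exemption is matched before static policy NAT, so a per-workstation policy static only takes effect when no nonat entry overlaps its source/destination pair. The script below is an added example, not part of any post in this thread, that checks a config for such overlaps; the ACL names vendor_a_ws1 and vendor_b_ws1 and every address not mentioned in the thread are constructed.

```python
import ipaddress

# Constructed sample config (pre-8.3 PIX/ASA syntax, as used in this thread).
# 172.16.1.0/24, 192.168.5.x and 10.15.15.0/24 come from the thread; every
# other address and all ACL names except "nonat" are made up for the example.
SAMPLE = """\
access-list nonat permit ip 172.16.1.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list nonat permit ip 172.16.1.0 255.255.255.0 10.15.0.0 255.255.0.0
nat (inside) 0 access-list nonat
access-list vendor_a_ws1 permit ip host 172.16.1.10 10.15.15.0 255.255.255.0
static (inside,outside) 192.168.5.10 access-list vendor_a_ws1
access-list vendor_b_ws1 permit ip host 172.16.1.10 10.30.30.0 255.255.255.0
static (inside,outside) 192.168.6.10 access-list vendor_b_ws1
"""

def _nets(tokens):
    """Turn 'host A' / 'any' / 'NET MASK' address tokens into ip_network objects."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "host":
            out.append(ipaddress.ip_network(tokens[i + 1] + "/32")); i += 2
        elif tokens[i] == "any":
            out.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        else:
            out.append(ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}")); i += 2
    return out

def exemption_conflicts(config):
    """Return (acl, source, destination) for each policy-static ACL entry that a
    'nat 0' exemption ACL entry overlaps, i.e. traffic that would be exempted
    from NAT before the policy static is ever consulted."""
    acls, exempt_names, static_names = {}, set(), set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and "permit" in tok and "ip" in tok:
            src, dst = _nets(tok[tok.index("ip") + 1:])
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[:1] == ["nat"] and "access-list" in tok and tok[2] == "0":
            exempt_names.add(tok[-1])
        elif tok[:1] == ["static"] and "access-list" in tok:
            static_names.add(tok[-1])
    exempt = [e for n in exempt_names for e in acls.get(n, [])]
    return [(name, str(s), str(d))
            for name in sorted(static_names) for s, d in acls.get(name, [])
            if any(s.overlaps(es) and d.overlaps(ed) for es, ed in exempt)]

if __name__ == "__main__":
    for hit in exemption_conflicts(SAMPLE):
        print("exempted before policy static applies:", *hit)
```

Only permit ip entries are parsed. The crypto ACL for each vendor tunnel also has to match the translated source address, which this check does not cover.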
