ASA 5500 Site to Site VPN with NAT

Unanswered Question

Hi, I need some advice! We have a client that is asking us to provide a NAT IP Address for one of our devices but over a Site to Site VPN, basically their internal subnet clashes with ours and they are expecting to connect to our device over the VPN using an internet presented NAT IP.


We have an ASA5510 with 7.0(5), this devices terminates all VPN connections as well as providing the NAT for our internal LAN. I can't see how it is possible for me to provide what they want with only the ASA in place, I have studied the VPN configuration and every way that I turn makes no sense at all. I really want to be sure that I am right on this. I hope this makes sense, Many Thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
acomiskey Wed, 06/20/2007 - 06:32
User Badges:
  • Green, 3000 points or more

If I understand you correctly, you want the remote site to connect to an internal server with it's public ip address, but over the vpn tunnel. This is possible. Let's say you have something like this in your headend ASA, where 192.168.1.1 is the internal server they need access to...


static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255


Make sure the traffic is defined as interesting in your crypto acl...


access-list outside_cryptomap extended permit ip 192.168.1.1


Also, make sure NOT to exempt this traffic from nat...Does that make sense?

acomiskey Wed, 06/20/2007 - 06:47
User Badges:
  • Green, 3000 points or more

Also make sure the traffic is defined as interesting on the remote end, but it would be from their local subnet to 1.1.1.1, not 192.168.1.1.

Actions

This Discussion