VPN tunnel and NAT

Answered Question
Aug 31st, 2007

Hi. I'm trying to establish a LAN-to-LAN IPSec VPN tunnel from my ASA5510 to another network but hit a little snag. My counterpart on the other side informed me that he already has a VPN tunnel to another company that has the same IP range as my network (10.100.16.0/24) and can't create the tunnel.

I was wondering whether there is a way to use NAT on the VPN tunnel so that the traffic that goes from my network over the VPN tunnel gets translated and my counterpart on the other side sees this translated IP range?

Thanks in advance for any help.

Jon Marshall Fri, 08/31/2007 - 13:30

Hi


Yes, this is perfectly possible. What you need to do is NAT your source IP addresses to some other address and then modify your crypto access-list. So, for example, let's say your original setup looks like this:


your network 192.168.5.0/24

remote network 172.16.5.0/24


your crypto access-list would look like:


access-list vpntraffic permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0


So you now NAT your 192.168.5.0/24 addresses to 192.168.20.1 (this can be any address you and the 3rd party agree on).


You need to update your crypto access-list as such:


access-list vpntraffic permit ip host 192.168.20.1 172.16.5.0 255.255.255.0


And the 3rd party needs to update their crypto map access-list as well.


HTH


Jon

IgorHamzic Fri, 08/31/2007 - 14:07

I think I get how it should work. But one thing still confuses me though as I am new with firewalls. I am already NATing the same range over the outside interface so they can access the internet using the IP address of the outside interface of the ASA. Could I use that existing NAT for the VPN tunnel towards the other company?

Correct Answer
Jon Marshall Fri, 08/31/2007 - 14:14

Hi


Yes you can use the same address as you already use for internet access.


Just update your crypto access-list to reflect the new address and make sure the third party does the same.


Jon

IgorHamzic Fri, 08/31/2007 - 14:41

Great, thanks for the fast response. So I can use the existing NAT or I can do a policy NAT for when the traffic goes to the other network over the VPN tunnel. I think I got everything I need now.
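The two options discussed in this thread (a dedicated policy NAT for the tunnel traffic, or simply reusing the outside-interface address already used for internet PAT) in ASA configuration form, as an added example that is not from the thread or from either poster. It uses Jon's sample addresses (inside 192.168.5.0/24, remote 172.16.5.0/24, agreed translated address 192.168.20.1) and the pre-8.3 NAT syntax that was current in 2007, with the equivalent 8.3+ "twice NAT" form at the end; the access-list and object names, the crypto map name and the OUTSIDE-IP placeholder are assumptions.

```cisco
! Added example, not configuration from the thread. Names (VPN-POLICY-NAT,
! vpntraffic, OUTSIDE_MAP, INSIDE-NET, REMOTE-NET, VPN-PAT) are assumed.

! --- Pre-8.3 ASA syntax ---------------------------------------------------

! Existing internet PAT, assumed to be present already: every inside host
! is hidden behind the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Option 1: policy NAT. Only traffic whose destination is the remote VPN
! network is translated, to the agreed address 192.168.20.1. Policy NAT
! (nat ... access-list) is evaluated before plain dynamic NAT, so this
! entry wins for 172.16.5.0/24 destinations and internet traffic is
! unaffected. A single global address means PAT (many-to-one).
access-list VPN-POLICY-NAT extended permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0
nat (inside) 2 access-list VPN-POLICY-NAT
global (outside) 2 192.168.20.1

! The crypto ACL must match the TRANSLATED source, because the ASA applies
! NAT before it looks up the crypto map for outbound traffic.
access-list vpntraffic extended permit ip host 192.168.20.1 172.16.5.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address vpntraffic

! Option 2: reuse the existing internet PAT address instead. No extra NAT
! lines; the crypto ACL simply names the outside interface address
! (<OUTSIDE-IP> is a placeholder for that address).
! access-list vpntraffic extended permit ip host <OUTSIDE-IP> 172.16.5.0 255.255.255.0

! Either way, the third party's crypto ACL must be the mirror image, e.g.
! for option 1:
!   access-list <their-name> extended permit ip 172.16.5.0 255.255.255.0 host 192.168.20.1

! --- Same policy NAT on ASA 8.3 and later (manual / "twice" NAT) --------
object network INSIDE-NET
 subnet 192.168.5.0 255.255.255.0
object network REMOTE-NET
 subnet 172.16.5.0 255.255.255.0
object network VPN-PAT
 host 192.168.20.1
! Source 192.168.5.0/24 becomes 192.168.20.1 only when the destination is
! 172.16.5.0/24; the destination itself is left untranslated.
nat (inside,outside) 1 source dynamic INSIDE-NET VPN-PAT destination static REMOTE-NET REMOTE-NET
```

Two things to check after applying this. First, because both options are PAT (many inside addresses behind one translated address), only your side can initiate connections through the tunnel; the remote side can answer but cannot reach a specific inside host, so if they need to initiate you would need a static one-to-one policy NAT to a spare range instead. Second, make sure no NAT exemption (`nat 0 access-list ...` pre-8.3, or an earlier twice-NAT rule on 8.3+) already matches traffic to 172.16.5.0/24, or the translation will never happen and the tunnel will not come up; `show xlate` (or `show nat` on 8.3+) confirms the translation and `show crypto ipsec sa` confirms that the security association is built for 192.168.20.1 rather than 192.168.5.0/24.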
