VPN tunnel and NAT

IgorHamzic
Level 1

Hi. I'm trying to establish a LAN-to-LAN IPsec VPN tunnel from my ASA 5510 to another network but hit a little snag. My counterpart on the other side informed me that he already has a VPN tunnel to another company that has the same IP range as my network (10.100.16.0/24) and can't create the tunnel.

I was wondering if there is a way to use NAT on the VPN tunnel so that the traffic that goes from my network over the VPN tunnel gets translated and my counterpart on the other side sees this translated IP range?

Thanks in advance for any help.


4 Replies

Jon Marshall
Hall of Fame

Hi

Yes, this is perfectly possible. What you need to do is NAT your source IP addresses to some other address and then modify your crypto access-list. So, for example, let's say your original setup looks like this:

your network 192.168.5.0/24

remote network 172.16.5.0/24

Your crypto access-list would look like:

access-list vpntraffic permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0

So you now NAT your 192.168.5.0/24 addresses to 192.168.20.1 (this can be any address you and the 3rd party agree on).

You need to update your crypto access-list as such:

access-list vpntraffic permit ip host 192.168.20.1 172.16.5.0 255.255.255.0

And the 3rd party needs to update their crypto map access-list as well.

HTH

Jon

I think I get how it should work. But one thing still confuses me, as I am new with firewalls. I am already NATting the same range over the outside interface so they can access the internet using the IP address of the outside interface of the ASA. Could I use that existing NAT for the VPN tunnel towards the other company?

Hi

Yes you can use the same address as you already use for internet access.

Just update your crypto access-list to reflect the new address and make sure the third party does the same.

Jon

Great, thanks for the fast response. So I can use the existing NAT, or I can do a policy NAT for when the traffic goes to the other network over the VPN tunnel. I think I got everything I need now.
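The configuration the thread describes, written out as an added example (not posted by Jon or Igor): the inside LAN keeps its existing internet PAT to the outside interface, and only traffic destined for the remote LAN is translated to the agreed address 192.168.20.1 before it is matched against the crypto ACL. Both Jon's example addresses are used; the interface names (inside/outside), the object and ACL names (LAN_INSIDE, REMOTE_LAN, VPN_NAT_IP, VPN_POLICY_NAT) and the crypto map name (outside_map) are assumed. Because the thread does not say which ASA software version is in use, the NAT is shown in both the 8.3-and-later syntax and the pre-8.3 nat/global syntax; use one or the other.

```cisco
! ========== ASA 8.3 and later (object / twice NAT syntax) ==========
! Assumed object names; addresses are the ones used in the thread.
object network LAN_INSIDE
 subnet 192.168.5.0 255.255.255.0
 ! Existing internet PAT to the outside interface address (object NAT).
 nat (inside,outside) dynamic interface
object network REMOTE_LAN
 subnet 172.16.5.0 255.255.255.0
object network VPN_NAT_IP
 host 192.168.20.1
!
! Policy (twice) NAT: only when the destination is the remote LAN, PAT the
! inside range to 192.168.20.1. Manual NAT (section 1) is evaluated before
! object NAT (section 2), so this rule wins for VPN-bound traffic and the
! internet PAT is untouched for everything else. To reuse the outside
! interface address instead (Igor's second question), replace VPN_NAT_IP
! with the keyword "interface" and list that address in the crypto ACL.
nat (inside,outside) 1 source dynamic LAN_INSIDE VPN_NAT_IP destination static REMOTE_LAN REMOTE_LAN
!
! The ASA matches the crypto ACL on post-NAT addresses, so it names the
! translated host, exactly as Jon's updated access-list does.
access-list vpntraffic extended permit ip host 192.168.20.1 172.16.5.0 255.255.255.0
crypto map outside_map 10 match address vpntraffic

! ========== ASA 8.2 and earlier (nat / global syntax) ==========
! Existing internet PAT to the outside interface address (NAT id 1).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Policy NAT (NAT id 2): only flows from the inside LAN to the remote LAN
! match this ACL and are PATed to 192.168.20.1. Policy NAT is consulted
! before regular NAT, so it takes precedence over id 1 for VPN-bound flows.
access-list VPN_POLICY_NAT extended permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0
nat (inside) 2 access-list VPN_POLICY_NAT
global (outside) 2 192.168.20.1
!
access-list vpntraffic extended permit ip host 192.168.20.1 172.16.5.0 255.255.255.0
crypto map outside_map 10 match address vpntraffic
```

Two things to check before blaming the peer. First, the third party's crypto ACL must be the exact mirror image (permit ip 172.16.5.0 255.255.255.0 host 192.168.20.1), or phase 2 fails on a proxy-identity mismatch; the agreed address must also not overlap anything else already routed on their side, which is the problem that started the thread. Second, translating the whole /24 to a single address is PAT, so only your inside hosts can initiate connections; if the remote side needs to reach specific inside hosts, translate the LAN one-to-one to an unused /24 instead (source static in the 8.3+ rule, with a matching 255.255.255.0 entry in the crypto ACL). To verify, run packet-tracer input inside tcp 192.168.5.10 1234 172.16.5.10 80 and confirm the NAT phase shows the translated source and the VPN phase is allowed, then check that show crypto ipsec sa lists 192.168.20.1/255.255.255.255 as the local identity.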
