Hi there, can you please give me example config of this?

would you do a static nat first, then do a nat 0 on the address that its natted to ?

I would do something like this:-

SiteA

Inside host 192.168.1.1

NAT host 172.16.1.1

static (inside,outside) 172.16.1.1 access-list nat_me

access-list nat_me extended permit ip host 192.168.1.1 host 172.16.2.1

access-list no-nat extended permit ip host 172.16.1.1 host 172.16.2.1

access-list vpn-acl extended permit ip host 172.16.1.1 host 172.16.2.1

SiteB

Inside host 192.168.1.1

NAT host 172.16.2.1

static (inside,outside) 172.16.2.1 access-list nat_me

access-list nat_me extended permit ip host 192.168.1.1 host 172.16.1.1

access-list no-nat extended permit ip host 172.16.2.1 host 172.16.1.1

access-list vpn-acl extended permit ip host 172.16.2.1 host 172.16.1.1

HTH>

hi there, is this the only way of doing it?

Carl,

If you have an IP address that is the SAME at both ends, yes there is another way of doing it.

You change the IP address of one end - simple eh.

If you can't change the IP address - then yes NATTING is the ONLY way to do it.

I have implemented this on so many VPN tunnels - it's just not funny. The thing is with RFC1918 addresses you WILL clash with someone at some point.

So Carl just to be clear your 2 options:-

1) NAT - you don;t have to nat on the pix/asa - you could nat on a router before the VPN devices.

2) Change IP address ranges.

HTH>

hi andrew

i didnt get this one!!

i guess if he dose nat exmption will do the job right ?!

Hey Marwan,

Yep - it works, I have implemented this more times than I care to remember. If properly implemented - it works.