VPN and NAT ASA 5510. NAT to a public IP to avoid overlapping private.

risenshine4th · ‎03-12-2009

Customer has the same remote networks as some of my local networks. What is the best way to apply Nat accross the tunnel?

172.16.x.x

local 192.168.0.0

Remote 192.168.0.0

172.17.x.x

local 192.168.0.0

Remote 192.168.0.0

LAN on both sides has 192.168.0.0 /24

Currently, I have several tunnels that Nat Networks and hosts to 10.50.70.10. I would like to to understand how to properly NAT the tunnel traffic in the same manner using the ASA.

I've looked at documentation but it seems confusing.

Does anyone have a simple CLI config or ASDM example that may provide a working config I can play with?

Can I use the same NAT for multiple tunnels? This works on another device. It is like using PAT across the tunnel.

192.168.0.0 translated to 10.50.70.10

This isn't allowed in static policy Nat.

Whom ever answers this will get ratings from the several hundred posts with the same questions.

Ivan Martinon · ‎03-12-2009

Here what I would do:

access-list NATVPN permit ip 192.168.0.0 255.255.255.0 172.17.0.0 255.255.255.0

ONE SIDE

static (inside,outside) 172.16.0.0 access-list NATVPN

crypto acl should look

access-list crypto permit ip 172.16.0.0 255.255.255.0 172.17.0.0 255.255.0.0

(OR HOWEVER THE MASK IS)

REMOTE SITE

access-list NATVPN permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0

ONE SIDE

static (inside,outside) 172.17.0.0 access-list NATVPN

crypto acl should look

access-list crypto permit ip 172.17.0.0 255.255.255.0 172.16.0.0 255.255.0.0

Give that a shot.

risenshine4th · ‎03-16-2009

I'm working on trying this out. I feel confident about it and will let you know my results.

Do you know of anyway to force a subnet...for example 192.168.0.0 /24 to translate to a host... 10.70.50.2? This could be 172.17.0.2 as in the above issue. I'm looking to avoid the overlapping 192.168.0.0 networks.

Basically I'm looking for a many to one nat/pat to use across the tunnel.