Doing NAT for VPN clients going over L2L tunnel

Answered Question
Mar 17th, 2009

Hi. I have the following situation in my network. We have a need for users who connect to our site with VPN clients to connect to another site via a L2L tunnel. The problem is that I need to NAT the addresses from the VPN client pool to another range before going over the L2L tunnel because on the other side we have overlapping networks.

I have been trying to do NAT along the following lines with little success:

ACL for NAT of VPN pool:

access-list TEST extended permit ip 192.168.253.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list TEST extended permit ip 192.168.253.0 255.255.255.0 192.168.5.0 255.255.255.0

NAT:

global (outside) 15 172.20.105.1-172.20.105.254

nat (inside) 15 access-list TEST

CRYPTO ACL:

access-list RO extended permit ip LAN 255.255.0.0 192.168.0.0 255.255.255.0

access-list RO extended permit ip LAN 255.255.0.0 192.168.5.0 255.255.255.0

access-list RO extended permit ip 172.20.105.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list RO extended permit ip 172.20.105.0 255.255.255.0 192.168.5.0 255.255.255.0

same-security-traffic permit intra-interface

Am I missing something here? Can something like this be done at all?

Thanks in advance for any help.

We are using ASA 5510 with software version 8.0(3)6.

Correct Answer by acomiskey, Tue, 03/17/2009 - 08:56

You need to nat on the outside, not the inside.

nat (outside) 15 access-list TEST

IgorHamzic Tue, 03/17/2009 - 09:19

Thanks. I did it already. I realized with the help of a friend I was using the wrong logic for the NAT and changed it.

Now I can get a ping across the L2L tunnel from the VPN client without fail.

Thanks for the reply though.
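For reference, the configuration from the thread with the accepted fix applied, as an added example (not the original poster's running config or acomiskey's). Interface names "inside"/"outside", the VPN pool 192.168.253.0/24, the translated pool 172.20.105.0/24 and the remote subnets are taken from the thread; "LAN" is left as the placeholder the poster used. The comments explain why the NAT statement has to sit on the outside interface and what the other side of the tunnel has to match.

```cisco
! Added example (not the original poster's config): the thread's addresses with the
! fix from the accepted answer applied. Addresses and interface names are the ones
! used in the thread; "LAN" is the poster's placeholder for the local LAN range.
!
! Remote-access clients terminate on the outside interface and are hairpinned back
! out of that same interface toward the L2L peer, so traffic must be allowed to
! enter and leave the same interface.
same-security-traffic permit intra-interface
!
! Traffic from the VPN client pool to the two remote subnets that needs translating
! because those networks overlap on the far side.
access-list TEST extended permit ip 192.168.253.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list TEST extended permit ip 192.168.253.0 255.255.255.0 192.168.5.0 255.255.255.0
!
! Translated addresses are drawn from the 172.20.105.0/24 pool on the outside interface.
global (outside) 15 172.20.105.1-172.20.105.254
!
! Bind the policy NAT to the interface the client traffic actually arrives on.
! With "nat (inside) 15 ..." the rule never matches: VPN client packets are decrypted
! on the outside interface and never pass through inside, so no xlate is built.
nat (outside) 15 access-list TEST
!
! Crypto ACL: the translated pool (not the original VPN pool) is the interesting
! traffic for the L2L tunnel, and the peer's crypto ACL must mirror these entries
! (172.20.105.0/24 as the remote network on its side).
access-list RO extended permit ip LAN 255.255.0.0 192.168.0.0 255.255.255.0
access-list RO extended permit ip LAN 255.255.0.0 192.168.5.0 255.255.255.0
access-list RO extended permit ip 172.20.105.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list RO extended permit ip 172.20.105.0 255.255.255.0 192.168.5.0 255.255.255.0
```

To confirm the translation is happening, have a VPN client ping a host on 192.168.0.0/24 and check `show xlate` for an entry mapping the client's 192.168.253.x address to a 172.20.105.x address; `show crypto ipsec sa` should then show the 172.20.105.0/24 to 192.168.0.0/24 proxy identity with encap and decap counters increasing. If the xlate appears but the SA does not, the mismatch is almost always on the peer's crypto ACL.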
