Site to Site VPN with NAT

ancarr
Level 1

I am having a problem setting up a L2L tunnel with a partner. I am using an ASA 5520 running 8.0.4.

Both sides of the tunnel are using the subnet 10.30.x.x/16. The network list on my side of the tunnel will have the nodes 10.0.194.1, 10.0.194.5, 10.0.194.10 and 10.0.194.11. I need to allow these four nodes through the tunnel to communicate with the remote subnet 10.30.x.x/16. However, the 10.30.x.x/16 subnet also exists on my local network. How do I configure the tunnel to make this happen? Can I NAT before the tunnel? For example, could I route all traffic destined for this tunnel to the 172.16.32.x/24 subnet and, when the ASA sees traffic destined for this subnet, the ASA will perform the NAT and send it to the proper destination for this tunnel?

Would this config be the right way to go?

```
! ASA 8.0 ACLs take the "host" keyword or a mask, not CIDR notation
! policy static NAT: translate each host only when it talks to its 172.16.32.x address
access-list PNAT1 extended permit ip host 10.0.194.1 host 172.16.32.1
static (inside,outside) 10.30.20.1 access-list PNAT1

access-list PNAT5 extended permit ip host 10.0.194.5 host 172.16.32.5
static (inside,outside) 10.30.20.5 access-list PNAT5

access-list PNAT10 extended permit ip host 10.0.194.10 host 172.16.32.10
static (inside,outside) 10.30.20.10 access-list PNAT10

! crypto ACL for the L2L tunnel
access-list cryptoACL extended permit ip host 172.16.32.1 host 10.30.20.1
access-list cryptoACL extended permit ip host 172.16.32.5 host 10.30.20.5
access-list cryptoACL extended permit ip host 172.16.32.10 host 10.30.20.10
```

With this config, I would route traffic destined for the 172.16.32.x/24 subnet to the inside interface of our ASA and the ASA would encrypt and NAT the traffic to the 10.30.x.x/16 subnet.

Please help,

Thanks,

Keith

1 Reply

andrew.prince
Level 10

Keith,

Firstly, you need to figure out the NAT subnet that you want to use for both sides.

The fact that you have 10.30.x.x on both sides means that initially you have a routing issue.

I would suggest a network-based NAT, so:

1) Site A 10.30.x.x = 172.1.x.x

2) Site B 10.30.x.x = 172.2.x.x

Then you NAT it before you put the traffic into the tunnel - and your crypto list will just be your NAT subnets.
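The layout the reply describes, written out as an added example for both ASAs in 8.0.x syntax (this is not configuration from either poster): each side policy-NATs its own addresses before encryption, so the crypto ACLs contain only the NAT ranges and the local 10.30.0.0/16 never has to be routed into the tunnel. It keeps the reply's 172.1.x.x / 172.2.x.x placeholders, which are not RFC 1918 space, so in practice pick unused private ranges; the peer addresses, ACL and crypto-map names, and the transform-set name are assumed, and the ISAKMP policy, transform set and tunnel-group configuration are taken as already present.

```cisco
! ---- Site A (the ASA 5520 in the question) ----
! Policy static NAT: each allowed host is shown to the partner as 172.1.194.x,
! but only when it talks to the partner's NATted range 172.2.0.0/16.
! Source NAT here is optional (10.0.194.x does not overlap), but it follows the
! reply and keeps every 10.x address out of the crypto ACL.
access-list L2L-NAT-194-1 extended permit ip host 10.0.194.1 172.2.0.0 255.255.0.0
static (inside,outside) 172.1.194.1 access-list L2L-NAT-194-1
access-list L2L-NAT-194-5 extended permit ip host 10.0.194.5 172.2.0.0 255.255.0.0
static (inside,outside) 172.1.194.5 access-list L2L-NAT-194-5
access-list L2L-NAT-194-10 extended permit ip host 10.0.194.10 172.2.0.0 255.255.0.0
static (inside,outside) 172.1.194.10 access-list L2L-NAT-194-10
access-list L2L-NAT-194-11 extended permit ip host 10.0.194.11 172.2.0.0 255.255.0.0
static (inside,outside) 172.1.194.11 access-list L2L-NAT-194-11
! Crypto ACL is matched after NAT, so it lists translated addresses only.
! Hosts on Site A reach the partner by addressing 172.2.x.x, never 10.30.x.x.
access-list L2L-CRYPTO extended permit ip 172.1.194.0 255.255.255.0 172.2.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 match address L2L-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! ---- Site B (partner ASA, assumed to be an ASA 7.x/8.0 as well) ----
! Policy static NAT of the whole 10.30.0.0/16 to 172.2.0.0/16, limited to
! traffic for Site A's NATted hosts so normal Internet NAT is untouched.
access-list L2L-NAT extended permit ip 10.30.0.0 255.255.0.0 172.1.194.0 255.255.255.0
static (inside,outside) 172.2.0.0 access-list L2L-NAT
! Mirror image of Site A's crypto ACL.
access-list L2L-CRYPTO extended permit ip 172.2.0.0 255.255.0.0 172.1.194.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address L2L-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! Verification on either side: "show xlate" should list the 172.x translations
! and "show crypto ipsec sa" should show the SA built for the two NAT ranges.
```

If Site A already has a NAT-exemption ACL (nat (inside) 0 access-list ...) for other tunnels, make sure it does not match these hosts towards 172.2.0.0/16, since exemption takes precedence over the policy static entries.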
