01-08-2010 06:57 AM
We have a business partner that we are setting up a L2L VPN with. Their internal host's IP overlaps with our internal IP range. Unfortunately they're not offering to NAT on their side. Is it possible on the ASA to set up a NAT so that my internal hosts go to, say, 1.1.1.1 and the ASA changes it to the remote end's internal address that is overlapping?
01-08-2010 08:11 AM
If this is the scenario:
192.168.5.0 <---> ASA1 <-- Internet --> ASA2 <-- 192.168.5.0
ASA1 (NAT will be applied)
ASA2 (No NAT will be applied)
You will want to do something like this on ASA1. Change your source host or network to be 192.168.7.0 when communicating to the remote network. Change the remote network to come in as 192.168.8.0 when coming into your network on the ASA.
!-- Match ACL
access-list acl_match_VPN permit ip 192.168.7.0 255.255.255.0 192.168.5.0 255.255.255.0
!-- NAT ACL
access-list vpn_nat permit ip 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0
!-- Translations
static (outside,inside) 192.168.7.0 192.168.5.0 netmask 255.255.255.0 0 0
static (inside,outside) 192.168.8.0 access-list vpn_nat
Now complete the VPN config using acl_match_VPN as the match ACL. Your internal host will need to use the 192.168.7.0 network when talking to the remote end. Hope this helps.
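As an added illustration (not part of the answer above), the following Python models the two static translations from that answer on ASA1 so you can see what addresses a packet actually carries on each side of the firewall; the ASA evaluates the crypto map ACL against the post-NAT addresses, so this is the view the match ACL has to describe. The host addresses used are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    """One network-to-network static: the same host bits on both sides."""
    mapped: ipaddress.IPv4Network   # address as seen on the mapped side
    real: ipaddress.IPv4Network     # address as seen on the real side


def translate(addr, src_net, dst_net):
    """Move addr from src_net into dst_net, keeping the host bits; untouched if outside src_net."""
    addr = ipaddress.IPv4Address(addr)
    if addr not in src_net:
        return addr
    host_bits = int(addr) - int(src_net.network_address)
    return ipaddress.IPv4Address(int(dst_net.network_address) + host_bits)


# static (outside,inside) 192.168.7.0 192.168.5.0: the remote 192.168.5.0 is seen from inside as 192.168.7.0
REMOTE = Static(mapped=ipaddress.ip_network("192.168.7.0/24"), real=ipaddress.ip_network("192.168.5.0/24"))
# static (inside,outside) 192.168.8.0 ...: the local 192.168.5.0 is seen from outside as 192.168.8.0
LOCAL = Static(mapped=ipaddress.ip_network("192.168.8.0/24"), real=ipaddress.ip_network("192.168.5.0/24"))


def inside_to_outside(src, dst):
    """Packet from a local host to the mapped remote address, as it leaves ASA1 toward the tunnel."""
    return (str(translate(src, LOCAL.real, LOCAL.mapped)),
            str(translate(dst, REMOTE.mapped, REMOTE.real)))


def outside_to_inside(src, dst):
    """Reply arriving from the tunnel, as it is delivered to the local host."""
    return (str(translate(src, REMOTE.real, REMOTE.mapped)),
            str(translate(dst, LOCAL.mapped, LOCAL.real)))


def crypto_acl_matches(src, dst, acl_src, acl_dst):
    """Check a post-NAT source/destination pair against one crypto ACL line."""
    return (ipaddress.IPv4Address(src) in ipaddress.ip_network(acl_src)
            and ipaddress.IPv4Address(dst) in ipaddress.ip_network(acl_dst))


if __name__ == "__main__":
    out = inside_to_outside("192.168.5.10", "192.168.7.20")   # constructed sample hosts
    print("leaves ASA1 as", out)
    print("reply delivered as", outside_to_inside("192.168.5.20", "192.168.8.10"))
    print("matches 192.168.8.0/24 -> 192.168.5.0/24:",
          crypto_acl_matches(*out, "192.168.8.0/24", "192.168.5.0/24"))
```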