ASA L2L VPN NAT

Benjamin Story
Level 5

We have a business partner that we are setting up a L2L VPN with.  Their internal hosts' IP range overlaps with our internal IP range.  Unfortunately they're not offering to NAT on their side.  Is it possible on the ASA to set up a NAT so that my internal hosts go to, say, 1.1.1.1 and the ASA changes it to the remote end's internal address that is overlapping?

Accepted Solution

Joe B Danford
Cisco Employee

If this is the scenario

192.168.5.0 <---> ASA1 <-- Internet --> ASA2 <-- 192.168.5.0

ASA1 (NAT will be applied)

ASA2 (No nat will be applied)

You will want to do something like this on ASA1

Change your source host or network to be 192.168.7.0 when communicating to the remote network. Change the remote network to come in as 192.168.8.0 when coming into your network on the ASA.

!-- Match (crypto) ACL: the translated local network talking to the real remote network
access-list acl_match_VPN permit ip 192.168.7.0 255.255.255.0 192.168.5.0 255.255.255.0

!-- Policy NAT ACL: real local sources talking to the remote network's mapped address
access-list vpn_nat permit ip 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0

!-- Translations
!-- Local 192.168.5.0 is presented to the peer as 192.168.7.0 whenever the destination is 192.168.8.0
static (inside,outside) 192.168.7.0 access-list vpn_nat
!-- The remote 192.168.5.0 is presented to inside hosts as 192.168.8.0
static (outside,inside) 192.168.8.0 192.168.5.0 netmask 255.255.255.0

Now complete the VPN config using acl_match_VPN as the match ACL. Your internal host will need to use the 192.168.7.0 network when talking to the remote end.

Hope this helps.
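The answer above uses the pre-8.3 `static` syntax. As an added example that is not part of the thread, here is the same overlapping-network fix expressed as twice NAT on ASA 8.3 and later, where `static` no longer exists. The object names, the interface names `inside`/`outside` and the crypto-map details are assumptions chosen for illustration; the networks are the ones from the thread.

```cisco
! Added example (not from the thread): overlapping L2L VPN networks on ASA 8.3+.
! Object names and interface names are assumptions; networks follow the thread.

object network LOCAL_REAL
 description our real inside network
 subnet 192.168.5.0 255.255.255.0
object network LOCAL_MAPPED
 description what the partner sees as our network
 subnet 192.168.7.0 255.255.255.0
object network PARTNER_REAL
 description the partner's real (overlapping) network
 subnet 192.168.5.0 255.255.255.0
object network PARTNER_MAPPED
 description the address our inside hosts use to reach the partner
 subnet 192.168.8.0 255.255.255.0

! Twice NAT: when an inside host sends to 192.168.8.x, the source becomes
! 192.168.7.x and the destination becomes 192.168.5.x; the reply is untranslated
! symmetrically. Placed at line 1 so it wins over any generic dynamic PAT rule.
nat (inside,outside) 1 source static LOCAL_REAL LOCAL_MAPPED destination static PARTNER_MAPPED PARTNER_REAL

! The crypto ACL matches post-NAT addresses, because the ASA translates before
! the crypto-map lookup. The partner's mirror ACL must therefore be
! 192.168.5.0/24 (theirs) -> 192.168.7.0/24 (our mapped network).
access-list acl_match_VPN extended permit ip object LOCAL_MAPPED object PARTNER_REAL

! Verification once the tunnel is up (PARTNER_PEER_IP is a placeholder):
! show nat detail
! show crypto ipsec sa peer PARTNER_PEER_IP
! packet-tracer input inside tcp 192.168.5.10 12345 192.168.8.20 443
```

With this rule in place, inside hosts address the partner as 192.168.8.x and never see the overlapping 192.168.5.0 range on the far side; `packet-tracer` should show the NAT phase rewriting both addresses and the VPN phase selecting the tunnel.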

