ASA L2L VPN NAT

Jan 8th, 2010

We have a business partner that we are setting up an L2L VPN with. Their internal host's IP overlaps with our internal IP range. Unfortunately they're not offering to NAT on their side. Is it possible on the ASA to set up a NAT so that my internal hosts go to, say, 1.1.1.1 and the ASA changes it to the remote end's internal address that is overlapping?

Correct Answer by Joe B Danford about 7 years 3 months ago

If this is the scenario:

192.168.5.0 <---> ASA1 <-- Internet --> ASA2 <-- 192.168.5.0

ASA1 (NAT will be applied)
ASA2 (No NAT will be applied)



You will want to do something like this on ASA1.

Change your source host or network to be 192.168.7.0 when communicating to the remote network. Change the remote network to come in as 192.168.8.0 when coming into your network on the ASA.

MATCH ACL:

!--- Match (crypto) ACL: the local side is seen as 192.168.7.0, the remote stays 192.168.5.0
access-list acl_match_VPN extended permit ip 192.168.7.0 255.255.255.0 192.168.5.0 255.255.255.0

!--- NAT ACL: local 192.168.5.0 talking to the remote's translated network 192.168.8.0
access-list vpn_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0

!--- Translations (pre-8.3 syntax)
!--- Remote 192.168.5.0 (reached via outside) appears to inside hosts as 192.168.8.0
static (outside,inside) 192.168.8.0 192.168.5.0 netmask 255.255.255.0 0 0
!--- Local 192.168.5.0 appears as 192.168.7.0 only when it talks to 192.168.8.0 (policy NAT);
!--- the ACL name here must be the NAT ACL defined above
static (inside,outside) 192.168.7.0 access-list vpn_nat



Now complete the VPN config using acl_match_VPN as the match ACL. Your internal host will need to use the 192.168.7.0 network when talking to the remote end.


Hope this helps.
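The same translation written in the post-8.3 NAT syntax (network objects plus twice NAT), as an added example that is not part of the original answer; the object names are assumed, the addresses are the ones used in the answer above:

```cisco
! ASA 8.3+ equivalent of the pre-8.3 static/policy NAT in the answer above.
! Added example, not from the original post; object names are assumed.

! Real local LAN and the address the remote side sees it as
object network LOCAL_REAL
 subnet 192.168.5.0 255.255.255.0
object network LOCAL_MAPPED
 subnet 192.168.7.0 255.255.255.0

! Real remote LAN (same prefix as ours) and the address local hosts use to reach it
object network REMOTE_REAL
 subnet 192.168.5.0 255.255.255.0
object network REMOTE_MAPPED
 subnet 192.168.8.0 255.255.255.0

! Twice (manual) NAT: only when a local host sends to 192.168.8.0 is its
! source rewritten to 192.168.7.0 and its destination to 192.168.5.0.
! Return traffic is untranslated automatically by the same rule.
! It is placed at line 1 so that a broader NAT-exemption rule for
! 192.168.5.0 (if one exists for other VPNs) cannot match first.
nat (inside,outside) 1 source static LOCAL_REAL LOCAL_MAPPED destination static REMOTE_MAPPED REMOTE_REAL

! Crypto ACL matches the post-NAT addresses: the peer sees 192.168.7.0 as our LAN
access-list acl_match_VPN extended permit ip object LOCAL_MAPPED object REMOTE_REAL
```

To check the rule before the tunnel is up, `packet-tracer input inside tcp 192.168.5.10 1025 192.168.8.10 80` should show the NAT phase rewriting the source to 192.168.7.10 and the destination to 192.168.5.10 ahead of the VPN encrypt phase.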
