NAT help on VPN

Feb 7th, 2010

Hello,

I've never had to NAT before over a VPN; I've been lucky, I guess, that both sides didn't use the same IP range in the past. However, now I need NAT, as the remote network is using a range we have. Users use servers on each side of the VPN. We use an ASA 5520 on my side; the other side is managed by another company and the VPN/firewall is very basic (not sure of the make).

My network range is 192.168.0.0/16

Remote Network is 10.20.30.0/24  and various 192.168.x.x/24 addresses.

My network only needs to reach the 10.20.30.x/24 range, as that is where their servers are.

The remote network needs to contact servers on my network in the 192.168.21.x/24, 192.168.20.x/24 and 192.168.100.x/24 ranges. I was wondering if it is possible to NAT our range (192.168.x.x/16) to 172.19.20.0/24 and then NAT our servers to these ranges for the remote office to connect to?

I just don't know where to start on this. I guess my phase two of the VPN will have to stay at SA 10.20.30.x/24 and theirs will have to be 172.19.20.x/24 so the tunnel comes up, then some sort of NAT from the 172.19.20.x range to our servers?

Thanks

Yudong Wu Sun, 02/07/2010 - 21:47

Here is an old example.

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml

The concept should be still the same.

In the above example, the PIX is doing bidirectional NAT. In your case, you must NAT your 192.168.x.x IP addresses. But if the source IP from the remote side is only from the 10.20.30.x network, you don't need to NAT it. If the packets from the remote end will be sourced from the 192.168.x.x network as well, you will need bidirectional NAT as well.

Andy White Tue, 02/09/2010 - 00:36

Hi, that link doesn't seem to work for me.

I'll use another example that has arisen today. Our network is on 192.168.x.x/16 and the remote VPN network is also on 192.168.x.x/16. The remote network only needs to come inbound to us, where the servers are. What options do we have?

I'm not sure if it is possible to have my network NAT as 172.19.20.x/24 and keep the remote network as 192.168.x.x/16, then do some sort of PAT/NAT to our servers.

Yudong Wu Tue, 02/09/2010 - 08:54

You have to NAT the remote side network as well. Say the remote side, with IP address 192.168.x.x, is accessing the server on your site. How is your server to know whether it is from the remote site or the local network? Unless you have some special topology and routing setting which lets your server know the difference.

You should have access to the document if you have a CCO account. Anyway, I attached its PDF file here.

If the server IP which you try to access does not overlap, you don't need static NAT; regular NAT/PAT should work. You need to change the ACL which defines the interesting traffic for the IPsec tunnel as well. Its source IP should be the NATed IP.
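Putting the advice in this thread into ASA configuration, as an added illustration that is not from either poster or from the linked Cisco document: outbound PAT hides 192.168.0.0/16 behind one address in 172.19.20.0/24, per-server static policy NAT exposes each server at a 172.19.20.x address for the remote site, and the crypto ACL matches the translated addresses. It uses the pre-8.3 NAT syntax current when the thread was written; the server host addresses, the PAT address 172.19.20.1, the peer address 203.0.113.2 and all object names are assumed placeholders.

```cisco
! --- Outbound: many-to-one PAT so 192.168.0.0/16 appears as 172.19.20.1,
!     but only when the destination is the remote server range 10.20.30.0/24.
access-list VPN_PAT extended permit ip 192.168.0.0 255.255.0.0 10.20.30.0 255.255.255.0
nat (inside) 2 access-list VPN_PAT
global (outside) 2 172.19.20.1

! --- Inbound: one static policy NAT per server the remote site must reach.
!     Real server addresses are placeholders; the thread only gives their /24s.
!     Static NAT is evaluated before dynamic PAT, so these hosts are not PATed.
access-list SRV_21_NAT extended permit ip host 192.168.21.10 10.20.30.0 255.255.255.0
static (inside,outside) 172.19.20.11 access-list SRV_21_NAT
access-list SRV_20_NAT extended permit ip host 192.168.20.10 10.20.30.0 255.255.255.0
static (inside,outside) 172.19.20.12 access-list SRV_20_NAT
access-list SRV_100_NAT extended permit ip host 192.168.100.10 10.20.30.0 255.255.255.0
static (inside,outside) 172.19.20.13 access-list SRV_100_NAT

! --- Crypto ACL (interesting traffic). NAT runs before the crypto check,
!     so the local side is the translated 172.19.20.0/24, never 192.168.x.x.
!     The remote peer's phase 2 must mirror this: 10.20.30.0/24 <-> 172.19.20.0/24.
access-list VPN_CRYPTO extended permit ip 172.19.20.0 255.255.255.0 10.20.30.0 255.255.255.0

! --- Do not add a NAT exemption (nat 0) for 192.168.0.0/16 -> 10.20.30.0/24;
!     it would bypass the translation and the traffic would miss the crypto ACL.

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
```

Remote users connect to 172.19.20.11 through 172.19.20.13, never to the real 192.168.x.x addresses, so nothing on either side has to disambiguate the overlapping ranges.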
