NAT help

Unanswered Question
Feb 16th, 2010

Hello,

I have a VPN between 2 offices, I use an ASA. We use the same IP ranges so we have picked 2 different IP ranges to bring up Phase 2 of the tunnel.

We both use 192.168.x.x/24 so we decided to use:

172.19.100.x/24 (me)

172.19.101.x/24 (remote)

Now I'm on IP address 192.168.99.11/24 and need to translate this to 172.19.100.11 before it goes over the VPN, what command do I need to use?

At the other end they have added a NAT 172.19.101.11 to 192.168.0.1.

ICMP is allowed

I will try this policy NAT; not sure if it is right:

access-list inside_nat_static extended permit ip host 192.168.99.11 172.19.101.0 255.255.255.0

static (inside,outside) 172.19.100.11 access-list inside_nat_static tcp 0 0 udp 0

Federico Coto F... Tue, 02/16/2010 - 06:46

Hi,

Yes you need Policy NAT on both ends of the tunnel.

You can do it with the configuration that you have (take into account that 192.168.x.x/24 on your side will be translated to a single IP, so the tunnel can only be initiated from your side).

It will be better to translate a /24 network to a /24 network STATICALLY to allow the tunnel to establish from either side.

Federico.

Andy White Tue, 02/16/2010 - 07:01

Wouldn't 192.168.99.11 translate to 172.19.101.11?

Also, I'm not sure I understand: "It will be better to translate a /24 network to a /24 network STATICALLY to allow the tunnel to establish from either side."

Can you give me an example?

Thanks

Federico Coto F... Tue, 02/16/2010 - 10:01

In this case you're right, because you're translating 192.168.99.11 to 172.19.100.11 when it goes to 172.19.101.0/24.

Now, the ACL for VPN traffic should be from 172.19.100.11 to 172.19.101.x and it should be a mirror on the other side.

Do you see the translation taking place?  show ip nat translation | i 192.168.99.11

Do you see the traffic being encrypted and the tunnel getting established?

What I meant is that if you have two networks on both sides you can statically NAT both networks:

access-list NAT extended permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0

static (inside,outside) 1.1.1.0 access-list NAT netmask 255.255.255.0

Instead of just NATing one IP address.

Federico.
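As an added illustration of the /24-to-/24 static policy NAT Federico describes (not configuration from either poster), here is what both ASAs would carry in pre-8.3 syntax. It assumes the remote LAN is 192.168.0.0/24, that the crypto map and transform-set names, the peer addresses and the ISAKMP/transform-set setup are placeholders, and that the hardening of the tunnel itself is out of scope.

```cisco
! ---- Site A (questioner's side), ASA pre-8.3 syntax ----
! Real LAN 192.168.99.0/24 is shown to the peer as 172.19.100.0/24,
! but only for traffic headed to the peer's translated range.
access-list NAT_VPN extended permit ip 192.168.99.0 255.255.255.0 172.19.101.0 255.255.255.0
static (inside,outside) 172.19.100.0 access-list NAT_VPN

! The crypto ACL (interesting traffic) must use the TRANSLATED addresses,
! because NAT is applied before the packet is matched against the crypto map.
access-list VPN_TRAFFIC extended permit ip 172.19.100.0 255.255.255.0 172.19.101.0 255.255.255.0

crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer <SITE-B-PUBLIC-IP>
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! ---- Site B (remote side) is the mirror image ----
! Assumed real LAN 192.168.0.0/24, shown to Site A as 172.19.101.0/24.
access-list NAT_VPN extended permit ip 192.168.0.0 255.255.255.0 172.19.100.0 255.255.255.0
static (inside,outside) 172.19.101.0 access-list NAT_VPN

access-list VPN_TRAFFIC extended permit ip 172.19.101.0 255.255.255.0 172.19.100.0 255.255.255.0

crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer <SITE-A-PUBLIC-IP>
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! ---- Verification on the ASA (the IOS "show ip nat translation" does not exist here) ----
! show xlate                  -> expect 192.168.99.11 <-> 172.19.100.11 style entries
! show crypto isakmp sa       -> Phase 1 state
! show crypto ipsec sa        -> Phase 2 SA with local/remote identities 172.19.100.0/24 and 172.19.101.0/24
```

Because every host in each /24 now has a fixed translated address, either side can initiate the tunnel, which is the point Federico makes against translating only one host.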
