NAT help

Feb 16th, 2010

Hello,


I have a VPN between 2 offices, I use an ASA.  We use the same IP ranges so we have picked 2 different IP ranges to bring up Phase 2 of the tunnel.


We both use 192.168.x.x/24 so we decided to use:


172.19.100.x/24 (me)

172.19.101.x/24 (remote)


Now I'm on IP address 192.168.99.11/24 and need to translate this to 172.19.100.11 before it goes over the VPN, what command do I need to use?


At the other end they have added a NAT 172.19.101.11 to 192.168.0.1.


ICMP is allowed


I will try this policy NAT, not sure if it is right:


access-list inside_nat_static extended permit ip host 192.168.99.11 172.19.101.0 255.255.255.0


static (inside,outside) 172.19.100.11 access-list inside_nat_static tcp 0 0 udp 0

Federico Coto F... Tue, 02/16/2010 - 06:46

Hi,


Yes you need Policy NAT on both ends of the tunnel.


You can do it with the configuration that you have (take into account that 192.168.x.x/24 on your side will be translated to a single IP, so the tunnel can only be initiated from your side).


It will be better to translate a /24 network to a /24 network STATICALLY to allow the tunnel to establish from either side.


Federico.

Andy White Tue, 02/16/2010 - 07:01

Wouldn't 192.168.99.11 translate to 172.19.101.11?


Also I'm not sure I understand "It will be better to translate a /24 network to a /24 network STATICALLY to allow the tunnel to establish from either side."


Can you give me an example?


Thanks

Federico Coto F... Tue, 02/16/2010 - 10:01

In this case you're right, because you're translating 192.168.99.11 to 172.19.100.11 when it goes to 172.19.101.0/24.

Now, the ACL for VPN traffic should be from 172.19.100.11 to 172.19.101.x and it should be a mirror on the other side.

Do you see the translation taking place?  show ip nat translation | i 192.168.99.11

Do you see the traffic being encrypted and the tunnel getting established?


What I meant is that if you have two networks on both sides you can statically NAT both networks:


access-list NAT permit ip x.x.x.x/24 y.y.y.y/24

static (inside,outside) 1.1.1.0 access-list NAT netmask 255.255.255.0


Instead of just NATing one IP address.


Federico.
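The /24-to-/24 static policy NAT that Federico describes, worked through for this thread's addresses on both ASAs as an added example (not configuration posted by either participant). It uses the pre-8.3 syntax the thread uses, and assumes the remote LAN is 192.168.0.0/24 (from the 192.168.0.1 host mentioned above) and that the ACL and crypto map names are placeholders.

```cisco
! ---- Local ASA (LAN 192.168.99.0/24, seen by the remote site as 172.19.100.0/24) ----
! Policy NAT: only traffic from the real LAN towards the remote site's translated range
! is rewritten; everything else on the inside keeps whatever NAT it has today.
access-list POLICY_NAT_VPN extended permit ip 192.168.99.0 255.255.255.0 172.19.101.0 255.255.255.0
! Whole-network static: 192.168.99.x <-> 172.19.100.x, the host octet is preserved,
! so 192.168.99.11 becomes 172.19.100.11 as the original question wants.
static (inside,outside) 172.19.100.0 access-list POLICY_NAT_VPN
!
! Crypto ACL (interesting traffic) uses the TRANSLATED local range, because NAT is
! applied before encryption. The remote side's crypto ACL must be the exact mirror.
access-list VPN_TO_REMOTE extended permit ip 172.19.100.0 255.255.255.0 172.19.101.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TO_REMOTE
!
! Caveat: NAT exemption (nat 0 access-list) is evaluated before static policy NAT.
! If an existing NONAT ACL also matches 192.168.99.0/24 -> 172.19.101.0/24 it wins,
! the packets leave untranslated and never match the crypto ACL. Keep this flow out of it.
! Local hosts address remote hosts by their translated range, e.g. 172.19.101.11
! reaches the remote host that the far side maps to it (192.168.0.1 in this thread).

! ---- Remote ASA (LAN 192.168.0.0/24, seen by the local site as 172.19.101.0/24) ----
access-list POLICY_NAT_VPN extended permit ip 192.168.0.0 255.255.255.0 172.19.100.0 255.255.255.0
static (inside,outside) 172.19.101.0 access-list POLICY_NAT_VPN
! Mirror of the local crypto ACL, source and destination swapped.
access-list VPN_TO_REMOTE extended permit ip 172.19.101.0 255.255.255.0 172.19.100.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TO_REMOTE

! ---- Verification (either side) ----
! show xlate | include 192.168.99.11     (is the policy xlate for the host being built?)
! show crypto ipsec sa                   (do encaps/decaps counters move while pinging?)
```

Because both networks are translated as a whole, a host on either side can initiate the connection, which is the point of Federico's /24-to-/24 suggestion over the single-host static.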
