NAT help

Andy White
Level 3

Hello,

I have a VPN between 2 offices, I use an ASA. We use the same IP ranges so we have picked 2 different IP ranges to bring up Phase 2 of the tunnel.

We both use 192.168.x.x/24 so we decided to use:

172.19.100.x/24 (me)

172.19.101.x/24 (remote)

Now I'm on IP address 192.168.99.11/24 and need to translate this to 172.19.100.11 before it goes over the VPN, what command do I need to use?

At the other end they have added a NAT 172.19.101.11 to 192.168.0.1.

ICMP is allowed

I will try this policy NAT, not sure if it is right:

access-list inside_nat_static extended permit ip host 192.168.99.11 172.19.101.0 255.255.255.0

static (inside,outside) 172.19.100.11 access-list inside_nat_static tcp 0 0 udp 0

3 Replies

Hi,

Yes you need Policy NAT on both ends of the tunnel.

You can do it with the configuration that you have (take into account that 192.168.x.x/24 on your side will be translated to a single IP, so the tunnel can only be initiated from your side).

It will be better to translate a /24 network to a /24 network STATICALLY to allow the tunnel to establish from either side.

Federico.

Wouldn't 192.168.99.11 translate to 172.19.101.11?

Also I'm not sure I understand: "It will be better to translate a /24 network to a /24 network STATICALLY to allow the tunnel to establish from either side."

Can you give me an example?

Thanks

In this case you're right, because you're translating 192.168.99.11 to 172.19.100.11 when it goes to 172.19.101.0/24.

Now, the ACL for VPN traffic should be from 172.19.100.11 to 172.19.101.x and it should be a mirror on the other side.

Do you see the translation taking place? show ip nat translation | i 192.168.99.11

Do you see the traffic being encrypted and the tunnel getting established?

What I meant is that if you have two networks on both sides you can statically NAT both networks:

access-list NAT extended permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0

static (inside,outside) 1.1.1.0 access-list NAT netmask 255.255.255.0

Instead of just NATing one IP address.

Federico.
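A worked configuration for the addressing used in this thread, added here as an example; it is not part of either poster's reply. It uses the pre-8.3 static policy-NAT syntax the thread uses and then the equivalent 8.3+ manual NAT. The remote site's real network 192.168.0.0/24, the ACL and object names, and the peer address placeholder are assumptions.

```cisco
! ---- Local ASA: real 192.168.99.0/24, mapped 172.19.100.0/24 (ASA 8.2 and earlier) ----
! Policy NAT for the whole /24, one-to-one (192.168.99.11 -> 172.19.100.11, and so on),
! applied only when the destination is the remote side's mapped range 172.19.101.0/24.
access-list VPN-NAT extended permit ip 192.168.99.0 255.255.255.0 172.19.101.0 255.255.255.0
static (inside,outside) 172.19.100.0 access-list VPN-NAT
!
! The crypto ACL (interesting traffic) is written with the mapped addresses,
! never the real 192.168.x.x addresses, and is mirrored on the far end.
access-list VPN-CRYPTO extended permit ip 172.19.100.0 255.255.255.0 172.19.101.0 255.255.255.0
!
! Caveat: NAT exemption (nat 0 access-list) is evaluated before policy static NAT on 8.2,
! so no exemption ACL may match 192.168.99.0/24 -> 172.19.101.0/24, or the static never fires.
!
! ---- Remote ASA (mirror image; remote real network 192.168.0.0/24 is an assumption) ----
access-list VPN-NAT extended permit ip 192.168.0.0 255.255.255.0 172.19.100.0 255.255.255.0
static (inside,outside) 172.19.101.0 access-list VPN-NAT
access-list VPN-CRYPTO extended permit ip 172.19.101.0 255.255.255.0 172.19.100.0 255.255.255.0
!
! ---- Same translation on ASA 8.3+ (manual / twice NAT), local side ----
object network LOCAL-REAL
 subnet 192.168.99.0 255.255.255.0
object network LOCAL-MAPPED
 subnet 172.19.100.0 255.255.255.0
object network REMOTE-MAPPED
 subnet 172.19.101.0 255.255.255.0
nat (inside,outside) source static LOCAL-REAL LOCAL-MAPPED destination static REMOTE-MAPPED REMOTE-MAPPED
!
! ---- Verification on the local ASA ----
! Expect an xlate for 192.168.99.11 <-> 172.19.100.11 once traffic has been sent.
show xlate | include 192.168.99.11
! Encaps/decaps counters should both increase for the 172.19.100.0/24 <-> 172.19.101.0/24 SA.
show crypto ipsec sa peer <remote-peer-ip>
```

Because each host has its own mapped address on both sides, either office can initiate the tunnel, which is what the single-host static in the original post does not allow.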
