Is a policy-based bi-directional NAT possible? I can find plenty of examples to handle a single bi-directional NAT, but the Cisco documentation I've read states that policy-based NAT translates local addresses only. However, I've read conflicting documentation from Cisco where it says any NAT (besides NAT exemption) can be configured as policy NAT. I've spent numerous hours researching a configuration that could handle this but have come up empty. I would imagine I'm not the first person to run into this; Cisco's documentation is just unclear to me.
Site A will terminate L2L VPNs from Site B and Site C to an ASA 5520. Site A has no administrative control over B or C. Site B and C are choosing to expose their same overlapping private address space.
I'm no expert but forced into this by the unexpected exit of our Network Engineer. Can anyone provide assistance?
I know that I need to:
1. specify the address to be translated
2. specify the inside global to translate to
I believe I accomplish this with:
- static (outside,inside) 172.17.1.1 10.128.0.0 netmask 255.128.0.0
- access-list 101 permit ip 10.128.0.0 255.128.0.0 any
- access-group 101 in interface outside
I believe I'll need to create route statements for this as well:
- route outside 10.128.0.0 255.128.0.0 12.126.x.x
This satisfies one VPN, but what about Site C? Can I use policy NAT to map that customer's 10.128.0.0/9 to, say, 172.17.2.2? I know the address space I'm mapping to doesn't handle the /9 being exposed to me, but I'll never exceed the range I'm mapping it to. Once I know exactly how many IPs will be coming over the VPN, I will actually create a 1:1 translation as governed by our security policy.
I hope I'm on the right track here and have explained this in manner that isn't too confusing. Any help? I'm not even sure if a policy-based bi-directional NAT is possible based on the Cisco documentation I've read. Help!
Site A (ASA 5520) ---- WWW Cloud ----+---- (12.126.x.x) Site B (10.128.0.0/9)
                                     |
                                     +---- (209.128.y.y) Site C (10.128.0.0/9)
I agree with you 100%; unfortunately, the documentation sucks!
If you give the ASA a different public IP on another interface and terminate the other tunnel there, you can still use the policy NAT configuration on Site A and it should work.
Give it a try and let us know if you need further help.
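Putting the reply's suggestion into pre-8.3 ASA syntax (the same `static` form the question uses), as an added example that is not from the original thread: each tunnel terminates on its own interface, so the two policy statics are distinguished by their real interface even though the real prefix behind both is identical. Everything not in the question is an assumption: Site A's inside network 192.168.10.0/24, the /24 subset 10.128.1.0/24 that each remote site actually exposes out of its /9 (the 1:1 translation the question says it will end up with), the interface name `outside2` and its address 198.51.100.2/30 from the documentation range. Only the NAT and the checks are shown; the crypto maps and the routes for each tunnel are not.

```cisco
! Added example (not from the thread). ASA pre-8.3 "static" syntax, as in the question.
! Assumed: Site A inside is 192.168.10.0/24; each remote site exposes 10.128.1.0/24
! of its overlapping /9; a second public interface "outside2" (198.51.100.2/30,
! documentation range) terminates the Site C tunnel. Site B's tunnel stays on "outside".
!
interface GigabitEthernet0/2
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
! Policy NAT ACLs: real source (the remote /24) and the inside destination it may reach.
! Both ACLs are identical on purpose; the interface in each static is what keeps them apart.
access-list SITEB_NAT extended permit ip 10.128.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list SITEC_NAT extended permit ip 10.128.1.0 255.255.255.0 192.168.10.0 255.255.255.0
!
! static (real_ifc,mapped_ifc) mapped_network access-list <acl>
! Site B hosts arriving on "outside" are seen by Site A as 172.17.1.x (1:1),
! Site C hosts arriving on "outside2" are seen by Site A as 172.17.2.x (1:1).
static (outside,inside) 172.17.1.0 access-list SITEB_NAT
static (outside2,inside) 172.17.2.0 access-list SITEC_NAT
!
! Inside hosts reach the remote sites only by the mapped addresses, so any ACL applied
! on "inside" must permit 172.17.1.0/24 and 172.17.2.0/24, not 10.128.x.x.
!
! Checks: un-NAT of a Site C mapped address must pick outside2 as egress, and the
! xlate table must show the same real prefix twice, once per real interface.
! packet-tracer input inside tcp 192.168.10.20 40000 172.17.2.10 445
! show xlate | include 10.128.1
```

Run the two check commands before bringing either tunnel up for real traffic: if `packet-tracer` shows the 172.17.2.10 flow leaving via `outside` rather than `outside2`, the second static is not being matched and the interface pair in it should be re-checked.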