ASA - VPN site to site with NAT

Answered Question
Apr 14th, 2010
User Badges:

Hi,

we have 2 building connected with a bridge wireless that transport different vlans.

We need now to dismiss this bridge and we will connect this networks through ipsec vpn site to site.

We don't want to change the ip addresses so I'm wondering if it's possible to apply a nat before encrypt the traffic for each vlan?

Is it possible?

ac

Correct Answer by Jennifer Halim about 7 years 1 month ago

Yes, definitely can.


Couldn't find a sample configuration that NAT both ends, but here is example for your reference:


Site A LAN: 192.168.1.0/24 --> NAT to 192.168.20.0/24

Site B LAN: 192.168.1.0/24 --> NAT to 192.168.40.0/24


Site A ASA:

static (inside,outside) 192.168.20.0 192.168.1.0 netmask 255.255.255.0


Crypto ACL:

access-list cryptoAB permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0


Site B ASA:

static (inside,outside) 192.168.40.0 192.168.1.0 netmask 255.255.255.0


Crypto ACL:

access-list cryptoAB permit ip 192.168.40.0 255.255.255.0 192.168.20.0 255.255.255.0


Hope that helps.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jennifer Halim Wed, 04/14/2010 - 02:34
User Badges:
  • Cisco Employee,

Yes, you can definitely configure NAT prior to encryption, and the crypto ACL should match the NATed subnet.


Hope that answers your question.

acleri Wed, 04/14/2010 - 03:12
User Badges:

So I can configure the internal interface as a trunk to terminate all the vlan, define NAT for each vlan, and define the crypto acl on the natted address.

This is possible also with the small asa5505?

Where can I find some usefull configuration information?

Thank you.

Correct Answer
Jennifer Halim Wed, 04/14/2010 - 03:31
User Badges:
  • Cisco Employee,

Yes, definitely can.


Couldn't find a sample configuration that NAT both ends, but here is example for your reference:


Site A LAN: 192.168.1.0/24 --> NAT to 192.168.20.0/24

Site B LAN: 192.168.1.0/24 --> NAT to 192.168.40.0/24


Site A ASA:

static (inside,outside) 192.168.20.0 192.168.1.0 netmask 255.255.255.0


Crypto ACL:

access-list cryptoAB permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0


Site B ASA:

static (inside,outside) 192.168.40.0 192.168.1.0 netmask 255.255.255.0


Crypto ACL:

access-list cryptoAB permit ip 192.168.40.0 255.255.255.0 192.168.20.0 255.255.255.0


Hope that helps.

Actions

This Discussion