ASA - VPN site to site with NAT

Answered Question
Apr 14th, 2010

Hi,

we have 2 building connected with a bridge wireless that transport different vlans.

We need now to dismiss this bridge and we will connect this networks through ipsec vpn site to site.

We don't want to change the ip addresses so I'm wondering if it's possible to apply a nat before encrypt the traffic for each vlan?

Is it possible?

ac

I have this problem too.
0 votes
Correct Answer by Jennifer Halim about 6 years 9 months ago

Yes, definitely can.

Couldn't find a sample configuration that NAT both ends, but here is example for your reference:

Site A LAN: 192.168.1.0/24 --> NAT to 192.168.20.0/24

Site B LAN: 192.168.1.0/24 --> NAT to 192.168.40.0/24

Site A ASA:

static (inside,outside) 192.168.20.0 192.168.1.0 netmask 255.255.255.0

Crypto ACL:

access-list cryptoAB permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0

Site B ASA:

static (inside,outside) 192.168.40.0 192.168.1.0 netmask 255.255.255.0

Crypto ACL:

access-list cryptoAB permit ip 192.168.40.0 255.255.255.0 192.168.20.0 255.255.255.0

Hope that helps.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jennifer Halim Wed, 04/14/2010 - 02:34

Yes, you can definitely configure NAT prior to encryption, and the crypto ACL should match the NATed subnet.

Hope that answers your question.

acleri Wed, 04/14/2010 - 03:12

So I can configure the internal interface as a trunk to terminate all the vlan, define NAT for each vlan, and define the crypto acl on the natted address.

This is possible also with the small asa5505?

Where can I find some usefull configuration information?

Thank you.

Correct Answer
Jennifer Halim Wed, 04/14/2010 - 03:31

Yes, definitely can.

Couldn't find a sample configuration that NAT both ends, but here is example for your reference:

Site A LAN: 192.168.1.0/24 --> NAT to 192.168.20.0/24

Site B LAN: 192.168.1.0/24 --> NAT to 192.168.40.0/24

Site A ASA:

static (inside,outside) 192.168.20.0 192.168.1.0 netmask 255.255.255.0

Crypto ACL:

access-list cryptoAB permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0

Site B ASA:

static (inside,outside) 192.168.40.0 192.168.1.0 netmask 255.255.255.0

Crypto ACL:

access-list cryptoAB permit ip 192.168.40.0 255.255.255.0 192.168.20.0 255.255.255.0

Hope that helps.

Actions

This Discussion