How to configure opposite NAT policies on the same ASA.

Unanswered Question
Sep 9th, 2010

Issue : Our company is currently in the process of migrating all the vendor VPn traffic from concentrators to ASA -5540s. Our vendors connect using either Clientless , Client based and /or Site2Site.

All the 3 VPN configurations need to exist on the same appliances.

We have currently have a stable environment set up for Clientless and IPSEC client where vendors connect to real addresses. However our Site to Site connections ( which initally ) existed on a concentrator needs to be moved to the same ASA. The site to Site masks internal addresses by natting them to a public address range 168.244..0.0 /16

Is there a way to configure ASA to nat only Siteto Site traffic and not the Client and Clientless traffic .

One option our team has come up with is to create a new DMZ on the ASA and route traffic pointing to the new DMZ range. /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;}

Is there any otherworkable solution ?

Thanks in advance


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Yudong Wu Thu, 09/09/2010 - 11:00

Not sure your ASA version. If it is running early than 8.3, You can configure policy static NAT to only nat the traffice for site to site VPN.

1. define a ACL to include all site to site traffic

access-list s2s permit ip

access-list s2s permit ip

2. configure policy static nat

static (inside_interface_name, outside_interface_name) netmask access-list s2s

Here is command ref

8.3 code can do the same but the syntax is different.


This Discussion