How to configure opposite NAT policies on the same ASA.

sprashanth (Level 1)

Issue: Our company is currently in the process of migrating all the vendor VPN traffic from concentrators to ASA 5540s. Our vendors connect using either clientless, client-based and/or site-to-site VPN.

All three VPN configurations need to exist on the same appliances.

We currently have a stable environment set up for clientless and IPsec client, where vendors connect to real addresses. However, our site-to-site connections (which initially existed on a concentrator) need to be moved to the same ASA. The site-to-site setup masks internal addresses by NATting them to a public address range, 168.244.0.0/16.

Is there a way to configure the ASA to NAT only site-to-site traffic and not the client and clientless traffic?

One option our team has come up with is to create a new DMZ on the ASA and route traffic pointing to the new DMZ range.

Is there any other workable solution?

Thanks in advance

-Sandhya

1 Reply

Yudong Wu (Level 7)

Not sure about your ASA version. If it is running earlier than 8.3, you can configure policy static NAT to NAT only the traffic for the site-to-site VPN.

1. Define an ACL to include all site-to-site traffic

access-list s2s permit ip

access-list s2s permit ip

2. Configure policy static NAT

static (inside_interface_name, outside_interface_name) netmask access-list s2s

Here is the command reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1512466

8.3 code can do the same but the syntax is different.
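As an added worked example (not part of the original answer), the policy NAT arrangement described above written out in full, for both the pre-8.3 syntax and the 8.3+ manual (twice) NAT syntax. Only the 168.244.0.0/16 mapped range comes from the question; the inside LAN, the vendor LAN, the client address pool, the peer address, the transform set and every ACL and object name are assumptions chosen for illustration.

```cisco
! Assumed addressing (illustrative, not from the post):
!   inside LAN           10.10.0.0/16
!   vendor remote LAN    192.168.50.0/24   (behind the site-to-site peer 203.0.113.10)
!   mapped public range  168.244.0.0/16    (from the question)
!   remote-access pool   10.200.0.0/24     (IPsec client / clientless users)

! ---------- ASA 8.2 and earlier: policy static NAT ----------

! 1. Select ONLY inside -> vendor-LAN flows for translation. Client and clientless
!    sessions never match this ACL, so they keep talking to real addresses.
access-list S2S_NAT extended permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0

! 2. Policy static NAT: real 10.10.0.0/16 appears as 168.244.0.0/16, but only
!    for flows matching S2S_NAT (the real network and mask come from the ACL).
static (inside,outside) 168.244.0.0 access-list S2S_NAT

! 3. NAT is applied before encryption, so the crypto ACL must reference the
!    MAPPED addresses, never the real 10.10.0.0/16.
access-list S2S_CRYPTO extended permit ip 168.244.0.0 255.255.0.0 192.168.50.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address S2S_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! 4. Only needed if nat-control or a dynamic "nat (inside) 1" rule is present:
!    exempt inside <-> remote-access pool traffic so those users see real addresses.
!    NAT exemption is evaluated before policy static NAT, so the two do not collide
!    as long as the ACLs do not overlap.
access-list NO_NAT extended permit ip 10.10.0.0 255.255.0.0 10.200.0.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! ---------- ASA 8.3 and later: manual (twice) NAT, same intent ----------

object network INSIDE_LAN
 subnet 10.10.0.0 255.255.0.0
object network INSIDE_LAN_MAPPED
 subnet 168.244.0.0 255.255.0.0
object network VENDOR_LAN
 subnet 192.168.50.0 255.255.255.0
object network RA_POOL
 subnet 10.200.0.0 255.255.255.0

! Translate the source only when the destination is the vendor LAN; the
! destination is mapped to itself, so nothing else on the box is affected.
nat (inside,outside) 1 source static INSIDE_LAN INSIDE_LAN_MAPPED destination static VENDOR_LAN VENDOR_LAN

! Identity rule for remote-access users, placed before any dynamic PAT rule.
nat (inside,outside) 2 source static INSIDE_LAN INSIDE_LAN destination static RA_POOL RA_POOL

! The crypto ACL S2S_CRYPTO above is unchanged: it still matches the mapped range.
```

Check the result before bringing the tunnel up, on either code train: `packet-tracer input inside tcp 10.10.1.5 1025 192.168.50.10 443` should show a NAT phase translating the source to 168.244.x.x and a VPN phase matching the crypto map, while `packet-tracer input inside tcp 10.10.1.5 1025 10.200.0.20 3389` should show no translation at all. `show xlate` after traffic flows confirms that only the vendor-bound sessions consumed a mapped address.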
