How to configure Policy NAT for VPN traffic on PIX/ASA


May 1, 2011 2:40 AM
Jun 17th, 2009

Core issue

With Policy NAT, the source address of interesting traffic can be translated to a different address before it is encrypted. This is useful especially where the networks on the two sides of the tunnel overlap.

Resolution

In order to configure Policy NAT for VPN traffic, for example to change the source address, refer to this configuration example. In this example, the internal network is 10.10.1.0/24.

  • Create an access-list for Policy NAT that matches the real source address and the destination IP addresses.

access-list POLICYNAT extended permit ip 10.10.1.0 255.255.255.0 host 172.16.1.1
access-list POLICYNAT extended permit ip 10.10.1.0 255.255.255.0 1.1.1.0 255.255.255.0

  • Create a static command that states that when the source is 10.10.1.0/24 and the destination is 172.16.1.1 or 1.1.1.0/24, the source is translated to 172.16.5.0/24.

static (inside,outside) 172.16.5.0 access-list POLICYNAT

  • Create a crypto access-list with the source as the new IP address defined in Policy NAT, for example, 172.16.5.0.

access-list VPN extended permit ip 172.16.5.0 255.255.255.0 host 172.16.1.1
access-list VPN extended permit ip 172.16.5.0 255.255.255.0 1.1.1.0 255.255.255.0

  • Apply the crypto access-list to the crypto map.

crypto map VPN 10 match address VPN
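As an added illustration (not part of the original document), this Python model walks an inside-to-outside packet through the steps above: the POLICYNAT access-list selects the traffic, the static translates the source into 172.16.5.0/24, and only then is the crypto access-list evaluated, which is why step 3 must use the translated source. A deliberately wrong crypto ACL written with the real source is included for contrast; host addresses used in the checks are constructed.

```python
import ipaddress

def net(s):
    return ipaddress.ip_network(s)

# access-list POLICYNAT: (real source network, destination network) entries
POLICYNAT = [(net("10.10.1.0/24"), net("172.16.1.1/32")),
             (net("10.10.1.0/24"), net("1.1.1.0/24"))]
# static (inside,outside) 172.16.5.0 access-list POLICYNAT: mapped network
MAPPED = net("172.16.5.0/24")
# access-list VPN: crypto ACL written against the TRANSLATED source
VPN_ACL = [(net("172.16.5.0/24"), net("172.16.1.1/32")),
           (net("172.16.5.0/24"), net("1.1.1.0/24"))]
# Misconfiguration for contrast: crypto ACL written with the real (pre-NAT) source
WRONG_VPN_ACL = [(net("10.10.1.0/24"), net("172.16.1.1/32"))]

def acl_matches(acl, src, dst):
    """True if any (source, destination) entry of the ACL permits the packet."""
    return any(src in s and dst in d for s, d in acl)

def policy_nat(src, dst):
    """Apply the static Policy NAT. A static network translation keeps the
    host part: 10.10.1.7 with a matching destination becomes 172.16.5.7."""
    for real_net, dst_net in POLICYNAT:
        if src in real_net and dst in dst_net:
            return MAPPED.network_address + (int(src) - int(real_net.network_address))
    return src  # no ACE matched: the source leaves untranslated

def outbound(src_str, dst_str, crypto_acl=VPN_ACL):
    """Return (source as seen on the outside, encrypted?) for one packet.
    On PIX/ASA, NAT is applied before the crypto map match on the outbound path."""
    src, dst = ipaddress.ip_address(src_str), ipaddress.ip_address(dst_str)
    translated = policy_nat(src, dst)
    return str(translated), acl_matches(crypto_acl, translated, dst)

if __name__ == "__main__":
    for dst in ("172.16.1.1", "1.1.1.20", "8.8.8.8"):
        print("10.10.1.7 ->", dst, outbound("10.10.1.7", dst))
    print("with real-source crypto ACL:", outbound("10.10.1.7", "172.16.1.1", WRONG_VPN_ACL))
```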

VPN Tunnel End Points: PIX, ASA
VPN Topology: Lan-to-Lan
Features & Tasks: Policy NAT
VPN Protocols: IPSec

ahmad82pkn Sun, 05/01/2011 - 02:40

What about if the same NAT IP is needed to be used for another client B?

Then I get an error.

Let's say, after the above config, I do the same for another client B:

static (inside,outside) 172.16.5.0 access-list CLIENTB-POLICYNAT

It gives me an error that 172.16.5.0 is already in use. How can I fix this? I am moving from a Cisco VPN Concentrator to ASA, whereas in the Concentrator this situation works.

Posted June 17, 2009 at 10:15 PM
Updated July 22, 2009 at 7:34 PM