10-11-2010 01:36 AM - edited 03-11-2019 11:52 AM
Hi All,
I have Cisco ASA5505 configured with one inside VLAN (10.10.10.x) and one OUTSIDE VLAN.
I have activated an IPsec site-to-site tunnel VPN with a partner, and he wants to see my network as 10.10.20.x (instead of 10.10.10.x) because he already has 10.10.10.x in his network.
How can I do it? I cannot change my internal addresses, so I think we have to configure something that translates my addresses before they enter the tunnel.
How can I do it?
Thanks.
10-11-2010 02:29 AM
Hi,
This is the most common scenario we used to face while creating site-to-site VPNs.
We need to configure a static NAT on both ASAs/PIXes, which would translate the IPs into some other IP ranges.
Then we need to specify static routes for these new statically mapped IP addresses on both sides.
Here is a link for the same scenario, but it is written with reference to a Check Point firewall:
http://docs.spruce.se/docs/5_0/10-to-10_net_using_VPN_and_NAT_NG_and_41.pdf
Hope it might help you,
Khubaib
10-11-2010 05:51 AM
Hi Khubaib,
Thanks for your reply. Your document is very useful, and I understood the topology of the configuration.
BUT I don't know how to configure it on a Cisco ASA5505; your document is made for Check Point.
Sorry, but I'm not very expert in Cisco.
Thanks!
10-11-2010 05:58 AM
Hi,
If you are running version 8.2 or earlier on your ASA, the document below will help you with it.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html
More specifically, you will have to use "Static policy NAT", that is, "static nat with an access-list" for this to work out. Let me know if this helps!! If you have any doubts, please feel free to post them.
Thanks and Regards,
Prapanch
10-11-2010 01:39 PM
To configure this on version 8.3 and greater on the 5505, it will be necessary to perform bi-directional NAT. Your remote location can access your network using the 10.10.20.0/24 network, and in this example we'll have your internal subnet access the remote 10.10.10.0/24 network using the mapped address 10.10.30.0/24.
Your local LAN will send packets to 10.10.30.0/24, the remote LAN will send packets to 10.10.20.0/24, and the ASA will take care of the bi-directional NAT.
object network insideReal
 subnet 10.10.10.0 255.255.255.0
object network insideMapped
 subnet 10.10.20.0 255.255.255.0
object network outsideReal
 subnet 10.10.10.0 255.255.255.0
object network outsideMapped
 subnet 10.10.30.0 255.255.255.0
Note that the ASA will need a route not only to the local LAN segment but also to the remote LAN segment. To add this duplicate route, increase the metric on the route that faces out the outside interface:
route inside 10.10.10.0 255.255.255.0 10.0.0.2 1
route outside 10.10.10.0 255.255.255.0 192.168.2.5 2
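The post above defines the network objects and routes but stops short of the twice-NAT rule and the crypto ACL that tie them to the tunnel. The following is an added, complete ASA 8.3+ configuration for the overlapping-subnet case described in this thread; it is not the poster's own configuration. It reuses the thread's object names and addresses (10.10.10.0/24 real on both sides, 10.10.20.0/24 as our mapped subnet, 10.10.30.0/24 as the partner's mapped subnet, next hops 10.0.0.2 and 192.168.2.5). The names PARTNER-VPN and OUTSIDE_MAP, the sequence number 10, and the peer address placeholder are assumptions; the IKE policy, transform set and tunnel-group for the peer are assumed to exist already.

```cisco
! Added example (not from the original post). Object names and addresses follow the thread.
object network insideReal
 subnet 10.10.10.0 255.255.255.0
object network insideMapped
 subnet 10.10.20.0 255.255.255.0
object network outsideReal
 subnet 10.10.10.0 255.255.255.0
object network outsideMapped
 subnet 10.10.30.0 255.255.255.0
!
! One twice-NAT (manual NAT) rule does both directions:
!  inside -> outside: source 10.10.10.x becomes 10.10.20.x, and a destination of
!                     10.10.30.x (what local hosts dial) becomes the partner's real 10.10.10.x
!  outside -> inside: the same rule applied in reverse, so partner hosts reach us as 10.10.20.x
!                     and appear to our hosts as 10.10.30.x
nat (inside,outside) source static insideReal insideMapped destination static outsideMapped outsideReal
!
! On 8.3+ the crypto ACL is evaluated after NAT, so it names our MAPPED subnet as the
! source and the partner's REAL subnet as the destination. Using the real 10.10.10.0/24
! on both sides here would never match the translated packets. (ACL name is assumed.)
access-list PARTNER-VPN extended permit ip object insideMapped object outsideReal
!
! Crypto map entry for this peer (map name, sequence number and peer IP are assumed;
! replace PARTNER-PEER-IP with the partner's public address).
crypto map OUTSIDE_MAP 10 match address PARTNER-VPN
crypto map OUTSIDE_MAP 10 set peer PARTNER-PEER-IP
!
! Routes as recommended in the post: the local copy of 10.10.10.0/24 via inside
! (metric 1) and the remote copy via outside with a higher metric.
route inside 10.10.10.0 255.255.255.0 10.0.0.2 1
route outside 10.10.10.0 255.255.255.0 192.168.2.5 2
!
! Verification: trace a packet from a local host to the partner's mapped address and
! confirm the NAT phase shows 10.10.10.5 -> 10.10.20.5 / 10.10.30.5 -> 10.10.10.5,
! then check that the rule is hit and the SA comes up.
packet-tracer input inside tcp 10.10.10.5 12345 10.10.30.5 80
show nat detail
show crypto ipsec sa
```

The partner's crypto ACL must mirror this one (their real subnet to our mapped 10.10.20.0/24), otherwise the proxy IDs will not match during Phase 2. If the ASA also has a dynamic PAT rule for general Internet access, keep this manual NAT rule in section 1 (the default for `nat ... source static`) so it is matched before the PAT rule.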