Cisco Support Community
New Member

ASA - VPN site to site with NAT

Hi,

We have 2 buildings connected with a wireless bridge that transports different VLANs.

We now need to dismiss this bridge, and we will connect these networks through an IPsec site-to-site VPN.

We don't want to change the IP addresses, so I'm wondering if it's possible to apply NAT before encrypting the traffic for each VLAN?

Is it possible?

ac

4 REPLIES
Cisco Employee

Re: ASA - VPN site to site with NAT

Yes, you can definitely configure NAT prior to encryption, and the crypto ACL should match the NATed subnet.

Hope that answers your question.

New Member

Re: ASA - VPN site to site with NAT

So I can configure the internal interface as a trunk to terminate all the VLANs, define NAT for each VLAN, and define the crypto ACL on the NATed addresses.

Is this also possible with the small ASA 5505?

Where can I find some useful configuration information?

Thank you.

Cisco Employee

Re: ASA - VPN site to site with NAT

Yes, definitely can.

Couldn't find a sample configuration that NATs both ends, but here is an example for your reference:

Site A LAN: 192.168.1.0/24 --> NAT to 192.168.20.0/24

Site B LAN: 192.168.1.0/24 --> NAT to 192.168.40.0/24

Site A ASA:

static (inside,outside) 192.168.20.0 192.168.1.0 netmask 255.255.255.0

Crypto ACL:

access-list cryptoAB permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0

Site B ASA:

static (inside,outside) 192.168.40.0 192.168.1.0 netmask 255.255.255.0

Crypto ACL:

access-list cryptoAB permit ip 192.168.40.0 255.255.255.0 192.168.20.0 255.255.255.0

Hope that helps.
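
An added example, not part of the original reply and not Cisco tooling: a small Python check that parses the `static` and crypto ACL lines posted above for both sites and verifies that each crypto ACL matches the NATed subnets and that the two ACLs mirror each other. The function names and the specific checks are this example's own assumptions.

```python
import ipaddress
import re

# The two sites' lines exactly as posted in the reply (pre-8.3 ASA syntax).
SITE_A = """\
static (inside,outside) 192.168.20.0 192.168.1.0 netmask 255.255.255.0
access-list cryptoAB permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0
"""
SITE_B = """\
static (inside,outside) 192.168.40.0 192.168.1.0 netmask 255.255.255.0
access-list cryptoAB permit ip 192.168.40.0 255.255.255.0 192.168.20.0 255.255.255.0
"""

STATIC_RE = re.compile(r"^static \(\S+,\S+\) (\S+) (\S+) netmask (\S+)$", re.M)
ACL_RE = re.compile(r"^access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)


def net(addr, mask):
    """Build a network object from an address and a dotted netmask."""
    return ipaddress.ip_network(f"{addr}/{mask}")


def parse_site(cfg):
    """Return (mapped subnets, real subnets, crypto ACL (src, dst) pairs)."""
    statics = [(net(m, k), net(r, k)) for m, r, k in STATIC_RE.findall(cfg)]
    acl = [(net(s, sm), net(d, dm)) for s, sm, d, dm in ACL_RE.findall(cfg)]
    return [m for m, _ in statics], [r for _, r in statics], acl


def check_pair(cfg_a, cfg_b):
    """Return a list of problems; an empty list means both ends are consistent."""
    problems = []
    map_a, real_a, acl_a = parse_site(cfg_a)
    map_b, real_b, acl_b = parse_site(cfg_b)
    sites = (("A", map_a, real_a, acl_a), ("B", map_b, real_b, acl_b))
    for name, mapped, real, acl in sites:
        for src, dst in acl:
            # NAT happens before encryption, so the ACL must see the NATed source.
            if src not in mapped:
                problems.append(f"site {name}: crypto ACL source {src} is not a NATed subnet")
            # A destination inside the local LAN would never be routed to the tunnel.
            if any(dst.overlaps(r) for r in real):
                problems.append(f"site {name}: crypto ACL destination {dst} overlaps local LAN")
    if sorted(acl_a) != sorted((d, s) for s, d in acl_b):
        problems.append("crypto ACLs are not mirror images of each other")
    if any(a.overlaps(b) for a in map_a for b in map_b):
        problems.append("the two sites' NATed subnets overlap")
    return problems
```

Calling `check_pair(SITE_A, SITE_B)` on the posted configuration returns an empty list; writing the crypto ACL against the real 192.168.1.0/24 LAN instead of the NATed subnet is reported as a problem.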

New Member

Re: ASA - VPN site to site with NAT

OK, that's clear.

Thank you halijenn!!!

Regards.
