New Member

destination nat - vpn site2site

Good day all,

Hope someone can help/explain destination NAT to me.

I have one host A 172.20.0.x that must translate to host B 192.168.5.x.

So if a VPN office (192.168.36.0/24) tries to connect to host A 172.20.0.x, it must translate to host B 192.168.5.x.

Is this possible, and how can I configure this NAT rule?

I am using ASA V8.4(1).

Many thanks for your feedback!

Brgds Markus

4 REPLIES
Bronze

Re: destination nat - vpn site2site

What I understood is that your host 172.20.0.x is sitting on the inside network and you want this host to be available on the outside network/published as 192.168.5.x, such that other hosts connecting to it would be connecting to 192.168.5.x and the ASA will do the translation.

You can achieve it as follows:

static (inside,outside) 192.168.5.x 172.20.0.x netmask 255.255.255.255

access-list out-in extended permit ip 192.168.36.0 255.255.255.0 host 192.168.5.x

access-group out-in in interface outside


New Member

Re: destination nat - vpn site2site

Hi,

thanks for the fast response.

Host B 192.168.5.X is also on an inside interface. I want all remote VPN locations that try to connect to host A 172.0.0.X to be translated to host B 192.168.5.X.

Brgds Markus

New Member

Re: destination nat - vpn site2site

OK, I got it:

nat (wan_primary,inside) source static 192.168.36.0 192.168.36.0 destination static 172.20.0.X 192.168.5.X

Brgds Markus
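
The rule posted above, written out in the object-based form that manual (twice) NAT takes on ASA 8.3 and later, as an added example that is not part of the original thread. The object names are hypothetical, and X stands for the host octet the thread leaves elided.

```cisco
! Added example; object names are hypothetical, X is the elided host octet.
! Remote VPN office, kept untranslated (identity source NAT).
object network VPN-OFFICE-36
 subnet 192.168.36.0 255.255.255.0
! Address the VPN office connects to (host A as seen from wan_primary).
object network HOST-A-MAPPED
 host 172.20.0.X
! Real inside host that receives the traffic (host B).
object network HOST-B-REAL
 host 192.168.5.X
!
! Manual (twice) NAT: the source stays 192.168.36.0/24, the destination
! 172.20.0.X is rewritten to 192.168.5.X, and replies are translated back.
nat (wan_primary,inside) source static VPN-OFFICE-36 VPN-OFFICE-36 destination static HOST-A-MAPPED HOST-B-REAL
!
! Confirm the rule is installed and watch its hit counters.
show nat detail
! Confirm the active translation once traffic has flowed.
show xlate
```

From 8.3 onward, an interface ACL that applies to this traffic matches the real address (192.168.5.X), not the mapped one.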

Bronze

Re: destination nat - vpn site2site

I am sorry, but can you explain: if you have 192.168.5.x and 172.0.0.x on the inside network, meaning both hosts are live, then in such a case both would be used by VPN users simultaneously, correct?

Then you cannot translate host A to host B address because translation can happen using VIP (virtual IP) with real IP.

What you are talking about is diversion, or maybe I misunderstood you, and if you can explain more I might be able to help you out.

