NAT translation on an ASA for a VPN

I have a VPN to another company and they are using the same addressing as us, so I need to do some double NATting. I'm not sure how to do this for a VPN. Basically, I want anything exiting from the site A subnet of 10.1.1.0/24 to get translated to 10.6.7.1. Also, anything going from a specific address in site A (10.1.1.67) gets translated to 10.6.7.2.

Thanks!

Accepted Solutions

Re: NAT translation on an ASA for a VPN

Donagh,

You need policy-based NAT for your VPN connections, something like:-

access-list inside_policy_nat extended permit ip host 10.1.1.67 <>

static (inside,outside) 10.6.7.2 access-list inside_policy_nat

access-list no-nat extended permit ip host 10.6.7.2 <>

access-list nat_vpn_company_x extended permit ip host 10.6.7.2 <>

crypto map <> <> match address nat_vpn_company_x

The above will:-

1) NAT the internal src IP from 10.1.1.67 to 10.6.7.2 when the destination is the remote company ip subnet

2) Once translated - will not re-NAT it again

3) Define the NAT'ted IP address as the interesting src IP to bring the tunnel UP and of course is used in the verification of the IPSEC encryption domains.

HTH
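The order of operations described in the answer (policy NAT first, then the crypto ACL matched against the translated source) can be checked offline with a small model. This is an added example, not part of the original reply and not ASA code; it goes beyond the answer by also modelling the asker's subnet-wide translation to 10.6.7.1, and the remote subnet 10.9.9.0/24 is a constructed stand-in for the `<>` placeholders.

```python
import ipaddress

# Assumed value: the page elides the remote side as "<>"; this subnet is constructed.
REMOTE_NET = ipaddress.ip_network("10.9.9.0/24")
LOCAL_NET = ipaddress.ip_network("10.1.1.0/24")

# Policy NAT rules, most specific first: (real source, translated source).
# The host rule mirrors the static in the answer; the subnet rule is the
# asker's other requirement, modelled here as many-to-one translation.
POLICY_NAT = [
    (ipaddress.ip_network("10.1.1.67/32"), ipaddress.ip_address("10.6.7.2")),
    (LOCAL_NET, ipaddress.ip_address("10.6.7.1")),
]

# Crypto ACL written against translated sources, as nat_vpn_company_x is.
CRYPTO_ACL_TRANSLATED = [ipaddress.ip_network("10.6.7.2/32"),
                         ipaddress.ip_network("10.6.7.1/32")]
# For contrast: a crypto ACL written against the real inside subnet.
CRYPTO_ACL_REAL = [LOCAL_NET]


def translate(src, dst):
    """Apply policy NAT: rewrite the source only when dst is the remote net."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in REMOTE_NET:
        for real, mapped in POLICY_NAT:
            if src in real:
                return mapped
    # Other NAT rules (e.g. internet PAT) are not modelled here.
    return src


def egress(src, dst, crypto_acl):
    """Return (source seen after NAT, whether the packet matches the tunnel)."""
    wire_src = translate(src, dst)
    to_remote = ipaddress.ip_address(dst) in REMOTE_NET
    protected = to_remote and any(wire_src in net for net in crypto_acl)
    return str(wire_src), protected


if __name__ == "__main__":
    for acl_name, acl in (("translated", CRYPTO_ACL_TRANSLATED), ("real", CRYPTO_ACL_REAL)):
        for src in ("10.1.1.67", "10.1.1.20"):
            print(acl_name, src, egress(src, "10.9.9.10", acl))
```

With the crypto ACL written against the real 10.1.1.0/24 addresses, neither flow matches after translation, so the tunnel is never selected for that traffic.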
