I have a scenario I have been trying to work out how to do and just cannot work out. I am sure someone on here with a lot more experience then me will answer this very easily.
We have an ASA5510 running version 8.25. This is in our central office in London. The London network has an ip address range of 10.110.128.0/22. Connected to this via a site-to-site VPN we have a satellite office that has an IP address range of 172.16.148.0/22.
We have now connected to our parent company via another site-to-site VPN connected to the same ASA5510. Their network has an internal range of 10.110.18.0/24. It was our parent company that issued us with our range of addresses a long while ago so that it all fits in with the rest of the company.
We have resources (web servers) on their network that we use which work just as it all should. We now want to allow our satellite office to view those same web servers. The problem is that only 10.110 addresses can flow to our parent company.
I have configured the firewall at our central office and our satellite office to route across to our parent company via our network network and the packets are flowing just fine except that obviously once they reach our firewall they cannot go to our parent company because the 172.16.148 range cannot be routed there.
My idea is to NAT traffic from our satellite office to one of our local addresses before it goes over to our parent company network.
For example: If someone in our satellite office with an IP address of 172.16.150.5 attempts to request a resource from 10.110.18.12 then the request would go via the VPN to our firewall and then get NATed to 10.110.131.200 before being passed on to our parent company network.
My question is what would the NAT configuration be to achieve this. I just cannot work out what type of NAT I would need or how to construct the command. It's probably PAT as it will be multiple addresses to a single address. Essentialy, all traffic from 172.16.148.0/22 destined for 10.110.18.0/24 should get NATed at our firewall to 10.110.131.200 before being passed on.
Just to add, we already have this working from our Cisco 3000 Concentrator which is now going to be phased out hence trying to get this to work on our ASA. The satellite office has now been moved to the ASA and as of today our parent company has been moved to the ASA.
Will that only NAT if the request is destined for the 10.110.18.0 subnet. There are actually other VPNs connected to the firewall where it needs to keep it's original IP address of 172.16.148.0. The only time it should NAT is if it is going on to the 10.110.18.0 subnet.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :