I need to set up nat for a new company that we purchased. I'll be bringing the tunnel up from the 2600, and it will be terminating into my ASA 5520. Would I only have to worry about one side of the tunnel to nat?
We route for a 192.168.1.0 network, but the new company is also 192.168.1.0. What I was going to do is to nat all of their vpn traffic to 10.230.1.0/24 out of their router, but would I need to configure the reverse as well on the ASA, or do I just need to worry about my nat exemption statements?
You will need to NAT both sides. You can do the NAT on the same device if you want, but you still need to NAT both sides.
The reason is -
LAN1 -> ASA <-> 2600 -> LAN2
Let's say you do NAT all LAN2 addresses to 10.230.1.x. Now say a client on LAN2 needs to talk to a client on LAN1. If the client address appears as 10.230.1.x to LAN1 then yes, LAN1 could then route the traffic back. But the problem is that the packet never gets to LAN1. The reason being that the client on LAN2 thinks that the client on LAN1 is on the same network, i.e.
client source IP = 192.168.1.x (before NAT on 2600)
destination source IP = 192.168.1.x
so client believes destination is on the same subnet. Now if you could guarantee that the same 192.168.1.x was not in use at both sites it may work but it's messy and prone to error.
Best thing is to NAT both ends.
If both sides can initiate connections then you will need to use static NATs at either end. If only one side needs to initiate the connection then you need statics at that site and you can use dynamic NAT/PAT at the other.
This document shows the nat statement as static. Does the ACL prevent the static nat to always be used? I only want the traffic natted when it has to cross the tunnel. I think that's what the acl in this example is doing, but I wanted to make sure.
Sorry, but what do you mean by this "Does the ACL prevent the static nat to always be used?"
As a general answer to your query, you may well need to use Policy NAT on both the ASA and the 2600 to make sure the traffic is only NATted if it is going through the tunnel. It's not clear because I don't know what the rest of the config is on your devices.
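Putting the two replies above together (NAT at both ends, and policy NAT so that only tunnel-bound traffic is translated), here is an added configuration sketch that is not from this thread or from any Cisco document. It assumes LAN1 is mapped to 10.240.1.0/24 (the thread only names 10.230.1.0/24 for LAN2), ASA 8.3+ NAT syntax, and the interface, object and ACL names shown.

```cisco
! ---- 2600 (LAN2 side, IOS) ----
! Assumed interface roles: Fa0/0 faces LAN2, Fa0/1 carries the tunnel.
interface FastEthernet0/0
 ip nat inside
interface FastEthernet0/1
 ip nat outside
!
! Policy NAT: translate LAN2 only when the destination is LAN1's mapped range.
ip access-list extended LAN2-TO-LAN1
 permit ip 192.168.1.0 0.0.0.255 10.240.1.0 0.0.0.255
route-map VPN-POLICY-NAT permit 10
 match ip address LAN2-TO-LAN1
!
! Static 1:1 network translation so LAN1 can initiate toward LAN2 hosts too.
ip nat inside source static network 192.168.1.0 10.230.1.0 /24 route-map VPN-POLICY-NAT
!
! Crypto ACL matches the translated addresses: NAT runs before encryption.
ip access-list extended VPN-INTERESTING
 permit ip 10.230.1.0 0.0.0.255 10.240.1.0 0.0.0.255

! ---- ASA 5520 (LAN1 side, 8.3+ syntax) ----
object network LAN1-REAL
 subnet 192.168.1.0 255.255.255.0
object network LAN1-MAPPED
 subnet 10.240.1.0 255.255.255.0
object network LAN2-MAPPED
 subnet 10.230.1.0 255.255.255.0
!
! Twice (manual) NAT: LAN1 is rewritten to 10.240.1.0/24 only for flows whose
! destination is LAN2's mapped range; all other traffic is left untouched.
nat (inside,outside) source static LAN1-REAL LAN1-MAPPED destination static LAN2-MAPPED LAN2-MAPPED
!
! Crypto ACL again uses the mapped addresses on both sides.
access-list VPN-INTERESTING extended permit ip 10.240.1.0 255.255.255.0 10.230.1.0 255.255.255.0
```

On pre-8.3 ASA code the equivalent is the policy `static ... access-list` form the question refers to, and it is the ACL's destination of the peer's mapped range (10.230.1.0/24 here) that restricts the translation to tunnel traffic.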