Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Multiple VPN's to different company's using the same ipaddressrange

Our Hospital needs many LAN to LAN VPN's to different other hospitals. Some of the other hospitals use the same private ip-range. We have ASA5510, most other hospitals have watchguard. Is it possible to solve this with natting ? Is there a way to define different natting for every tunnel ?

4 REPLIES
Cisco Employee

Re: Multiple VPN's to different company's using the same ipaddre

Yes, you can have the subnet natted specifically for this tunnel.

You can use policy based natting for this.

Its always a good idea to do NAT on both the ends, to avoid complexity in the config.

*Please rate if this helped.

-Kanishka

New Member

Re: Multiple VPN's to different company's using the same ipaddre

Could you give me a clue on how to configure this on ASA5510 ? I've been searching in asdm and as far as I can find out, In policy natting, I can filter on interface, on ipaddress and on protocol but not on tunnel ?

Cisco Employee

Re: Multiple VPN's to different company's using the same ipaddre

Giving you an example :

Let's say the network on both the ends is 192.168.1.0/24.

On Watchgaurd they nat it to 192.168.2.0/24.

On your side, say , yu nat it to 192.168.3.0/24

The policy nat statements would be like this:

1: Create an acl for to identify traffic :

access-list policy_nat 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Define a static NAT with policy :

static (inside,outside) 192.168.3.0 access-list policy_nat

And you crypto ACL would look like :

access-list cry_acl 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

You should be good to go !

*Please rate if helped.

-Kanishka

New Member

Re: Multiple VPN's to different company's using the same ipaddre

Thank you for your effort.

But my configuration is somewhat different. My subnet is 172.18.5.0/24 and I want 2 tunnels to 2 different company's that both use subnet 192.168.150.0/24.

I don't know if the watchguards at the other end can nat their source-ip to something different.

231
Views
4
Helpful
4
Replies
CreatePlease to create content