We have created a new VPN tunnel to a 3rd party site and must NAT the traffic. We already have VPN tunnels terminating on our ASA. I've listed the relevant parts of the configuration below.
nat (inside) 0 access-list INSIDE_NAT0_OUTBOUND
nat (inside) 1 access-list INSIDE_NAT1_OUTBOUND
nat (inside) 2 0.0.0.0 0.0.0.0
access-list INSIDE_NAT0_OUTBOUND extended permit ip 10.0.0.0 255.0.0.0 10.192.0.0 255.255.0.0
access-list INSIDE_NAT1_OUTBOUND extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list INSIDE_NAT1_OUTBOUND extended permit ip 172.28.0.0 255.255.0.0 192.168.1.0 255.255.255.0
global (outside) 1 10.231.0.225-10.231.0.254
global (outside) 2 interface
The access list assigned to the VPN is:
access-list 3rd-party-vpn extended permit ip 10.231.0.224 255.255.255.224 192.168.1.0 255.255.255.0
Basically, we want traffic from our 10.x.x.x and 172.28.x.x networks destined for 192.168.1.0 255.255.255.0 to be translated to 10.231.0.224/27. We have managed to establish a tunnel, but are unable to connect to resources on the 3rd party site.
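A consistency check over the fragments posted above, added here as an example and not part of the original post. It confirms that the global pool for NAT ID 1 lies inside the source network of the crypto ACL, and that no NAT-exemption entry also matches the policy-NAT flows (on this pre-8.3 syntax, `nat 0 access-list` is evaluated before policy NAT). The function names are hypothetical, and only the line formats shown in the post are parsed.

```python
import ipaddress as ip

# Config lines copied from the post; nothing here is constructed.
CONFIG = """\
access-list INSIDE_NAT0_OUTBOUND extended permit ip 10.0.0.0 255.0.0.0 10.192.0.0 255.255.0.0
access-list INSIDE_NAT1_OUTBOUND extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list INSIDE_NAT1_OUTBOUND extended permit ip 172.28.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 3rd-party-vpn extended permit ip 10.231.0.224 255.255.255.224 192.168.1.0 255.255.255.0
global (outside) 1 10.231.0.225-10.231.0.254
"""

def parse(config):
    """Return ({acl_name: [(src_net, dst_net), ...]}, {nat_id: (first, last)})."""
    acls, pools = {}, {}
    for line in config.splitlines():
        f = line.split()
        if f[:1] == ["access-list"] and f[2:5] == ["extended", "permit", "ip"]:
            src = ip.ip_network(f"{f[5]}/{f[6]}")
            dst = ip.ip_network(f"{f[7]}/{f[8]}")
            acls.setdefault(f[1], []).append((src, dst))
        elif f[:2] == ["global", "(outside)"] and "-" in f[3]:
            first, last = (ip.ip_address(a) for a in f[3].split("-"))
            pools[f[2]] = (first, last)
    return acls, pools

def pool_in_crypto_acl(pool, crypto_entries):
    """True if the whole pool range is a source the crypto ACL selects."""
    first, last = pool
    return any(first in src and last in src for src, _ in crypto_entries)

def exempt_overlaps(nat0_entries, policy_entries):
    """Policy-NAT flows that a NAT-exemption entry would match first."""
    return [(p, e) for p in policy_entries for e in nat0_entries
            if p[0].overlaps(e[0]) and p[1].overlaps(e[1])]

def check(config):
    """Run both checks against the ACL and pool names used in the post."""
    acls, pools = parse(config)
    return {
        "pool_in_crypto_acl": pool_in_crypto_acl(pools["1"], acls["3rd-party-vpn"]),
        "exempt_overlaps": exempt_overlaps(acls["INSIDE_NAT0_OUTBOUND"],
                                           acls["INSIDE_NAT1_OUTBOUND"]),
    }

if __name__ == "__main__":
    print(check(CONFIG))
```

Both checks pass for the posted fragments, so they only rule out a mismatch between the NAT pool, the exemption ACL and the crypto ACL on this side of the tunnel.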