NAT through site-to-site VPN on ASA 5510

0rsnaric
Level 1

We just implemented a site-to-site tunnel with another network and now need to NAT addresses from our LAN through the tunnel. Not sure how to do this correctly and without breaking anything else.

The internal network is 172.16.0.0. The tunnel allows traffic between 1.1.0.0 and 2.2.0.0. I need to translate 172.16.0.0 to 2.2.0.0 to get to 1.1.0.0. Is there a way to do this on the ASA, or do I need a router in front of the ASA to NAT addresses? Currently 172.16.0.0 is being NAT'd outbound to a global pool for Internet traffic, and that needs to stay in place.

Thanks

2 Replies

kaachary
Cisco Employee

Create an ACL:

access-list policy_nat permit ip 172.16.0.0 255.255.0.0 1.1.0.0 255.255.0.0

Create a static NAT that references the policy ACL:

static (inside,outside) 2.2.0.0 access-list policy_nat

And your crypto ACL will look like:

access-list cry_acl permit ip 2.2.0.0 255.255.0.0 1.1.0.0 255.255.0.0

That would not affect any other tunnel or the Internet traffic.

*Please rate if this helped.

-Kanishka
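As an added example (not part of the original reply), here is the reply's policy static NAT placed into a complete pre-8.3 ASA configuration, together with the Internet NAT rule the original poster must keep and the checks that confirm which translation a flow actually hits. Everything except the three networks from the thread is assumed: the global pool 203.0.113.10-203.0.113.20, the VPN peer 198.51.100.1, the crypto map name outside_map, the transform-set name ESP-AES-SHA and the sample hosts in the packet-tracer lines are all illustrative.

```cisco
! --- Policy NAT toward the remote VPN network (ASA 8.2 and earlier syntax) ---
! The ACL defines WHICH flows are translated: only LAN traffic whose destination
! is the remote network 1.1.0.0/16. Anything else from 172.16.0.0/16 never matches it.
access-list policy_nat extended permit ip 172.16.0.0 255.255.0.0 1.1.0.0 255.255.0.0

! Net-to-net static policy NAT: 172.16.x.y appears as 2.2.x.y toward the peer.
! The mask is taken from the ACL source (/16), so the mapped block must be the
! same size as the real block. Static NAT is bidirectional, so replies from
! 1.1.0.0/16 to 2.2.x.y are untranslated back to 172.16.x.y automatically.
static (inside,outside) 2.2.0.0 access-list policy_nat

! --- Existing Internet translation, left exactly as it was ---
! NAT order of operations on pre-8.3 ASA: nat 0 (exemption), then static policy
! NAT, then regular static, then dynamic policy NAT, then regular nat/global.
! Because the static policy rule above is evaluated first, Internet-bound flows
! (destination not 1.1.0.0/16) fall through to this dynamic rule unchanged.
! Pool addresses are assumed (203.0.113.0/24 is a documentation range).
nat (inside) 1 172.16.0.0 255.255.0.0
global (outside) 1 203.0.113.10-203.0.113.20

! --- Crypto ACL and crypto map ---
! NAT is applied before the crypto map is consulted on the egress interface,
! so the crypto ACL must match the TRANSLATED (mapped) addresses, not 172.16.0.0.
! The remote side's crypto ACL must be the mirror image (1.1.0.0/16 -> 2.2.0.0/16)
! and the remote side must route 2.2.0.0/16 into the tunnel.
access-list cry_acl extended permit ip 2.2.0.0 255.255.0.0 1.1.0.0 255.255.0.0

! Peer address, map name and transform-set name are assumed for illustration.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address cry_acl
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! --- Verification (sample hosts are assumed) ---
! 1. A flow toward the remote network should show the policy static NAT rule
!    being hit and the VPN encrypt phase being taken:
packet-tracer input inside tcp 172.16.1.10 12345 1.1.1.10 80 detailed
! 2. A flow toward the Internet should hit the nat/global rule instead and
!    take no VPN phase at all:
packet-tracer input inside tcp 172.16.1.10 12345 8.8.8.8 443 detailed
! 3. Live translations for the tunnel side appear as 2.2.x.y entries:
show xlate | include 2.2.
! 4. Confirm the tunnel negotiated the mapped proxy identities (2.2.0.0/16 <-> 1.1.0.0/16):
show crypto ipsec sa peer 198.51.100.1
```

Two practical caveats. First, this is the static/nat/global syntax that the thread is using; ASA 8.3 and later replaced it with object-based NAT, where the same result is a manual (twice) NAT rule of the form nat (inside,outside) source static LAN_REAL LAN_MAPPED destination static REMOTE_NET REMOTE_NET, with the Internet rule expressed as object NAT on LAN_REAL. Second, if the static command is rejected, the usual causes are a mapped block whose size does not match the ACL source mask, or an existing static or nat 0 rule that already covers 172.16.0.0/16; show running-config static and show running-config nat list the rules that could be in conflict.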

Hi Kanishka,

static (inside,outside) 2.2.0.0 access-list policy_nat doesn't take. I get an error at policy_nat.

access-list policy_nat permit ip 172.16.0.0 255.255.0.0 1.1.0.0 255.255.0.0 is okay.

Any suggestions?
