Cisco Support Community

New Member

NAT through site to site VPN on ASA 5510

We just implemented a site to site tunnel with another network and now need to NAT addresses from our LAN through the tunnel. I'm not sure how to do this correctly, and without breaking anything else.

The internal network is 172.16.0.0. The tunnel allows traffic between 1.1.0.0 and 2.2.0.0. I need to translate 172.16.0.0 to 2.2.0.0 to get to 1.1.0.0. Is there a way to do this on the ASA? Or do I need a router in front of the ASA to NAT addresses? Currently 172.16.0.0 is being NAT'd outbound to a global pool for internet traffic, and that needs to stay in place.

Thanks

2 REPLIES
Cisco Employee

Re: NAT through site to site VPN on ASA 5510

Create an ACL:

access-list policy_nat permit ip 172.16.0.0 255.255.0.0 1.1.0.0 255.255.0.0

Create a static NAT with policy:

static (inside,outside) 2.2.0.0 access-list policy_nat

And your crypto ACL will look like:

access-list cry_acl permit ip 2.2.0.0 255.255.0.0 1.1.0.0 255.255.0.0

That would not affect any other tunnel or the Internet traffic.

*Please rate if helped.

-Kanishka
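
The three lines above only work together if the crypto ACL describes the post-NAT flow (the ASA translates before it encrypts, so cry_acl must carry 2.2.0.0, not 172.16.0.0). The script below is an added example, not part of Kanishka's reply and not a Cisco tool: it parses the pre-8.3 `access-list` / `static ... access-list` syntax used in this thread, checks that the policy-NAT ACL, the static, and the crypto ACL agree, and shows what a single inside host is translated to. It assumes (as the reply intends) that the static maps the real subnet onto 2.2.0.0 keeping the real subnet's mask, and that net-to-net static NAT preserves the host bits. The config strings and the deliberately wrong `BAD_CONFIG` are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: the three commands from the reply (pre-8.3 ASA syntax).
CONFIG = """
access-list policy_nat permit ip 172.16.0.0 255.255.0.0 1.1.0.0 255.255.0.0
static (inside,outside) 2.2.0.0 access-list policy_nat
access-list cry_acl permit ip 2.2.0.0 255.255.0.0 1.1.0.0 255.255.0.0
"""

# Constructed mistake: crypto ACL written with the untranslated inside subnet,
# so the interesting traffic never matches after NAT and nothing gets encrypted.
BAD_CONFIG = """
access-list policy_nat permit ip 172.16.0.0 255.255.0.0 1.1.0.0 255.255.0.0
static (inside,outside) 2.2.0.0 access-list policy_nat
access-list cry_acl permit ip 172.16.0.0 255.255.0.0 1.1.0.0 255.255.0.0
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) access-list (\S+)$")


def parse(config):
    """Return ({acl_name: [(src_net, dst_net), ...]}, [(real_ifc, mapped_ifc, mapped_ip, acl_name), ...])."""
    acls, statics = {}, []
    for line in config.strip().splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            name, s_ip, s_mask, d_ip, d_mask = m.groups()
            # ipaddress accepts dotted-decimal masks, as the ASA CLI writes them.
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{s_ip}/{s_mask}"),
                ipaddress.ip_network(f"{d_ip}/{d_mask}"),
            ))
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groups())
    return acls, statics


def translated_flows(config):
    """Flows as they look after policy NAT: {(mapped_src_net, dst_net)}.
    Assumption of this model: the mapped subnet keeps the real subnet's mask."""
    acls, statics = parse(config)
    flows = set()
    for _real_ifc, _mapped_ifc, mapped_ip, acl_name in statics:
        for src, dst in acls.get(acl_name, []):
            flows.add((ipaddress.ip_network(f"{mapped_ip}/{src.prefixlen}"), dst))
    return flows


def check(config, inside_net, crypto_acl="cry_acl"):
    """Return a list of problems; an empty list means NAT and crypto ACL agree."""
    acls, statics = parse(config)
    inside = ipaddress.ip_network(inside_net)
    problems = []
    for _real_ifc, _mapped_ifc, _mapped_ip, acl_name in statics:
        if acl_name not in acls:
            problems.append(f"static references undefined ACL {acl_name}")
        for src, _dst in acls.get(acl_name, []):
            if src != inside:
                problems.append(f"{acl_name} source {src} is not the inside network {inside}")
    flows = translated_flows(config)
    entries = acls.get(crypto_acl, [])
    if not entries:
        problems.append(f"crypto ACL {crypto_acl} is missing")
    for src, dst in entries:
        if (src, dst) not in flows:
            problems.append(f"{crypto_acl} entry {src} -> {dst} matches no translated flow")
    return problems


def translate(real_ip, config):
    """Net-to-net static NAT keeps the host bits: mapped address for real_ip, or None."""
    acls, statics = parse(config)
    ip = ipaddress.ip_address(real_ip)
    for _real_ifc, _mapped_ifc, mapped_ip, acl_name in statics:
        for src, _dst in acls.get(acl_name, []):
            if ip in src:
                mapped = ipaddress.ip_network(f"{mapped_ip}/{src.prefixlen}")
                host_bits = int(ip) - int(src.network_address)
                return str(mapped.network_address + host_bits)
    return None


if __name__ == "__main__":
    print("good config:", check(CONFIG, "172.16.0.0/16") or "OK")
    print("bad config: ", check(BAD_CONFIG, "172.16.0.0/16"))
    print("172.16.5.10 leaves the tunnel as", translate("172.16.5.10", CONFIG))
```

Running it reports the good configuration as consistent, flags the crypto ACL entry `172.16.0.0/16 -> 1.1.0.0/16` in the bad one as matching no translated flow, and shows host 172.16.5.10 appearing to the far side as 2.2.5.10. The same host-bit rule is why the remote side needs a route (or its own crypto ACL entry) for 2.2.0.0/16 rather than 172.16.0.0/16.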

New Member

Re: NAT through site to site VPN on ASA 5510

Hi Kanishka,

static (inside,outside) 2.2.0.0 access-list policy_nat doesn't take. I get an error at policy_nat.

access-list policy_nat permit ip 172.16.0.0 255.255.0.0 1.1.0.0 255.255.0.0 is okay.

Any suggestions?

122 Views, 0 Helpful, 2 Replies