New Member

VPN and NAT ASA 5510. NAT to a public IP to avoid overlapping private.

Customer has the same remote networks as some of my local networks. What is the best way to apply NAT across the tunnel?

172.16.x.x
  local 192.168.0.0
  Remote 192.168.0.0

172.17.x.x
  local 192.168.0.0
  Remote 192.168.0.0

LAN on both sides has 192.168.0.0/24

Currently, I have several tunnels that NAT networks and hosts to 10.50.70.10. I would like to understand how to properly NAT the tunnel traffic in the same manner using the ASA.

I've looked at documentation but it seems confusing.

Does anyone have a simple CLI config or ASDM example that may provide a working config I can play with?

Can I use the same NAT for multiple tunnels? This works on another device. It is like using PAT across the tunnel.

192.168.0.0 translated to 10.50.70.10

This isn't allowed in static policy NAT.

Whoever answers this will get ratings from the several hundred posts with the same questions.

2 REPLIES
Cisco Employee

Re: VPN and NAT ASA 5510. NAT to a public IP to avoid overlapping private.

Here is what I would do:

access-list NATVPN permit ip 192.168.0.0 255.255.255.0 172.17.0.0 255.255.255.0

ONE SIDE

static (inside,outside) 172.16.0.0 access-list NATVPN

The crypto ACL should look like:

access-list crypto permit ip 172.16.0.0 255.255.255.0 172.17.0.0 255.255.0.0

(OR HOWEVER THE MASK IS)

REMOTE SITE

access-list NATVPN permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0

ONE SIDE

static (inside,outside) 172.17.0.0 access-list NATVPN

The crypto ACL should look like:

access-list crypto permit ip 172.17.0.0 255.255.255.0 172.16.0.0 255.255.0.0

Give that a shot.
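
As an added illustration (not the poster's config and not Cisco's), the following Python helper generates the pre-8.3 ASA policy NAT and crypto ACL lines from the reply above for both sites and checks that the two crypto ACLs are exact mirrors of each other, since a source/destination or mask mismatch between the peers is a common cause of the tunnel's phase 2 never establishing. The ACL name NATVPN and the subnets come from the thread; the equal-size /24 mapped subnets and the inside/outside interface names are assumptions.

```python
import ipaddress

# Added example, not from the thread. Assumes each site hides its real
# 192.168.0.0/24 LAN behind a same-sized, non-overlapping "mapped" subnet
# (172.16.0.0/24 and 172.17.0.0/24 as in the reply) using pre-8.3 policy NAT.

def site_lines(acl_name, real_lan, mapped_lan, peer_mapped):
    """Return (nat_acl, static_line, crypto_acl) for one side of the tunnel.

    real_lan:    this site's actual LAN (overlaps the peer's LAN)
    mapped_lan:  the subnet this LAN appears as across the tunnel
    peer_mapped: the subnet the peer's LAN appears as (the peer's mapped_lan)
    """
    real = ipaddress.ip_network(real_lan)
    mapped = ipaddress.ip_network(mapped_lan)
    peer = ipaddress.ip_network(peer_mapped)
    if mapped.prefixlen != real.prefixlen:
        raise ValueError("static policy NAT needs equal-sized real and mapped subnets")
    if mapped.overlaps(peer):
        raise ValueError("the two mapped subnets must not overlap each other")
    # Policy NAT ACL: match real source talking to the peer's mapped network.
    nat_acl = (f"access-list {acl_name} permit ip "
               f"{real.network_address} {real.netmask} {peer.network_address} {peer.netmask}")
    # Static policy NAT: traffic matching the ACL is translated to mapped_lan.
    static = f"static (inside,outside) {mapped.network_address} access-list {acl_name}"
    # Crypto ACL sees only translated (mapped) addresses.
    crypto = (f"access-list crypto permit ip "
              f"{mapped.network_address} {mapped.netmask} {peer.network_address} {peer.netmask}")
    return nat_acl, static, crypto

def crypto_acls_mirror(crypto_a, crypto_b):
    """True when side B's crypto ACL is the exact src/dst mirror of side A's."""
    fa, fb = crypto_a.split(), crypto_b.split()
    # fields: access-list NAME permit ip SRC SRCMASK DST DSTMASK
    return fa[4:6] == fb[6:8] and fa[6:8] == fb[4:6]

def build_both_sites(lan="192.168.0.0/24", mapped_a="172.16.0.0/24", mapped_b="172.17.0.0/24"):
    a = site_lines("NATVPN", lan, mapped_a, mapped_b)
    b = site_lines("NATVPN", lan, mapped_b, mapped_a)
    return a, b, crypto_acls_mirror(a[2], b[2])

if __name__ == "__main__":
    a, b, ok = build_both_sites()
    print("\n".join(a), "\n")
    print("\n".join(b), "\n")
    print("crypto ACLs mirror each other:", ok)
```

Feeding the reply's own crypto ACLs (with the 255.255.0.0 destination masks) to crypto_acls_mirror returns False, which is exactly the mismatch to resolve before testing the tunnel.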

New Member

Re: VPN and NAT ASA 5510. NAT to a public IP to avoid overlapping private.

I'm working on trying this out. I feel confident about it and will let you know my results.

Do you know of any way to force a subnet...for example 192.168.0.0/24 to translate to a host... 10.70.50.2? This could be 172.17.0.2 as in the above issue. I'm looking to avoid the overlapping 192.168.0.0 networks.

Basically I'm looking for a many-to-one NAT/PAT to use across the tunnel.

362 Views · 0 Helpful · 2 Replies