ASA L2L VPN NAT

We have a business partner that we are setting up a L2L VPN with.  Their internal host's IP overlaps with our internal IP range.  Unfortunately they're not offering to NAT on their side.  Is it possible on the ASA to setup a NAT so that my internal hosts go to say 1.1.1.1 and the ASA changes it to the remote end's internal address that is overlapping?


Accepted Solutions
Cisco Employee

Re: ASA L2L VPN NAT

If this is the scenario

192.168.5.0 <---> ASA1 <-- Internet --> ASA2 <-- 192.168.5.0

ASA1 (NAT will be applied)

ASA2 (No nat will be applied)

You will want to do something like this on ASA1

Change your source host or network to be 192.168.7.0 when communicating to the remote network. Change the remote network to come in as 192.168.8.0 when coming into your network on the ASA.

MATCH ACL:

!-- Match ACL

access-list acl_match_VPN permit ip 192.168.7.0 255.255.255.0 192.168.5.0 255.255.255.0

!--- NAT ACL

access-list vpn_nat permit ip 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0

!-- Translations

static (outside,inside) 192.168.7.0 192.168.5.0 netmask 255.255.255.0 0 0

static (inside,outside) 192.168.8.0 access-list vpn_nat

Now complete the VPN config using acl_match_VPN as the match ACL. Your internal host will need to use the 192.168.7.0 network when talking to the remote end.

Hope this helps.
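As an added illustration (not part of the thread or of Cisco's documentation), the script below checks an address plan for the one-sided NAT scenario above and emits the ASA1 statements in the same pre-8.3 static syntax, with the mapped networks assigned as the answer's prose describes (local network presented to the peer as 192.168.7.0, remote network presented to local hosts as 192.168.8.0). The function names, the overlap checks and the direction of each statement are my own assumptions; the policy NAT ACL is written the way the thread's vpn_nat ACL is, real local source to the remote network as inside hosts address it.

```python
from ipaddress import ip_network


def check_plan(local_real, remote_real, local_mapped, remote_mapped):
    """Return the problems with an address plan; an empty list means usable."""
    nets = {"local_real": ip_network(local_real),
            "remote_real": ip_network(remote_real),
            "local_mapped": ip_network(local_mapped),
            "remote_mapped": ip_network(remote_mapped)}
    problems = []
    if not nets["local_real"].overlaps(nets["remote_real"]):
        problems.append("real networks do not overlap: no NAT is needed")
    # Every mapped range must be disjoint from every other range in the plan;
    # otherwise neither the ASA nor your routing can tell translated from real.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if "mapped" in a + b and nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    # A net-to-net static is a 1:1 translation, so prefix lengths must agree.
    for side in ("local", "remote"):
        if nets[side + "_real"].prefixlen != nets[side + "_mapped"].prefixlen:
            problems.append(side + ": mapped prefix length differs from real")
    return problems


def asa_statements(local_real, remote_real, local_mapped, remote_mapped,
                   match_acl="acl_match_VPN", nat_acl="vpn_nat"):
    """ASA1 statements in the pre-8.3 'static' syntax used in the thread (assumed layout)."""
    problems = check_plan(local_real, remote_real, local_mapped, remote_mapped)
    if problems:
        raise ValueError("; ".join(problems))
    lr, rr = ip_network(local_real), ip_network(remote_real)
    lm, rm = ip_network(local_mapped), ip_network(remote_mapped)
    def acl(name, src, dst):
        return (f"access-list {name} permit ip {src.network_address} {src.netmask}"
                f" {dst.network_address} {dst.netmask}")
    return [
        # Crypto map match ACL: our post-NAT source to the peer's real network.
        acl(match_acl, lm, rr),
        # Policy NAT ACL: our real source to the peer as our hosts address it.
        acl(nat_acl, lr, rm),
        # static (real_ifc,mapped_ifc) mapped ...: inside hosts leave as lm.
        f"static (inside,outside) {lm.network_address} access-list {nat_acl}",
        # Outside NAT: the peer's real network is reachable from inside as rm.
        f"static (outside,inside) {rm.network_address} {rr.network_address}"
        f" netmask {rr.netmask} 0 0",
    ]
```

Calling asa_statements("192.168.5.0/24", "192.168.5.0/24", "192.168.7.0/24", "192.168.8.0/24") yields the four lines for the thread's addresses; a plan whose mapped ranges collide raises ValueError instead of producing a half-working config.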
