Cisco Support Community
ASA VPN Config - A question from the past :-)

Hi All

It's been "a while" since I've been near an ASA for VPN configuration purposes, indeed I think it was running 6.something and still called a Pix :-)

Anyhow, I (vaguely) remember it used to be the case that when you had an/some existing L2L ipsec VPN config and you wanted to change/add/whatever to it, planning in things like removing the crypto map from the outside interface first was A Good Idea if one wanted to avoid days of headscratching as to why a perfectly reasonable modification screwed the whole thing over - does that still apply, or is it all a bit more stable/forgiving nowadays?

Bonus question:

If you have a scenario, say, similar to "L2L with overlapping networks", is it possible to have a many-to-few policy NAT? For instance, instead of the example given in the config docs:

access-list policy-nat extended permit ip 172.18.1.0 255.255.255.0 192.168.1.0 255.255.255.0
static (inside,outside) 172.18.1.0 access-list policy-nat

is it possible in any way to run your internal network of 192.168.1.0 into a smaller range?
If not everything in the internal network will be going via VPN, could something like

access-list policy-nat extended permit ip 172.18.1.0 255.255.255.240 192.168.1.0 255.255.255.0

work?
Would that NAT...
...the first x addresses of the subnet, 1-to-1 (i.e. 192.168.1.1-14 > 172.18.1.1-14)
or
...the first addresses 'seen' to traverse the tunnel (which is what I'd like to happen) like maybe
192.168.1.212 -> 172.18.1.1
192.168.1.34 -> 172.18.1.2 etc... (and presumably tough luck if you're internal host #15)
or, as I suspect, is such a thing not even possible?

TIA

Kev

Circa 1994 :-)

1 REPLY
Re: ASA VPN Config - A question from the past :-)

Hi,

Yes, the ASA is much more stable with regard to the problem you referred to. To answer your second question, you may PAT the tunnel traffic to even a single IP address with a policy NAT statement, but then this will be a unidirectional tunnel.

Regards,

Nitin Agarwal
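As an added worked example (my own configuration, not Nitin's reply or Cisco's documentation), here is the many-to-one policy PAT the reply describes, written in the pre-8.3 ASA syntax the question uses. All addresses are assumptions: inside LAN 192.168.1.0/24, remote peer 203.0.113.2 presenting its overlapping LAN as 172.18.2.0/24, and our side presenting itself as the single address 172.18.1.1. The static 1:1 form from the question is shown commented out for comparison: static policy NAT always maps a range onto a range of the same size, so a /24 cannot be statically squeezed into a /28; many-to-few is only achievable with dynamic PAT, at the cost of the tunnel being initiable from our side only.

```cisco
! Added example (not from the thread). Pre-8.3 ASA syntax, matching the
! question. Assumed addresses: inside 192.168.1.0/24; remote peer 203.0.113.2
! presents its (overlapping) LAN as 172.18.2.0/24; we present ours as 172.18.1.1.

! 1) Policy ACL: real source, remote (mapped) destination. Only traffic bound
!    for the remote mapped network is translated, so the rest of the LAN is
!    untouched (the "not everything goes via VPN" case in the question).
access-list vpn-pat extended permit ip 192.168.1.0 255.255.255.0 172.18.2.0 255.255.255.0

! 2) Dynamic policy PAT: every inside host matching the ACL shares 172.18.1.1.
!    Translations are built as hosts are first "seen" heading for the tunnel,
!    which is the behaviour the question asks about. The price is that the
!    remote side cannot initiate to 192.168.1.x (there is no translation to
!    hit until an inside host opens one), so the tunnel is unidirectional.
nat (inside) 2 access-list vpn-pat
global (outside) 2 172.18.1.1

! 3) The crypto ACL uses the MAPPED address: NAT is applied before the crypto
!    map is consulted. The peer's crypto ACL must be the mirror image:
!      access-list ... permit ip 172.18.2.0 255.255.255.0 host 172.18.1.1
access-list outside_cryptomap extended permit ip host 172.18.1.1 172.18.2.0 255.255.255.0

! 4) Phase 1 / Phase 2 (pre-shared key is a placeholder, assumption).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-REAL-PSK

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! For comparison, the static 1:1 form from the question. The mapped range is
! always the same size as the ACL source range (a /24 maps to a /24), so this
! cannot do many-to-few; use the PAT above for that.
! access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 172.18.2.0 255.255.255.0
! static (inside,outside) 172.18.1.0 access-list policy-nat

! Checks after editing either ACL: existing SAs keep the old proxy IDs until
! they are cleared, so clear the peer's SAs rather than unbinding the whole
! crypto map from the interface (which drops every tunnel on it).
! show crypto ipsec sa peer 203.0.113.2
! clear crypto ipsec sa peer 203.0.113.2
! show xlate | include 172.18.1.1
```

The `show xlate` check is the quick way to confirm the "first seen" behaviour: the 172.18.1.1 entries appear only for inside hosts that have actually sent traffic towards 172.18.2.0/24, in whatever order they did so.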
