Doing NAT for VPN clients going over L2L tunnel

IgorHamzic
Level 1

Hi. I have the following situation in my network. We have a need for users who connect to our site with VPN clients to connect to another site via an L2L tunnel. The problem is that I need to NAT the addresses from the VPN client pool to another range before going over the L2L tunnel, because on the other side we have overlapping networks.

I have been trying to do NAT along the following lines with little success:

ACL for NAT of VPN pool:

access-list TEST extended permit ip 192.168.253.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list TEST extended permit ip 192.168.253.0 255.255.255.0 192.168.5.0 255.255.255.0

NAT:

global (outside) 15 172.20.105.1-172.20.105.254
nat (inside) 15 access-list TEST

CRYPTO ACL:

access-list RO extended permit ip LAN 255.255.0.0 192.168.0.0 255.255.255.0
access-list RO extended permit ip LAN 255.255.0.0 192.168.5.0 255.255.255.0
access-list RO extended permit ip 172.20.105.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list RO extended permit ip 172.20.105.0 255.255.255.0 192.168.5.0 255.255.255.0

same-security-traffic permit intra-interface

Am I missing something here? Can something like this be done at all?

Thanks in advance for any help.

We are using ASA 5510 with software version 8.0(3)6.

2 Replies

acomiskey (accepted solution)
Level 10

You need to nat on the outside, not the inside.

nat (outside) 15 access-list TEST

Thanks. I did it already. I realized, with the help of a friend, that I was using the wrong logic for the NAT and changed it.

Now I can get ping across the L2L tunnel from the VPN client without fail.

Thanks for the reply though.
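For reference, here is the complete configuration the thread converges on, written out as an added example rather than copied from either poster. It keeps the ACL names, address ranges and interface names from the original post; `LAN` is the poster's placeholder for the internal network and would normally be a `name` entry or a literal network address. The syntax is the pre-8.3 NAT model that the 8.0(3) code on the ASA 5510 uses, and the verification commands at the end are standard ASA commands, not part of the original thread.

```text
! Added example, not from the original thread. ASA 8.0 (pre-8.3 NAT syntax).

! Remote-access VPN clients terminate on the outside interface, so their
! decrypted traffic both enters and leaves the ASA on outside. The hairpin
! must be permitted explicitly.
same-security-traffic permit intra-interface

! Policy NAT match: VPN client pool to the two remote networks only.
! Traffic from the pool to anything else is left untouched by this rule.
access-list TEST extended permit ip 192.168.253.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list TEST extended permit ip 192.168.253.0 255.255.255.0 192.168.5.0 255.255.255.0

! The nat statement names the interface the flow ARRIVES on. Decrypted VPN
! client traffic arrives on outside, so "nat (inside) 15 ..." never sees it;
! it has to be "nat (outside) 15 ...". The global pool is on outside as well,
! which is where the L2L tunnel is also terminated.
nat (outside) 15 access-list TEST
global (outside) 15 172.20.105.1-172.20.105.254

! The crypto ACL is evaluated against post-NAT addresses, so it lists the
! translated range 172.20.105.0/24, not the 192.168.253.0/24 client pool.
! LAN is the poster's placeholder for the internal /16.
access-list RO extended permit ip LAN 255.255.0.0 192.168.0.0 255.255.255.0
access-list RO extended permit ip LAN 255.255.0.0 192.168.5.0 255.255.255.0
access-list RO extended permit ip 172.20.105.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list RO extended permit ip 172.20.105.0 255.255.255.0 192.168.5.0 255.255.255.0

! Verification (assumed client address 192.168.253.10, assumed remote host
! 192.168.0.10): the trace should show the NAT phase picking rule 15 and
! the VPN phase matching access-list RO, then the xlate and IPsec SA
! should appear for the translated range.
packet-tracer input outside icmp 192.168.253.10 8 0 192.168.0.10 detailed
show xlate
show crypto ipsec sa
```

Two things to check before blaming the rule itself. First, NAT exemption (`nat (outside) 0 access-list ...`) is evaluated ahead of policy NAT on this code, so if an existing exemption list also matches pool-to-remote traffic the policy NAT above is never reached and the packets hit the crypto map with their untranslated pool address. Second, the far end of the L2L tunnel must mirror the change: its crypto ACL has to permit its local networks to 172.20.105.0/24, since that is the source address it will now see.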