
How do I NAT inbound traffic from a site to site VPN?

OK, this is confusing me....

I have an ASA5520 and need to set up multiple VPNs to some vendor sites. All these vendors are using 192.168.1.0 networks. All have public IPs and very little knowledge so are unable to NAT from their end.

The idea is to create some /28 blocks of IPs (172.29.0.0/28) and manage this on our end.

How do I get this to work?

Thanks in advance....

Brent

Example: (all IPs are fictional)

tunnel1

VPN

My side "outside" 10.10.10.10

Their side "outside" 20.20.20.20

Networks

My side "inside" 172.30.30.0

Their side "inside" 192.168.1.0 NAT'ed to 172.29.0.0/28

tunnel2

VPN

My side "outside" 10.10.10.10

Their side "outside" 30.30.30.30

Networks

My side "inside" 172.30.30.0

Their side "inside" 192.168.1.0 NAT'ed to 172.29.0.16/28

tunnel3

VPN

My side "outside" 10.10.10.10

Their side "outside" 40.40.40.40

Network (single address)

My side "inside" 172.30.30.1 255.255.255.255

Their side "inside" 192.168.1.1 255.255.255.255 NAT'ed to 172.29.0.33 255.255.255.255


Re: How do I NAT inbound traffic from a site to site VPN?

Hi bbanderson,

If I am not wrong, we need to incorporate just a dynamic (or static, but more cumbersome to manage) NAT on the outside interface for the source address range:

ip nat outside source static or list command mapping the source subnet (192.168.1.0 in your case) to 172.29.0.0.

HTH

Cheers

Arun


Re: How do I NAT inbound traffic from a site to site VPN?

Arun,

Thank you for the quick reply.

I have one question, will that NAT handle multiple VPN tunnels? (see example above) including the direct IP to IP NAT listed as tunnel3 above? (the "NAT'ed" statement is an illustration of what I would like to do with each tunnel)

Thanks again,

Brent


Re: How do I NAT inbound traffic from a site to site VPN?

Hi bbanderson,

It can handle multiple VPN NATs.

All you've got to do is make multiple instances of the same crypto-map

like

     crypto-map crypto-map-name 1 peer-ip
     crypto-map crypto-map-name 1 transform-set ....etc, etc.
     crypto-map crypto-map-name 2
     crypto-map crypto-map-name 2 transform-set ....etc, etc.

for the different peers 10.10.10.10, 20.20.20.20, etc., and match the IP address to each access-list there under each map instance.

crypto map Outside_map0 3 match address - this can be taken as an example.

HTH

Cheers

Arun
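
The address plan from the original question, checked as an added example (not part of any poster's reply and not Cisco configuration): it verifies that the mapped blocks for the three tunnels do not collide with each other or with the local inside network, and shows which address a vendor host would appear as on the local side. The /24 mask on 172.30.30.0 and the /28 size of each vendor-side range are assumptions, since the thread does not state them.

```python
import ipaddress as ip

# Address plan from the question (the poster says all IPs are fictional).
# The real remote prefix length is not stated; each real side is sized here
# to match its mapped block (assumption), since a static mapping is 1:1.
PLAN = {
    "tunnel1": ("192.168.1.0/28", "172.29.0.0/28"),
    "tunnel2": ("192.168.1.0/28", "172.29.0.16/28"),
    "tunnel3": ("192.168.1.1/32", "172.29.0.33/32"),
}
LOCAL_INSIDE = "172.30.30.0/24"  # mask assumed; the post gives only 172.30.30.0


def check_plan(plan, local_inside):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    local = ip.ip_network(local_inside)
    nets = {}
    for name, (real, mapped) in plan.items():
        r, m = ip.ip_network(real), ip.ip_network(mapped)
        if r.num_addresses != m.num_addresses:
            problems.append(f"{name}: {r} and {m} differ in size, no 1:1 mapping")
        if m.overlaps(local):
            problems.append(f"{name}: mapped block {m} overlaps local {local}")
        for other, seen in nets.items():
            if m.overlaps(seen):
                problems.append(f"{name}: mapped block {m} overlaps {other} ({seen})")
        nets[name] = m
    return problems


def translate(plan, tunnel, real_host):
    """Map a vendor host to the address seen on the local side (offset-preserving)."""
    r, m = (ip.ip_network(n) for n in plan[tunnel])
    host = ip.ip_address(real_host)
    if host not in r:
        raise ValueError(f"{host} is outside {r}; it has no mapped address")
    return str(m.network_address + (int(host) - int(r.network_address)))


if __name__ == "__main__":
    print(check_plan(PLAN, LOCAL_INSIDE) or "plan OK")
    for t in ("tunnel1", "tunnel2"):
        print(t, "192.168.1.5 ->", translate(PLAN, t, "192.168.1.5"))
```

A /28 holds 16 addresses, so a vendor host outside the first 16 addresses of 192.168.1.0 has no slot in its mapped block and `translate` rejects it.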
