How to NAT across a VPN

risenshine4th
Level 1

Customer has the same remote networks as some of my local networks. What is the best way to apply NAT across the tunnel?

I'm trying to figure out how to set up "Tunnel NAT" or NAT across the tunnel.

192.168.x.x, 172.16.1.x local

192.168.x.x, 172.16.1.x remote

I'm new to the ASA 5510 style.

Any help or documents are appreciated by ratings.

John

5 Replies

risenshine4th
Level 1

Also,

I would like to NAT to 10.55.1.72

and the customer would NAT to the same in their config.

John, same principle along those lines as in the link posted by Steven.

Use policy NAT; reference this link for PIX/ASA L2L with overlapping nets.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Rgds

Jorge

Jorge Rodriguez

I'm also struggling with this same configuration, but I currently host 3 L2L configs and a couple of RAs.

The thing with Doc ID 99122, the PIX/ASA L2L with overlapping nets example, that confuses me is the statement:

global (outside) 1 172.19.1.1

I don't understand why that address is being used, as the outside address is 172.17.1.1, the addresses to NAT are 172.18.1.0.

What am I missing?

I believe this could be a typo. You are right in this section to understand the logic of it and find out what role 172.19.1.1 has here in the overlapping scenario, especially when your outside interface network is 172.17.1.0/24 in this example; you would assume that you already have in the FW:

global (outside) 1 172.17.1.1

nat (inside) 1 0 0

So I believe this statement from PIX-A should be:

global (outside) 1 172.17.1.1

or

global (outside) 1 interface

nat (inside) 1 0 0

and here the VPN traffic is already defined with the static policy NAT statement along with the ACL.

So if you look at the policy NAT in PIX-A, the static statement with the ACL is looked at first, and if the traffic matches the static policy NAT statement and its ACL it will go through the L2L tunnel; static NAT takes precedence over any dynamic NAT, so up to here the example in the link is fine. For non-VPN traffic like regular internet traffic it will use global 172.17.1.1, which is the outside interface IP address, not 172.19.1.1.

Paragraph in question:

global (outside) 1 172.19.1.1

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- The above statements will PAT the internet traffic

!--- except the VPN traffic using the IP address 172.19.1.1

So the above statement is simply saying that any host or network from the inside (nat (inside) 1 0 0) will be PATed/translated with 172.19.1.1 (global (outside)) for internet traffic, but the 172.19.1.0/24 network is not even routed through the FW outside interface.

I hope this makes sense, but whether someone agrees or not, comments are welcome.

Rgds

Jorge

Jorge Rodriguez
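The policy-NAT arrangement Jorge recommends in his two replies, written out as an added example; this is not configuration from the thread, from the OP's firewall, or from the Cisco document, and it uses the pre-8.3 nat/global syntax the thread is discussing. The addressing is assumed for illustration: the local real LAN 172.16.1.0/24 is presented to the tunnel as 10.55.1.0/24, the customer's overlapping 172.16.1.0/24 is reached by local hosts as 10.55.2.0/24, the peer address is 203.0.113.2, and the ACL, crypto map, transform-set and tunnel-group names are made up. The transform set and ISAKMP policy are assumed to exist already.

```cisco
! Added example, not from the original thread. Pre-8.3 ASA / PIX 7.x syntax.
! Assumed addressing (constructed for illustration):
!   local real LAN   172.16.1.0/24 -> presented to the tunnel as 10.55.1.0/24
!   remote real LAN  172.16.1.0/24 -> the customer presents it to us as 10.55.2.0/24
!   peer public IP   203.0.113.2
!
! 1. Policy static NAT: only traffic from the local LAN destined for the
!    customer's mapped range is translated to 10.55.1.0/24. The static policy
!    entry is evaluated before the dynamic nat/global pair, so it wins for
!    tunnel traffic; the mapped subnet size follows the ACL's source mask.
access-list POLICY-NAT-L2L extended permit ip 172.16.1.0 255.255.255.0 10.55.2.0 255.255.255.0
static (inside,outside) 10.55.1.0 access-list POLICY-NAT-L2L
!
! 2. The crypto ACL must match the post-translation addresses. It must never
!    reference the real 172.16.1.0/24, which exists on both sides.
access-list VPN-L2L extended permit ip 10.55.1.0 255.255.255.0 10.55.2.0 255.255.255.0
!
! 3. Everything else from inside is PATed to the outside interface address
!    for internet traffic (not to an address on an unrelated subnet).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! 4. Tunnel definition (transform set ESP-AES-SHA and ISAKMP policy assumed).
crypto map OUTSIDE-MAP 10 match address VPN-L2L
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <assumed-shared-secret>
```

The customer configures the mirror image: their policy NAT maps their 172.16.1.0/24 to 10.55.2.0/24 when the destination is 10.55.1.0/24, and their crypto ACL permits 10.55.2.0/24 to 10.55.1.0/24, so both crypto ACLs are exact mirrors. Local hosts then address the customer's systems as 10.55.2.x, never as 172.16.1.x. Two checks worth running: `packet-tracer input inside tcp 172.16.1.10 1025 10.55.2.20 80` should show the static policy translation to 10.55.1.10 and the VPN encrypt phase rather than the dynamic PAT, and `show xlate` after traffic should list the 172.16.1.x to 10.55.1.x entries. One caveat: on pre-8.3 code a NAT exemption (`nat (inside) 0 access-list ...`) is evaluated before any static, so an exemption ACL that also covers 172.16.1.0/24 toward 10.55.2.0/24 would silently bypass the policy NAT and the crypto ACL would never match.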