Cisco Support Community
Community Member

How to Nat my internal hosts for Lan to Lan VPN

Hi All, I have to connect a L2L to another company; however, they want us to NAT our internal host to another subnet. There may be some address conflicts on their side. They want us to NAT my 192.168.200.0 subnet to 10.10.12.0 subnet. All class C's for the L2L.

               192.168.200.0 <---> ASA1 <-- Internet --> ASA2 <-- 192.168.10.0

               (10.10.12.0)

Any suggestions on how I can get this to work? I know that it will require some access lists, I'm just not 100% on the access lists, and I'm trying to minimize any downtime. Right now we are just doing the standard NATing for inside hosts to a couple of global IP addresses for Internet traffic.

thanks...

Daniel

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: How to Nat my internal hosts for Lan to Lan VPN

Here is what can be configured:

access-list static-to-L2L permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0

static (inside,outside) 10.10.12.0 access-list static-to-L2L

If you already have NAT exemption configured from 192.168.200.0/24 to 192.168.10.0/24, you would need to remove that because NAT exemption takes precedence over static translation.

Further to that, you would also need to change your crypto ACL to be sourced from 10.10.12.0/24 instead of 192.168.200.0/24, and the peer ASA also needs to change the crypto ACL to source from 192.168.10.0/24 towards 10.10.12.0/24 as follows:

Your crypto ACL: access-list cryptoACL permit ip 10.10.12.0 255.255.255.0 192.168.10.0 255.255.255.0

Peer crypto ACL: access-list cryptoACL permit ip 192.168.10.0 255.255.255.0 10.10.12.0 255.255.255.0

Hope that helps.

Re: How to Nat my internal hosts for Lan to Lan VPN

Hi Daniel,

On your ASA you will require the following:

access-list NAT permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0

static (in,out) 10.10.12.0 access-list NAT

access-list CRYPTO permit ip 10.10.12.0 255.255.255.0 192.168.10.0 255.255.255.0

The above configuration works like this:

There will be a translation from your internal network 192.168.200.0/24 to network 10.10.12.0/24 when going to 192.168.10.0/24.

In other words, communication through the tunnel will be between 10.10.12.0/24 and 192.168.10.0/24.

The CRYPTO ACL is defining the interesting traffic applied to the VPN.

Hope it helps.

Federico.
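Both answers describe the same order of operations on a pre-8.3 ASA: a policy static rewrites 192.168.200.x to 10.10.12.x only when the destination is 192.168.10.0/24, and the crypto ACL is then matched against the post-NAT source. The following Python model is an added example, not configuration or code from either poster; the Internet global address 203.0.113.10, the leftover nat 0 exemption rule and the host-bit-preserving behaviour of the net-to-net static are assumptions of the model.

```python
import ipaddress

# Constructed model of the NAT order for this thread's addressing.
INSIDE = ipaddress.ip_network("192.168.200.0/24")      # real inside subnet
PEER = ipaddress.ip_network("192.168.10.0/24")         # other company's subnet
TRANSLATED = ipaddress.ip_network("10.10.12.0/24")     # what the peer sees us as
GLOBAL_IP = ipaddress.ip_address("203.0.113.10")       # assumed Internet NAT address

# "static (inside,outside) 10.10.12.0 access-list static-to-L2L":
# match (src net, dst net), rewrite the source into the translated net, host bits kept.
POLICY_STATIC = [(INSIDE, PEER, TRANSLATED)]
# Local crypto ACL "permit ip 10.10.12.0/24 192.168.10.0/24": uses post-NAT addresses.
CRYPTO_ACL = [(TRANSLATED, PEER)]


def translate(src, dst, exemptions=()):
    """Pick the outbound source: nat 0 exemption first, then policy static, then dynamic."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(src in s and dst in d for s, d in exemptions):
        return src, "exempt"                       # exemption wins, address unchanged
    for m_src, m_dst, new_net in POLICY_STATIC:
        if src in m_src and dst in m_dst:
            offset = int(src) - int(m_src.network_address)
            return new_net.network_address + offset, "static"
    return GLOBAL_IP, "dynamic"                    # ordinary Internet traffic


def untranslate(dst):
    """Return path: map a 10.10.12.x destination arriving from the tunnel back to 192.168.200.x."""
    dst = ipaddress.ip_address(dst)
    for m_src, _, new_net in POLICY_STATIC:
        if dst in new_net:
            return str(m_src.network_address + (int(dst) - int(new_net.network_address)))
    return str(dst)


def forward(src, dst, exemptions=()):
    """Return (source seen on the outside, NAT rule used, whether the crypto ACL matches)."""
    new_src, rule = translate(src, dst, exemptions)
    in_tunnel = any(new_src in s and ipaddress.ip_address(dst) in d for s, d in CRYPTO_ACL)
    return str(new_src), rule, in_tunnel


if __name__ == "__main__":
    print(forward("192.168.200.5", "192.168.10.7"))      # ('10.10.12.5', 'static', True)
    print(forward("192.168.200.5", "198.51.100.1"))      # ('203.0.113.10', 'dynamic', False)
    # Leftover nat 0 exemption: source stays 192.168.200.5 and the crypto ACL no longer matches.
    print(forward("192.168.200.5", "192.168.10.7", [(INSIDE, PEER)]))
    print(untranslate("10.10.12.5"))                     # 192.168.200.5
```

The third call shows the caveat from the first answer: with the exemption still present, the packet leaves untranslated and falls outside the crypto ACL, so it never enters the tunnel.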

3 REPLIES
Community Member

Re: How to Nat my internal hosts for Lan to Lan VPN

Thanks guys, this was exactly what I needed.

-Daniel

561 Views · 10 Helpful · 3 Replies