
How to NAT my internal hosts for LAN-to-LAN VPN

dan hale
Level 3

Hi All, I have to connect an L2L to another company; however, they want us to NAT our internal hosts to another subnet. There may be some address conflicts on their side. They want us to NAT my 192.168.200.0 subnet to the 10.10.12.0 subnet. All Class Cs for the L2L.

               192.168.200.0 <---> ASA1 <-- Internet --> ASA2 <-- 192.168.10.0

               (10.10.12.0)

Any suggestions on how I can get this to work? I know that it will require some access lists, I'm just not 100% sure on the access lists, and I'm trying to minimize downtime. Right now we are just doing the standard NATing for inside hosts to a couple of global IP addresses for Internet traffic.

thanks...

Daniel

2 Accepted Solutions

Jennifer Halim
Cisco Employee

Here is what can be configured:

access-list static-to-L2L permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0

static (inside,outside) 10.10.12.0 access-list static-to-L2L

If you already have NAT exemption configured from 192.168.200.0/24 to 192.168.10.0/24, you would need to remove that because NAT exemption takes precedence over static translation.

Further to that, you would also need to change your crypto ACL to be sourced from 10.10.12.0/24 instead of 192.168.200.0/24, and the peer ASA also needs to change the crypto ACL to source from 192.168.10.0/24 towards 10.10.12.0/24 as follows:

Your crypto ACL: access-list cryptoACL permit ip 10.10.12.0 255.255.255.0 192.168.10.0 255.255.255.0

Peer crypto ACL: access-list cryptoACL permit ip 192.168.10.0 255.255.255.0 10.10.12.0 255.255.255.0

Hope that helps.


Hi Daniel,

On your ASA you will require the following:

access-list NAT permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0

static (in,out) 10.10.12.0 access-list NAT

access-list CRYPTO permit ip 10.10.12.0 255.255.255.0 192.168.10.0 255.255.255.0

The above configuration works like this:

There will be a translation from your internal network 192.168.200.0/24 when going to 192.168.10.0/24 to network 10.10.12.0/24

In other words, communication through the tunnel will be between 10.10.12.0/24 and 192.168.10.0/24

The CRYPTO ACL is defining the interesting traffic applied to the VPN.

Hope it helps.

Federico.

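Both answers above give the same two building blocks (a policy static NAT keyed on the partner destination, and a crypto ACL written on the mapped subnet). The following is an added example, not configuration from either answer, that puts those lines in context: the NAT exemption entry that has to be removed, the existing Internet PAT that stays, the crypto map and tunnel-group that actually bring the tunnel up, and the commands to verify the translation. The peer address 203.0.113.2, the ACL/object names, the transform set and the ISAKMP policy are assumptions for illustration; the subnets are the ones from the thread. The second half shows the same design in the 8.3-and-later NAT syntax, since the thread's "static ... access-list" form no longer exists on current ASA code.

```cisco
! Added example (not from the thread). Subnets are the thread's; peer IP,
! names, transform set and ISAKMP policy are assumptions.

! ================= ASA 8.2 and earlier (syntax used in the thread) =================
! 1. Remove any NAT exemption that covers the partner subnet. On 8.2 the
!    "nat 0 access-list" exemption is evaluated before static policy NAT,
!    so if this ACE stays, hosts enter the tunnel untranslated and never
!    match the crypto ACL below.
no access-list NONAT extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0

! 2. Policy static NAT: 192.168.200.0/24 -> 10.10.12.0/24, but only for traffic
!    whose destination is the partner LAN. A net-to-net static keeps the host
!    part, so 192.168.200.37 is seen by the partner as 10.10.12.37.
access-list NAT extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.255.0
static (inside,outside) 10.10.12.0 access-list NAT

! 3. The existing Internet PAT is untouched; anything not matching the
!    policy NAT above still uses it.
global (outside) 1 interface
nat (inside) 1 192.168.200.0 255.255.255.0

! 4. Crypto ACL on the MAPPED subnet. The peer's crypto ACL must be the exact
!    mirror image:  permit ip 192.168.10.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list CRYPTO extended permit ip 10.10.12.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <shared-secret>

! 5. Existing xlates keep the old mapping, so clear them, then trace a packet:
!    the NAT phase should show 192.168.200.37 -> 10.10.12.37 and the VPN
!    phase should show ENCRYPT with an ALLOW result.
clear xlate
packet-tracer input inside tcp 192.168.200.37 1025 192.168.10.20 445
show xlate | include 10.10.12
show crypto ipsec sa peer 203.0.113.2

! ================= ASA 8.3 and later (same design, new NAT syntax) =================
object network LAN-REAL
 subnet 192.168.200.0 255.255.255.0
object network LAN-MAPPED
 subnet 10.10.12.0 255.255.255.0
object network PARTNER-LAN
 subnet 192.168.10.0 255.255.255.0
! Manual (twice) NAT in section 1 is evaluated before object NAT, so it wins
! over the Internet PAT below. If an older identity rule for the same pair
! (source static LAN-REAL LAN-REAL destination static PARTNER-LAN PARTNER-LAN)
! sits above this line, remove it: section 1 is first-match.
nat (inside,outside) source static LAN-REAL LAN-MAPPED destination static PARTNER-LAN PARTNER-LAN
! Internet PAT for everything else
object network LAN-REAL
 nat (inside,outside) dynamic interface
! Crypto ACL on the mapped subnet, as before
access-list CRYPTO extended permit ip object LAN-MAPPED object PARTNER-LAN
```

Two things worth checking once the tunnel is up. First, the partner must route 10.10.12.0/24 into the tunnel and write their crypto ACL with it as the destination; a crypto ACL that is not a mirror image fails at Phase 2 with a proxy-identity mismatch. Second, by default `sysopt connection permit-vpn` lets decrypted traffic bypass the outside interface ACL, so once the tunnel is established every host in 192.168.10.0/24 can reach every host in 192.168.200.0/24 unless you restrict it with a `vpn-filter` in the group policy or disable that sysopt and filter on the outside ACL.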

3 Replies

dan hale
Level 3

Thanks guys, this was exactly what I needed.

-Daniel
