Cisco Support Community
New Member

IPSec VPN and NAT

Does anyone know of a solution to this type of overlap issue? I have an ASA5520 that I use for firewall/VPN.

Let's say my inside network is 192.168.1.x/24.

I want to do a VPN to customer A. Customer A's network is 192.168.5.x/24.

No problems here. This VPN is up and running.

Now, customer B wants to come onboard and they use 192.168.5.x/24. Customer B is not willing to NAT at their firewall device.

Is there anything I can do either at my ASA5520 or possibly a router behind the ASA5520? Any help much appreciated.

5 REPLIES
Cisco Employee

Re: IPSec VPN and NAT

Hello Thomas,

NATting on your ASA is not going to work.

Even a router behind the 5520 will not do the job.

NATting has to be done on Customer B's side. Can't they do policy-based NATting?

- Gilbert

New Member

Re: IPSec VPN and NAT

Hi Gilbert,

The customer refuses to NAT at their firewall/VPN device.

Any thoughts?

Cisco Employee

Re: IPSec VPN and NAT

Thomas,

If they are refusing to NAT at their firewall, I am sure they are NATting their internal traffic to access the internet, right?

So, on your ACL for encryption they can just change their ACL to say:

access-l 100 per ip host 192.168.1.0 255.255.255.0

External IP: the IP to which the internal networks are NATted.

And on your side of the ASA, you can write the ACL as:

access-l 110 per ip 192.168.1.0 255.255.255.0 host

Let me know.

- Rate it, if it helps -

New Member

Re: IPSec VPN and NAT

I can see how this would work. However, there are multiple hosts on the remote network that we need to see as unique IP addresses.

Cisco Employee

Re: IPSec VPN and NAT

Thomas, I can think of only three choices.

1. Do policy NAT on the remote device. (Your customer does not want to do this) - Discard option

2. Normal NAT will work. - But you need unique IP addresses (Option can be discarded).

3. Get unique public IP address on the remote end and do static NAT.

Create the ACL for the public IP address and that should help you out.

This option has to be discarded if unique IP addresses can't be obtained.

Cheers,

Gilbert

- Rate it, if it helps -
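Added example, not part of the thread: a small Python check that models the overlap Thomas describes and Gilbert's third option (static 1:1 NAT of the remote hosts into a range that is unique on the ASA). The translated range 10.5.0.0/24 is an assumed placeholder, and the customer networks are constructed from the thread.

```python
import ipaddress
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed sample data from the thread: the ASA's inside network and the
# remote network each site-to-site peer wants reachable through its tunnel.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
PEER_NETS: Dict[str, IPv4Net] = {
    "customer_a": ipaddress.ip_network("192.168.5.0/24"),
    "customer_b": ipaddress.ip_network("192.168.5.0/24"),  # same range as A
}


def find_overlaps(local: IPv4Net, peers: Dict[str, IPv4Net]) -> List[Tuple[str, str]]:
    """Return every pair of names whose networks overlap ('local' is included).

    Two crypto ACL entries that select overlapping remote ranges are ambiguous:
    the ASA cannot decide which tunnel a packet for 192.168.5.10 belongs to.
    """
    nets = {"local": local, **peers}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def static_nat_map(remote: IPv4Net, translated: IPv4Net) -> Dict[str, str]:
    """One-to-one (static) mapping of each remote host into a unique range.

    Each remote host keeps its own identity (Thomas's requirement) while the
    crypto ACL on the ASA selects the translated range, not the overlapping one.
    """
    if remote.prefixlen != translated.prefixlen:
        raise ValueError("static 1:1 NAT needs equal-sized ranges")
    return {str(r): str(t) for r, t in zip(remote.hosts(), translated.hosts())}


def overlaps_after_nat(local: IPv4Net, peers: Dict[str, IPv4Net],
                       translations: Dict[str, IPv4Net]) -> List[Tuple[str, str]]:
    """Re-run the overlap check with NATted peers replaced by their translated ranges."""
    effective = {name: translations.get(name, net) for name, net in peers.items()}
    return find_overlaps(local, effective)


if __name__ == "__main__":
    print("before:", find_overlaps(LOCAL_NET, PEER_NETS))
    fix = {"customer_b": ipaddress.ip_network("10.5.0.0/24")}  # assumed unique range
    print("after :", overlaps_after_nat(LOCAL_NET, PEER_NETS, fix))
    print(static_nat_map(PEER_NETS["customer_b"], fix["customer_b"])["192.168.5.10"])
```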
