NAT inside Site to Site VPN

janakamolagoda
Level 1

Hi All

How do I NAT my internal network to a different IP range before it reaches the destination LAN?


6 Replies

5220
Level 4

What device are you using?

Router or ASA?

Regards,

Daniel

Hi

We are using ASA 5505 Version 7.2(2)

The other end is a data centre, which also uses a Cisco ASA, Version 8.02.

I have configured the L2L VPN and it is successful, as I can see below:

IKE Peer: 202.6.X.Y

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

However, they want us to NAT our LAN IP range (192.168.10.0/24) to 172.16.20.0/27, although the actual IP range of the data centre is 192.50.100.32/28.

1) Do I still need to use nat 0 for 192.168.10.0/24 to 192.50.100.32/28?

2) How do I use NAT to translate 192.168.10.0/24 to 172.16.20.0/27 before it reaches the data centre via the VPN?

Thanks,

Janaka

Hi,

No, you don't need NAT0 anymore, and actually it is mandatory to remove it, as NAT0 takes precedence over the other NAT statements.

You should translate the whole subnet to one IP using policy-based NAT:

nat (inside) 10 access-list VPN-NAT

global (outside) 10 172.16.20.1

access-list VPN-NAT permit ip 192.168.10.0 255.255.255.0 192.50.100.32 255.255.255.240

The crypto map access-list:

access-list VPN permit ip host 172.16.20.1 192.50.100.32 255.255.255.240

To check the NAT:

sh xlate

To test the full setup, use the "packet-tracer" command, which generates a bogus packet with the characteristics you want, passes it through all the ASA internal processes and shows you the result.

Please rate if this helped.

Regards,

Daniel
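The ordering point in this answer (NAT exemption is evaluated before policy NAT, and the crypto map ACL is then matched against the translated packet) is easy to model. The following is an added example, not part of the thread or of any Cisco tool: it is a constructed Python model of that evaluation order using the thread's own addresses, and shows why leaving the old nat 0 entry in place means the traffic never matches "access-list VPN permit ip host 172.16.20.1 ...".

```python
import ipaddress

# Constructed model of the ASA 7.x NAT evaluation order described in the thread:
# nat 0 (exemption) is consulted first, then policy NAT (nat <id> access-list ...).
# The crypto map ACL is then evaluated against the post-NAT packet.

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def acl_matches(acl, src, dst):
    """acl is a list of (src_net, dst_net) permit entries."""
    return any(in_net(src, s) and in_net(dst, d) for s, d in acl)

def translate(src, dst, nat0_acl, policy_nat):
    """Return the post-NAT source address.
    policy_nat is a list of (acl, global_ip); the first matching entry wins."""
    if acl_matches(nat0_acl, src, dst):
        return src                      # exempted: leaves untranslated
    for acl, global_ip in policy_nat:
        if acl_matches(acl, src, dst):
            return global_ip            # PAT to the single global address
    return src                          # no rule matched: untranslated

def is_encrypted(src, dst, nat0_acl, policy_nat, crypto_acl):
    """Return (translated source, whether the crypto map ACL matches)."""
    xlated = translate(src, dst, nat0_acl, policy_nat)
    return xlated, acl_matches(crypto_acl, xlated, dst)

# Addresses from the thread (192.50.100.32/28 and 172.16.20.1 as posted).
VPN_NAT = [("192.168.10.0/24", "192.50.100.32/28")]        # access-list VPN-NAT
POLICY_NAT = [(VPN_NAT, "172.16.20.1")]                    # nat (inside) 10 + global (outside) 10
CRYPTO = [("172.16.20.1/32", "192.50.100.32/28")]          # access-list VPN (crypto map)
NAT0_OLD = [("192.168.10.0/24", "192.50.100.32/28")]       # the nat 0 entry the answer says to remove

def run():
    host, dc = "192.168.10.5", "192.50.100.40"             # constructed sample flow
    return {
        "with_nat0": is_encrypted(host, dc, NAT0_OLD, POLICY_NAT, CRYPTO),
        "without_nat0": is_encrypted(host, dc, [], POLICY_NAT, CRYPTO),
        "non_vpn": is_encrypted(host, "203.0.113.10", [], POLICY_NAT, CRYPTO),
    }
```

With nat 0 still present the packet keeps its 192.168.10.5 source, so the crypto ACL (host 172.16.20.1) never matches and the traffic goes out in the clear; with it removed the source becomes 172.16.20.1 and the flow is selected for the tunnel.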

Hi Daniel

Do I need to use static translations like the one below as well?

static (inside,outside) 172.16.20.1 access-list VPN-NAT

Regards,

Janaka

Hi,

No, static is used only for one-to-one translations.

Please rate if this helped.

Regards,

Daniel

Hi Daniel

It works now. However, there was a mismatch I found in the IPsec hash, and I corrected it to match the destination.

Regards,

Janaka
