Cisco Support Community
Community Member

NAT inside Site to Site VPN

Hi All

How do I NAT my internal network to a different IP range before reaching the destination LAN?


6 REPLIES

Re: NAT inside Site to Site VPN

What device are you using?

Router or ASA?

Regards,

Daniel

Community Member

Re: NAT inside Site to Site VPN

Hi

We are using an ASA 5505, Version 7.2(2).

The other end is a data centre and they also use a Cisco ASA, Version 8.02.

I have done the L2L VPN and it is successful, as I can see below:

IKE Peer: 202.6.X.Y

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

However, they want us to NAT our LAN IP (192.168.10.0/24) to 172.16.20.0/27, although the actual IP of the data centre is 192.50.100.32/28.

1) Do I still need to use nat 0 for 192.168.10.0/24 to 192.50.100.32/28?

2) How do I use NAT to translate 192.168.10.0/24 to 172.16.20.0/27 before reaching the data centre via the VPN?

Thanks,

Janaka

Re: NAT inside Site to Site VPN

Hi,

No, you don't need NAT0 anymore and actually it is mandatory to remove it, as NAT0 takes precedence over the other NAT statements.

You should translate the whole subnet to one IP using policy-based NAT:

nat (inside) 10 access-list VPN-NAT
global (outside) 10 172.16.20.1
access-list VPN-NAT permit ip 192.168.10.0 255.255.255.0 192.50.100.32 255.255.255.240

The crypto map access-list:

access-list VPN permit ip host 172.16.20.1 192.50.100.32 255.255.255.240

To check the NAT:

sh xlate

To test the full setup use the "packet-tracer" command, which generates a bogus packet with the characteristics you want, passes it through all the ASA internal processes and shows you the result.

Please rate if this helped.

Regards,

Daniel
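The two access-lists in the answer above only work together if the policy NAT ACL actually matches the inside hosts and the crypto-map ACL then matches the translated source. The script below is an added example, not part of the thread and not Cisco code: it parses ASA-style "access-list NAME permit ip SRC MASK DST MASK" lines (ASA uses subnet masks, not IOS wildcard masks), applies the one-address policy PAT that "global (outside) 10 172.16.20.1" describes, and walks a sample packet through the same two checks a packet-tracer run would show. The sample ACL lines are constructed here; one copy carries a host mask (255.255.255.255) on the inside subnet, an easy mistake, and the other the /24 mask. The security point is that a packet which misses the NAT ACL keeps its private source, misses the crypto ACL too, and is therefore never selected for the IPsec tunnel.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample configuration modelled on the thread. VPN-NAT is the
# policy NAT ACL; VPN is the crypto-map ACL. The "broken" copy uses a host
# mask on the inside subnet, the "fixed" copy the /24 mask.
ACL_LINES_BROKEN = [
    "access-list VPN-NAT permit ip 192.168.10.0 255.255.255.255 192.50.100.32 255.255.255.240",
]
ACL_LINES_FIXED = [
    "access-list VPN-NAT permit ip 192.168.10.0 255.255.255.0 192.50.100.32 255.255.255.240",
]
CRYPTO_ACL = [
    "access-list VPN permit ip host 172.16.20.1 192.50.100.32 255.255.255.240",
]
# The single translated address from "global (outside) 10 172.16.20.1"
PAT_ADDRESS = "172.16.20.1"


@dataclass
class AceEntry:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse an ASA address spec at tokens[i]: 'host A', 'any', or 'A MASK'.
    Returns (network, index of the next token)."""
    tok = tokens[i]
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ASA ACLs take a subnet mask here (e.g. 255.255.255.0), not a wildcard mask
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME permit ip SRC DST' (the only form used here)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _parse_addr(tokens, 4)
    dst, _ = _parse_addr(tokens, i)
    return AceEntry(tokens[1], src, dst)


def acl_matches(entries, src_ip, dst_ip):
    """True if any ACE permits the src/dst pair (first-match semantics are
    irrelevant here because all sample ACEs are permits)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in e.src and d in e.dst for e in entries)


def simulate(nat_acl_lines, crypto_acl_lines, src_ip, dst_ip, pat_ip=PAT_ADDRESS):
    """Walk one packet through the two stages the thread describes:
    1. policy NAT: if VPN-NAT matches, the source becomes the PAT address;
    2. crypto map: the (translated) packet is tunnelled only if VPN matches.
    Returns (source address after NAT, selected_for_ipsec)."""
    nat_acl = [parse_ace(l) for l in nat_acl_lines]
    crypto_acl = [parse_ace(l) for l in crypto_acl_lines]
    translated = pat_ip if acl_matches(nat_acl, src_ip, dst_ip) else src_ip
    tunnelled = acl_matches(crypto_acl, translated, dst_ip)
    return translated, tunnelled


def crypto_acl_covers_nat(nat_acl_lines, crypto_acl_lines, pat_ip=PAT_ADDRESS):
    """Config sanity check: every destination the NAT ACL translates for must
    be matched by the crypto ACL with the PAT address as source."""
    crypto_acl = [parse_ace(l) for l in crypto_acl_lines]
    pat = ipaddress.ip_address(pat_ip)
    for e in (parse_ace(l) for l in nat_acl_lines):
        if not any(pat in c.src and e.dst.subnet_of(c.dst) for c in crypto_acl):
            return False
    return True


if __name__ == "__main__":
    for label, nat_lines in (("broken", ACL_LINES_BROKEN), ("fixed", ACL_LINES_FIXED)):
        print(label, "192.168.10.50 -> 192.50.100.40:",
              simulate(nat_lines, CRYPTO_ACL, "192.168.10.50", "192.50.100.40"))
    print("crypto ACL consistent with NAT ACL:",
          crypto_acl_covers_nat(ACL_LINES_FIXED, CRYPTO_ACL))
```

With the host mask only the network address 192.168.10.0 itself is translated; a real host such as 192.168.10.50 leaves the NAT stage untouched and never matches the crypto map, which is exactly what "sh xlate" (no entry) and "packet-tracer" (no VPN encapsulation) would reveal on the box.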

Community Member

Re: NAT inside Site to Site VPN

Hi Daniel

Do I need to use static translations like below as well?

static (inside,outside) 172.16.20.1 access-list VPN-NAT

Regards,

Janaka

Re: NAT inside Site to Site VPN

Hi,

No, static is used only for one-to-one translations.

Please rate if this helped.

Regards,

Daniel

Community Member

Re: NAT inside Site to Site VPN

Hi Daniel

It works now. However, there was a mismatch I found in the IPsec hash, and I corrected it to match the destination.

Regards,

Janaka
