I have an ASA5510 to connect clients to my company. I use IPsec site-to-site VPN with different VPN equipment on the other side (Cisco, SonicWall, Zyxel, Check Point ...).
For every remote LAN I translate the client network to a single IP address:
Client1 192.168.1.0/24 Dynamic PAT (hide) a.b.c.1/24
Client2 172.16.0.0/16 Dynamic PAT (hide) a.b.c.2/24
Client3 172.17.4.0/26 Dynamic PAT (hide) a.b.c.3/24
Everything is working fine, but now I have a new client with the same IP network as client1:
Clientn 192.168.1.0/24 Dynamic PAT (hide) a.b.c.n/24
But when I did it, client1 lost the connection and I had to remove the clientn network ...
Do you have an idea how to permit the same remote IP addresses to use the VPN?
For information, I use ASDM to set up the ASA.
Sorry for my English ...
Ask the client to NAT their network to something you're not already using, unless they are accessing a network on your side that is different from the network client1 is accessing on your side. If that is the case, you could create a rule that states: if traffic is coming from client1 to network1, then PAT to this IP address; if traffic is coming from clientn to networkn, then PAT to this IP address.
Thank you William, but I can't ask clients to NAT their networks, and they all connect to the same network on my side:
Client1 192.168.1.0/24 Dynamic PAT (hide) a.b.c.1/24 connect to w.x.y.0/24
Client2 192.168.1.0/24 Dynamic PAT (hide) a.b.c.2/24 connect to w.x.y.0/24
Client3 192.168.1.0/24 Dynamic PAT (hide) a.b.c.3/24 connect to w.x.y.0/24
Clientn 192.168.1.0/24 Dynamic PAT (hide) a.b.c.n/24 connect to w.x.y.0/24
At the beginning, I NATed the clients' networks to avoid that kind of problem, and I don't understand why it is not working.
Do I have to change the NAT type?
I'm afraid the ASA is not built to do something like that. Even if you manage to configure several NAT rules so that the remote VPN addresses are mapped to different address ranges on your inside, the ASA will have difficulties deciding which of the identical remote networks is to be chosen.
On IOS you can do something like that; the features you might want to take a look at are VTI, VRF-lite and VRF-aware NAT. The VTI is a tunnel interface which represents an IPsec connection to one of your customers and is associated with a VRF. The NAT configuration just needs to address the VRF in addition to the outside-global and outside-local addresses, with ip nat inside/outside on the interfaces as usual. The classical crypto map is replaced by tunnel source/destination and a tunnel protection profile.
That's the best I can think of...
I don't understand why the ASA has difficulties deciding which remote network to choose, because the NAT IP address a.b.c.x is assigned to just one client, which is in only one crypto map:
Client1 192.168.1.0/24 Crypto-map1 Dynamic PAT (hide) a.b.c.1 connect to w.x.y.x
Client2 192.168.1.0/24 Crypto-map2 Dynamic PAT (hide) a.b.c.2 connect to w.x.y.x
From my side:
w.x.y.x responds to a.b.c.1 in Crypto-map1 to 192.168.1.0/24 (Client1)
w.x.y.x responds to a.b.c.2 in Crypto-map2 to 192.168.1.0/24 (Client2)
The solution with VTI and VRF seems (to me) complicated to operate.
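As an added illustration (not part of this thread and not ASA code), a small Python model of the two lookups the replies above disagree about: the crypto-map selection for a reply packet, under the assumption that the ASA un-translates the destination before matching crypto ACLs in sequence order (the same ordering that makes NAT exemption necessary for VPN traffic), beside a per-tunnel (VRF) lookup like the IOS VTI approach. All addresses are constructed stand-ins for the placeholders in the thread.

```python
import ipaddress

# Constructed stand-ins (RFC 5737 documentation ranges) for the thread's placeholders:
#   w.x.y.0/24 -> 198.51.100.0/24, a.b.c.1 -> 203.0.113.1, a.b.c.2 -> 203.0.113.2
LOCAL_NET = ipaddress.ip_network("198.51.100.0/24")   # the network on "my side"
REMOTE_NET = ipaddress.ip_network("192.168.1.0/24")   # both customers use this LAN

# Crypto maps in ascending sequence order: (seq, peer, local network, remote network).
# Their ACLs are written on real (pre-PAT) addresses, so the two entries are identical.
CRYPTO_MAPS = [
    (10, "client1-peer", LOCAL_NET, REMOTE_NET),
    (20, "client2-peer", LOCAL_NET, REMOTE_NET),
]

# Dynamic PAT xlates created by inbound customer traffic (constructed):
# (mapped address, mapped port) -> (real address, real port)
XLATES = {
    ("203.0.113.1", 1025): ("192.168.1.10", 40000),   # a host at client1
    ("203.0.113.2", 1025): ("192.168.1.10", 40000),   # a host at client2, same real IP
}

# Which hide address belongs to which tunnel (what the admin intends).
TUNNEL_OF_MAPPED = {"203.0.113.1": "client1-peer", "203.0.113.2": "client2-peer"}


def select_crypto_map(dst_mapped, dst_port):
    """Reply from w.x.y.0/24 towards a hide address: un-translate first
    (assumed order: NAT before crypto-ACL match), then take the first crypto
    map whose ACL covers the real destination. Only the sequence decides."""
    real_ip, _ = XLATES[(dst_mapped, dst_port)]
    real = ipaddress.ip_address(real_ip)
    for _seq, peer, _local, remote in CRYPTO_MAPS:
        if real in remote:
            return peer
    return None


def select_per_vrf_tunnel(dst_mapped, dst_port):
    """Model of the VTI/VRF alternative: the hide address identifies a VRF,
    and each VRF holds exactly one tunnel, so the identical remote networks
    never compete for the same lookup."""
    XLATES[(dst_mapped, dst_port)]          # the xlate is still consulted...
    return TUNNEL_OF_MAPPED[dst_mapped]     # ...but the VRF picks the tunnel


def misrouted_replies():
    """Hide addresses whose replies would leave through the wrong tunnel."""
    return [m for (m, p) in XLATES if select_crypto_map(m, p) != TUNNEL_OF_MAPPED[m]]
```

Running `misrouted_replies()` shows that replies to client2's hide address are handed to client1's crypto map, which matches the symptom in the first post.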