cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NAT issue with VPN Site ti Site (Remote LANs with IP address)

Hello

I have a ASA5510 to connect clients to my compagny. I use vpn ipsec site to site with different VPN equipments to the other side (Cisco, Sonicwall, Zyxel, Checkpoint ... ).

For every remote Lan I translate the network client in an only IP address

For instance

Client1 192.168.1.0/24    Dynamic PAT (hide)     a.b.c.1/24

Client2  172.16.0.0/16     Dynamic PAT (hide)     a.b.c.2/24

Client3  172.17.4.0/26     Dynamic PAT (hide)     a.b.c.3/24

...

Everything is working fine but now I have a new client with the same IP network as client1

I tried

Clientn 192.168.1.0/24    Dynamic PAT (hide)     a.b.c.n/24

But when I did it the client1 loose the connection and i had to remove the clientn network ...

Do you have an idea to permit same remote IP addresses to use VPN ?

For information i use ASDM to setupthe ASA.

Regards

Laurent

Sorry for my english ...

Everyone's tags (4)
4 REPLIES
New Member

NAT issue with VPN Site ti Site (Remote LANs with IP address)

Ask the client to nat their network to something you're not already using.  Unless they are accessing a network on your side that is different from the network client1 is accessing on your side.  If that is the case you could create a rule that states if traffic coming from client1 to network1 then PAT to this IP address.  If traffic from clientn to networkn, then PAT to this IP address. 

New Member

NAT issue with VPN Site ti Site (Remote LANs with IP address)

Thank you William but I can't ask clients to Nat their networks and they all connect to the same network on my side:

Client1 192.168.1.0/24 Dynamic PAT (hide) a.b.c.1/24 connect to w.x.y.0/24

Client2 192.168.1.0/24 Dynamic PAT (hide) a.b.c.2/24 connect to w.x.y.0/24

Client3 192.168.1.0/24 Dynamic PAT (hide) a.b.c.3/24 connect to w.x.y.0/24

Clientn 192.168.1.0/24 Dynamic PAT (hide) a.b.c.n/24 connect to w.x.y.0/24

At the beginning, I NAT the client's network to avoid that kind of problem and I don't anderstand why it is not working.

May I have to change the NAT type ?

Bronze

Re: NAT issue with VPN Site ti Site (Remote LANs with IP address

Hi Laurent,

I'm afraid the ASA is not built to do something like that. Even If you manage to configure several nat rules so that the remote VPN addresses are mapped to different address ranges on your inside the ASA will have dificulties to decide, which of the identical remote networks are be chosen.

On IOS you can do something like that, the features you might want to take a look at are VTI, vrf-light and vrf-aware NAT. The VTI is a tunnel interface which represents an IPsec connection to one of your customers and is associated with a vrf. The nat configuration just needs to adress the vrf in addition to the outside-global, outside-local addresses, ip nat inside/outside on the interfaces as usual. The classical crypto map is replaced by tunnel-src/dst and a tunnel protection profile.

That's the best I can think of...

MiKa

New Member

Re: NAT issue with VPN Site ti Site (Remote LANs with IP address

Hi Mika

I don't understand why the ASA has diffuculties to decide which remote networks to choose because the NAT IP address a.b.c.x is affect to just one client which is in only one crypto-map

Fron client

Client1 192.168.1.0/24 Crypto-map1 Dynamic PAT (hide) a.b.c.1 connect to w.x.y.x

Client2 192.168.1.0/24 Crypto-map2 Dynamic PAT (hide) a.b.c.2 connect to w.x.y.x

From my side

w.x.y.x response to a.b.c.1 in Crypto-map1 to 192.168.1.0/24 (Client1) 

w.x.y.x response to a.b.c.2 in Crypto-map2 to 192.168.1.0/24 (Client2)

The solution with VTI and VRF seems (to me) complicated to operate.

Laurent

571
Views
0
Helpful
4
Replies
CreatePlease to create content