I have an asa 5520, and currently the box is primarily setup for vpn remote access scenario. The IP addresses for the remote clients are let's say in the range 192.168.1.0/24, assigned by Radius.
I currently have a no nat configuration, because I don't need nat so far.
Now I would like to setup multiple vpn site to site connections on the same box, and I would like to hide each vpn tunnel "customer" behind a single IP, so in my understanding I would like to make PAT.
The "customerA" should hide behind 192.168.1.129/25, CustomerB behind 192.168.1.130/25 etc.
In my understanding I need a nat 0 statement for no nat'ing the remote vpn users, and a nat 1 entry for nat'ing the vpn tunnel customer, and hide them.
Could anyone please give me some help and an example with this nat/pat issue.
Okay, that might be a problem. If you wanted to translate all customer source IP addresses to one of your 192.168.1.x/25 addresses then this would be relatively easy.
But it sounds from your answer that you want to present the customer network to your VPN clients as one IP address. This assumes that the connection will be initiated FROM your VPN clients.
And this is the problem. Let's say for argument's sake that one of your customer networks is 172.16.5.0/24. Additionally, within that network your vpn clients want to initiate connections to 172.16.5.10,11,20 & 50.
Now you present the whole 172.16.5.0/24 network as 192.168.1.130. A vpn client wants to talk to 172.16.5.20 and so it sends a packet to 192.168.1.130. How does the firewall know which 172.16.5.x address the vpn client wants to talk to?
The answer is it doesn't. For each of the 172.16.5.x hosts within the customer network you would need to use a 192.168.1.x address to present it to your internal vpn clients.
Note that if the connections are always initiated from the customer network then you can hide all their IP addresses behind one of your 192.168.1.x addresses.
I have vpn clients that will be assigned an IP address from the pool 192.168.1.1-126, and they should be able to access my corporate network without any nat translation. So I assume I need a nat0 statement.
Then I have site2site customers connected to my corporate network, and I would like to hide each separate customer behind a separate ip address, from the pool 192.168.1.129-254.
In my understanding I need a pat statement, that means an additional nat 1 entry.
Now I get confused with these two nat entries nat0 and nat1, and I could not figure out how to do this.
The vpn clients usually will not talk to the customer site to site vpn.
I have the net A that should not be translated, and I have ip addresses from pool B, that should hide customer networks, so that the source ip gets behind a NATed ip.
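An added configuration example (not from any poster in this thread) showing how the two NAT entries sit on different interfaces in the pre-8.3 ASA nat/global syntax the question uses. It assumes the corporate LAN is 10.0.0.0/8 behind an interface named "inside", that both the remote-access clients and the site-to-site tunnels terminate on "outside", that customer A's LAN is 172.16.5.0/24 (from the answer above) and customer B's is a constructed 172.16.6.0/24, and that the crypto map is named OUTSIDE_MAP; as the answer explains, this only hides a customer for connections the customer initiates.

```cisco
! Assumed: "inside" = corporate LAN 10.0.0.0/8, "outside" = where the VPN
! clients and the site-to-site tunnels terminate (pre-8.3 nat/global syntax).

! 1) nat 0 on the INSIDE interface: corporate <-> VPN client pool
!    192.168.1.1-126 passes untranslated in both directions (NAT exemption).
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.128
nat (inside) 0 access-list NONAT

! 2) Outside policy NAT on the OUTSIDE interface: each customer LAN is
!    hidden behind one address from 192.168.1.129-254 when it enters the
!    corporate LAN. A separate nat id per customer keeps the mappings apart.
!    Customer A = 172.16.5.0/24 (from the answer), customer B = 172.16.6.0/24 (constructed).
access-list CUSTA_PAT extended permit ip 172.16.5.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (outside) 1 access-list CUSTA_PAT outside
global (inside) 1 192.168.1.129

access-list CUSTB_PAT extended permit ip 172.16.6.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (outside) 2 access-list CUSTB_PAT outside
global (inside) 2 192.168.1.130

! 3) The crypto ACLs keep the REAL customer addresses: the hide address only
!    exists towards the corporate LAN, so the customer side still sees
!    10.0.0.0/8 <-> 172.16.5.0/24 as its encryption domain.
access-list CUSTA_VPN extended permit ip 10.0.0.0 255.0.0.0 172.16.5.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address CUSTA_VPN

! After changing NAT rules, clear existing translations and check the result:
!   clear xlate
!   show xlate | include 192.168.1.129
```

A corporate host then sees every connection from customer A as coming from 192.168.1.129, while the remote-access clients in 192.168.1.1-126 are never translated.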