Cisco Support Community
New Member

Question with L2L and NAT

Here is my dilemma:  


I have multiple remote sites that manage their own networks. A lot of these remote sites carry the same private IP range (192.168.1.x). I am wanting to take specific traffic, which I specify, and route it towards an ASA that's placed at the remote site. In that ASA I want to create a LAN-to-LAN tunnel to the head end (Central) site, where it can access its destination IPs (servers, etc.).

The problem is, I need to NAT somewhere in the stream since there will be multiple remote sites with the same IP scheme. Therefore, I need to NAT them before they get to the head end site or I will struggle routing the traffic back to them. I'm not sure where the NAT needs to take place. I'm assuming I need to NAT it within the remote ASA before it traverses the outside connection (internet). And if this is the case, how do I do the NAT in the ASA in order to translate each remote site into its own subnet?

Hopefully this makes sense!  

Thanks again for all your help and knowledge! You guys are pretty amazing!


Question with L2L and NAT

Yes, in case remote sites have the same IP address, you can NAT them to change their identity. This configuration will take place on the remote sites.

access-list POLICY_NAT extended permit ip  

static (inside,outside)    access-list POLICY_NAT

access-list OUTSIDE_CRYPTOMAP extended permit ip < destination (HQ) >

Based on this, on the HQ site you can create a crypto ACL in which the source would be the HQ subnet and the remote will be the NAT IP subnet.
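To make the reply above concrete, here is an added illustration (not configuration from the original post) of the same policy NAT plus crypto ACL approach carried through for two remote sites that both use 172.16.1.0/24. All addresses are constructed: the mapped subnets 10.200.1.0/24 and 10.200.2.0/24, the HQ server network 10.0.0.0/8, the peer IPs, and the pre-shared keys are placeholders, and the ISAKMP policy is omitted.

```cisco
! --- Remote site A ASA (pre-8.3 syntax, as in the reply) ---
! Policy NAT: hide the real LAN 172.16.1.0/24 behind 10.200.1.0/24,
! but only for traffic bound for the HQ server network 10.0.0.0/8.
access-list POLICY_NAT extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.0.0.0
static (inside,outside) 10.200.1.0 access-list POLICY_NAT
!
! The crypto ACL must match the translated source, not the real one,
! because NAT is applied before the packet is checked against the crypto map.
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.200.1.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address OUTSIDE_CRYPTOMAP
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key SITE-A-PSK-PLACEHOLDER
!
! --- Remote site B ASA: identical, except for its own mapped subnet ---
access-list POLICY_NAT extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.0.0.0
static (inside,outside) 10.200.2.0 access-list POLICY_NAT
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.200.2.0 255.255.255.0 10.0.0.0 255.0.0.0
!
! --- HQ ASA: one crypto map entry per peer, each with a unique remote subnet ---
access-list HQ_TO_SITE_A extended permit ip 10.0.0.0 255.0.0.0 10.200.1.0 255.255.255.0
access-list HQ_TO_SITE_B extended permit ip 10.0.0.0 255.0.0.0 10.200.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address HQ_TO_SITE_A
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address HQ_TO_SITE_B
crypto map OUTSIDE_MAP 20 set peer 198.51.100.20
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
! Return traffic to 10.200.1.x and 10.200.2.x now selects different SAs;
! the overlapping 172.16.1.0/24 never appears in any HQ-side policy.
```

The mapped subnets must be unique across every remote site and routable inside the HQ network, and if the HQ ASA itself translates inside traffic, the 10.200.x.x destinations need a NAT exemption so the server replies keep their real addresses entering the tunnel.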



New Member

Question with L2L and NAT

Hey Ajay,

Thanks for the reply. So, to complicate things a bit, is it possible to do the NAT on the central side?

For instance I have two remote agencies coming in as follows:

Site A (172.16.1.x) is trying to access a server at the central site, 10.x.x.50.

Site B (172.16.1.x) is also trying to access that same server.

My problem, I believe, is when site A comes inbound from the remote side to my central site ASA, I can NAT it to a unique subnet which I could route to in my internal network. This part works. However, when site B comes in (with the same local addresses), what prevents site B from getting NAT'd to site A's IP address? And will it find its way back?

The only reason this is such an issue is that we do not have control of the remote agencies' IP addresses, nor do we have control of the remote equipment. And the personnel at the remote agencies aren't always super tech savvy. So I'm trying to find a way in which they have very little part in the configuration.

Any help you can offer, or anyone for that matter, would be of great assistance!

Thanks again
