Cisco Support Community

New Member

Site to Site VPN - NAT Internal Network

Hello All,

I have a site to site VPN setup (both sites have Cisco ASAs) where my internal network is 192.168.1.0/24 and the other site's internal network happens to be the exact same network. Is there a way that I can NAT my internal addresses to 172.18.1.0/24 and have that work? It should then allow both sites to communicate successfully. Thank you.

1 ACCEPTED SOLUTION
Super Bronze

Site to Site VPN - NAT Internal Network

Hi,

You will have to NAT at both ends of the L2L VPN connection. This is because even if you NAT the other end to a different network it will still mean that this site would have to connect to a destination address that is seemingly in its own network and the connections would fail.

The configuration format depends on your ASAs' software level.

Software 8.2 (and below)

access-list L2LVPN-POLICYNAT remark Policy NAT for L2L VPN
access-list L2LVPN-POLICYNAT permit
static (inside,outside) access-list L2LVPN-POLICYNAT

Software 8.3 (and above)

object network LAN
 subnet
object network LAN-NAT
 subnet
object network REMOTE
 subnet
nat (inside,outside) source static LAN LAN-NAT destination static REMOTE REMOTE

Do note to use the correct networks in the above statements. The destination network in the configurations is naturally the NAT network the other site is using.

In the same way you will have to make sure that your L2L VPN connection's crypto ACL uses the local NAT network as the source and the remote NAT network as the destination.

Hope this helps

- Jouni
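As an added worked example (not part of the thread, and not Jouni's or Cisco's code), the script below builds the ASA 8.3+ "source static ... destination static ..." configuration the accepted answer describes for both ends of the tunnel, and first checks the plan for the mistakes that make such a setup fail silently: NAT networks that overlap each other, a NAT network that overlaps its own real LAN, or NAT and real networks of different sizes (the static network-to-network translation is one-to-one). Everything beyond the question's own numbers is an assumption: the remote site is assumed to NAT to 172.18.2.0/24, the object and ACL names (LAN, LAN-NAT, REMOTE-NAT, L2L-CRYPTO), the crypto map name OUTSIDE-MAP, and the peer addresses are constructed placeholders from the documentation ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    real_lan: ipaddress.IPv4Network  # addresses hosts really use
    nat_lan: ipaddress.IPv4Network   # addresses the peer sees across the tunnel
    outside_ip: str                  # this site's tunnel endpoint (placeholder)


def make_site(name: str, real_lan: str, nat_lan: str, outside_ip: str) -> Site:
    """Build a Site from CIDR strings."""
    return Site(name, ipaddress.ip_network(real_lan), ipaddress.ip_network(nat_lan), outside_ip)


def check_plan(local: Site, remote: Site) -> None:
    """Reject NAT plans that cannot work, before any config is produced."""
    # The tunnel carries only NAT addresses, so the two NAT networks must differ.
    if local.nat_lan.overlaps(remote.nat_lan):
        raise ValueError(f"NAT networks overlap: {local.nat_lan} vs {remote.nat_lan}")
    for site in (local, remote):
        # A NAT network inside the real LAN would collide with local hosts.
        if site.real_lan.overlaps(site.nat_lan):
            raise ValueError(f"{site.name}: NAT network {site.nat_lan} overlaps LAN {site.real_lan}")
        # 'nat source static' between two network objects is a one-to-one
        # netmask mapping, so both networks must be the same size.
        if site.real_lan.prefixlen != site.nat_lan.prefixlen:
            raise ValueError(f"{site.name}: LAN and NAT network differ in size")
    # The real LANs overlapping each other is the case this NAT exists for; allowed.


def mask(net: ipaddress.IPv4Network) -> str:
    """ASA writes networks as 'address netmask', not CIDR."""
    return f"{net.network_address} {net.netmask}"


def asa_config(local: Site, remote: Site) -> list[str]:
    """ASA 8.3+ lines for ONE side. The destination object is the peer's NAT
    network (never its real LAN) and the crypto ACL matches NAT addresses on
    both sides, as the accepted answer prescribes. Names are assumed."""
    check_plan(local, remote)
    return [
        "object network LAN",
        f" subnet {mask(local.real_lan)}",
        "object network LAN-NAT",
        f" subnet {mask(local.nat_lan)}",
        "object network REMOTE-NAT",
        f" subnet {mask(remote.nat_lan)}",
        # Twice NAT: translate our source to LAN-NAT only when the destination
        # is the peer's NAT network; the destination itself stays unchanged.
        "nat (inside,outside) source static LAN LAN-NAT destination static REMOTE-NAT REMOTE-NAT",
        # Interesting traffic for the tunnel is NAT-to-NAT, not LAN-to-LAN.
        f"access-list L2L-CRYPTO extended permit ip {mask(local.nat_lan)} {mask(remote.nat_lan)}",
        "crypto map OUTSIDE-MAP 10 match address L2L-CRYPTO",
        f"crypto map OUTSIDE-MAP 10 set peer {remote.outside_ip}",
    ]


def translate(site: Site, host: str) -> str:
    """Address the peer will see for a local host (host part is preserved)."""
    addr = ipaddress.ip_address(host)
    if addr not in site.real_lan:
        raise ValueError(f"{host} is not in {site.real_lan}")
    offset = int(addr) - int(site.real_lan.network_address)
    return str(ipaddress.IPv4Address(int(site.nat_lan.network_address) + offset))


# Constructed sample plan: both LANs from the question (192.168.1.0/24), the
# local NAT network from the question, and an ASSUMED remote NAT network.
SITE_A = make_site("A", "192.168.1.0/24", "172.18.1.0/24", "203.0.113.1")
SITE_B = make_site("B", "192.168.1.0/24", "172.18.2.0/24", "198.51.100.1")

if __name__ == "__main__":
    for local, remote in ((SITE_A, SITE_B), (SITE_B, SITE_A)):
        print(f"! ---- site {local.name} ----")
        print("\n".join(asa_config(local, remote)))
    print("192.168.1.10 at site A is seen by site B as", translate(SITE_A, "192.168.1.10"))
```

Running it prints the two mirror-image configurations; note that site B's crypto ACL has 172.18.2.0/24 as source and 172.18.1.0/24 as destination, the exact reverse of site A's, which is what the peer ASA needs for the proxy identities to match. The pre-checks are the part worth keeping around: a plan where both sites pick the same NAT network looks fine line by line and only fails once the tunnel comes up.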

2 REPLIES

New Member

Site to Site VPN - NAT Internal Network

Thank you, this has been very helpful. Hopefully I won't break anything!

- Gabe
