Site to Site VPN tunnel, but all internet traffic going via one ASA

John Peterson
Level 1

I have two sites which both have a VPN tunnel connected.

I would like Site B to route all internet traffic through Site A's internet connection, i.e. the ASA in Site A will have to NAT the packets which come from the VPN tunnel of Site B.

I'm sure this is possible, but how would the NAT statement look, as the traffic would come in from the outside and then be routed out the outside?

Thanks

10 Replies

ajay chauhan
Level 7

Site B should have Crypto ACL -- source site B subnet destination -any

Site A should have crypto ACL---  Source any destination Site B subnet

Then NAT on ASA A for the Site B subnet to go out.

Is this classed as hairpinning?

I didn't think you could route and/or NAT traffic coming in and going out of the same interface?

Yes, it is a "hairpinning" application. Please see this nice blog post for lots more details. A briefer post talking about this exact application is here.

You will also need to use the command:

same-security-traffic permit intra-interface

Thanks.
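The hub-and-spoke setup ajay describes above (Site B crypto ACL "site B subnet to any", Site A crypto ACL "any to site B subnet", PAT on ASA A) together with the same-security-traffic command, written out as one added configuration example of my own, not configuration posted in this thread. It uses the pre-8.3 NAT syntax that the thread's "nat 0", "static" and "global" vocabulary implies. Assumptions: Site A LAN 192.168.1.0/24 (from the thread), a constructed Site B LAN 192.168.2.0/24, constructed public peer addresses 203.0.113.1 (Site A) and 198.51.100.1 (Site B), and an ISAKMP policy, transform set ESP-AES-SHA and tunnel-groups already configured.

```cisco
! ===== Site A (hub) ASA, pre-8.3 NAT syntax =====
! Decrypted Site B traffic arrives on 'outside' and must leave on 'outside' again (hairpin)
same-security-traffic permit intra-interface
!
! Crypto ACL: source any, destination Site B subnet (mirror image of Site B's ACL)
access-list SITEB_CRYPTO extended permit ip any 192.168.2.0 255.255.255.0
!
! Site A's own LAN talks to Site B without translation (NAT exemption is evaluated first)
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! PAT: the Site A LAN (from 'inside') and the Site B LAN (arriving from the tunnel on
! 'outside') both share the outside interface address when going to the Internet
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
!
crypto map OUTSIDE_MAP 10 match address SITEB_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! ===== Site B (spoke) ASA =====
! Crypto ACL: everything from the Site B LAN, Internet-bound included, goes into the tunnel
access-list SITEA_CRYPTO extended permit ip 192.168.2.0 255.255.255.0 any
!
! NAT runs before encryption, so exempt the same traffic from PAT; otherwise the translated
! packets would no longer match SITEA_CRYPTO and would leave straight out the ISP link in clear
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
!
crypto map OUTSIDE_MAP 10 match address SITEA_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
```

Site B's default route still points at its ISP so the encrypted packets can reach Site A. To check it is working, `show xlate` on Site A should list 192.168.2.x hosts translated to the outside interface address, and `show crypto ipsec sa` on both ASAs should show the encaps/decaps counters rising.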

Quick question,

Is it possible to NAT traffic which is sent over the VPN tunnel to a different address as it leaves the source site?

E.g.

My LAN is on 192.168.1.0/24, but when the VPN packets go over the VPN link I want them to be seen with a source of 192.168.200.0/24.

But when they go over the internet, to have a source of 192.168.1.0/24?

Thanks.

The answer in general is "yes".

The answer to your specific example is "no" - at least for the bit about how you want them to be seen on the Internet.

192.168.1.0/24 is a private (RFC 1918) netblock and will not be routed on the Internet as-is. Traffic on the Internet must have publicly routable addresses. Typically this is an address (or range of addresses) allocated to you by your ISP (or assigned directly to your company by one of the Regional Internet Registrars if you are big enough to qualify for a provider-independent network).

As far as how they are seen at the peer site within your company, yes - you can translate them into any address you want internally.

Hi Marvin,

Sorry what I meant was...

Is it possible to NAT traffic which is sent over the VPN tunnel to a different address as it leaves the source site?

E.g.

My LAN is on 192.168.1.0/24, but when the VPN packets go over the VPN link I want them to be seen with a source of 192.168.200.0/24.

But when they go over the internet, to have a source of 192.168.1.0/24, which then has PAT to the outside public IP address?

Thanks.

Would I need a static cmd?

Does the static cmd take precedence over a global NAT statement?

Thanks

OK, I think I understand what you want.

Site A = 192.168.1.0/24 has a site-site VPN to site B.  All traffic from A-B you want to have 1-1 NAT to map it to 192.168.200.0/24.

Traffic from A to public Internet you want to go over that same A-B VPN tunnel but hairpin at Site B and leave on Site B's Internet connection using the Site B standard PAT public IP. You want the XLATE table in site B's ASA to show a particular flow as being mapped back to the site A 192.168.1.0/24.

Correct?

I think this should work, but am a bit far out along this logic branch.

You want an implementation of what's known as policy NAT at the Site B end of your VPN tunnel. Basically, "if destination is at site B, NAT one way; if destination is on the public Internet, NAT another way".

Have a look at this CSC document or consult the Google for other examples of policy NAT.

Thanks,
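The policy NAT Marvin describes, as an added example of my own rather than anything from the thread or the CSC document he links: Site A's 192.168.1.0/24 is presented to Site B as 192.168.200.0/24 (both values from the thread) while Internet-bound traffic keeps using the outside interface PAT. Assumptions: pre-8.3 syntax again, a constructed Site B LAN of 192.168.2.0/24, and only Site A's NAT and crypto ACL lines are shown (the rest of the crypto map is unchanged).

```cisco
! ===== Site A ASA, pre-8.3 syntax: two different translations chosen by destination =====
!
! 1. Policy static NAT: only when the destination is the Site B LAN, map 192.168.1.0/24
!    one-to-one onto 192.168.200.0/24 (so 192.168.1.10 is seen by Site B as 192.168.200.10).
!    'static' entries are evaluated before 'nat'/'global', so this wins over the PAT below.
access-list TO_SITEB extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
static (inside,outside) 192.168.200.0 access-list TO_SITEB
!
! 2. Everything else from the LAN (i.e. the Internet) is PATed to the outside interface address
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! NAT is applied before the crypto map is consulted, so the crypto ACL must match the
! translated source, not the real one. Site B's mirror ACL is 192.168.2.0/24 -> 192.168.200.0/24.
access-list SITEB_CRYPTO extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address SITEB_CRYPTO
```

After a ping from Site A to Site B, `show xlate` on Site A should show the 192.168.1.x host with a 192.168.200.x global address, while an Internet-bound flow from the same host shows the outside interface address instead.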

I don't know about the xlate as I have not used it before.

But both LANs are on the same subnet, therefore they cannot communicate, but I can add a static cmd which translates the address so both can ping using a static NAT.

But I would also like all internet traffic from a certain host on site B to access the internet from site A, and all other hosts from site B to access the internet via the local public interface. I will try what you've said and let you know.

Thanks

Hi,

Referring to my first question.

I understand the crypto map and NAT outside statements.

Site B should have Crypto ACL -- source site B subnet destination -any

Site A should have crypto ACL---  Source any destination Site B subnet

Then NAT on ASA A for the Site B subnet to go out.

(outside, outside) 1 Site B internal LAN address

But would I need to NAT 0 any traffic? I guess on site B I would have to NAT-exempt the internet traffic going through the tunnel, but how about on site A? As there is a static NAT, would I need to NAT-exempt traffic from source internet and destination site B, i.e. have both NAT exempt and static?

If I would, which nat 0 would I use: source internet, destination site B, or would it be source outside interface IP address, destination site B, as the packets are NATted by the outside interface on site A?

Thank you.

John Peterson
Level 1

OK,

I worked it out.

I was wondering, what is the benefit if I put the nonat statement in site A? I access the internet with the nonat command in or taken off. How come it still works with the nonat cmd taken off?

Thanks