Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN and NAT with 3 ASA

I have this situation:

192.168.1.0(inside) on ASA1 ===VPN1 tunnel=== 192.168.0.0(inside) on ASA2 ===VPN2 tunnel === 10.0.0.0(inside) on ASA3

VPN1 a nd VPN2 are configured on same outside interface in ASA2 (212.65.218.190)

VPN1 connect internal networks 192.168.1.0 and 192.168.0.0 only

VPN2 connect internal networks 192.168.0.0 and 10.0.0.0 only

ASA3 is in HQ and I have limited possibilities to configure it. There are connected another 10 site to ASA3 and one of this site has 192.168.1.0 (may be VPN3)

So, I would like traffic from IP 192.168.1.142(on ASA1) to 10.10.1.1(ASA3). Can I do some NAT in ASA1 or ASA2 (or both) that IP 192.168.1.142 will be NATed to for example 192.168.0.142(internal of ASA2) ? System 10.10.1.1 will see 192.168.0.142 not real 192.168.1.142.

Can somebody help me ? I try to find similar example but without succes.

Josef

Everyone's tags (1)
3 REPLIES

Re: VPN and NAT with 3 ASA

Here is an close example which I found.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

Basically, you need to do the following.

1. on ASA1, you need and an entry in ACL for both crypto map and Nat 0 to include traffic between 192.168.1.142 to 10.10.1.1

2. on ASA3, you need and an entry in ACL for both crypto map and Nat 0 to include traffic between  10.10.1.1 to 192.168.1.142

3. on ASA2, you need the following

- same-security-traffic permit intra-interface

- in ACL of crypto map for tunnel 1, you need permit 10.10.1.1 to 192.168.1.142

- in ACL of crypto map for tunnel 2, you need permit 192.168.1.142 to 10.10.1.1

New Member

Re: VPN and NAT with 3 ASA

Thanks for your reply.

May be that I I don't exlain exactly my situation because

entry in ACL for both crypto map and Nat 0 to include traffic between  10.10.1.1 to 192.168.1.142

is not suitable. This is may situation more detail:

192.168.1.0(inside) =VPN1= 192.168.0.0(inside) =VPN2= 10.0.0.0(inside) =VPN4= 192.168.1.0(inside)

      ASA1                                 ASA2                                       ASA3                                   AS4

I need connection from system 192.168.1.142 from inside LAN of ASA1 to system 10.10.1.1 in inside LAN of ASA3.

ASA3 has connection to whole LAN 192.168.1.0 by tunnel VPN4.

My questin is if possible to do NATed connection (LAN overlap) for one system from inside LAN of ASA1 to inside LAN of AS3.

192.168.1.142 ------------------------NATed to 192.168.0.142------------------------>10.10.1.1

system 10.10.1.1 will comunicate with 192.168.0.142 which is NATed in ASA2 or ASA1 back to 192.168.1.142

192.168.1.142 <-----------------------192.168.0.142 NATed back to 192.168.1.142 <-------------------- 10.10.10.1.1

Josef

Re: VPN and NAT with 3 ASA

Ok, You did not mention that you have overlap IP here.

Yes, you can NAT 192.168.1.142  to 192.168.0.142 at ASA1.

To be clarify, both VPN1 and VPN2 are terminated on the same interface on ASA2.

If this is the case, the method in my first post is still applied since you have a U-turn traffic here.

Since NAT go before crypto, in your crypto map ACL, you have to use 192.168.0.142 instead of 192.168.1.142.

Also, do not include 192.168.1.142 to 10.10.1.1 in the ACL for NAT 0.

one more thing, since 192.168.0.142 is in the same subnet of ASA2 inside interface, I am not sure if it might cause anything or not. You should not disable arp proxy on ASA2 inside interface (enabled by default if I remember correctly)

If it still does not work, I would like to suggest ot use another NATed IP.

221
Views
0
Helpful
3
Replies