192.168.1.0(inside) on ASA1 ===VPN1 tunnel=== 192.168.0.0(inside) on ASA2 ===VPN2 tunnel === 10.0.0.0(inside) on ASA3
VPN1 and VPN2 are configured on the same outside interface in ASA2 (184.108.40.206)
VPN1 connects internal networks 192.168.1.0 and 192.168.0.0 only
VPN2 connects internal networks 192.168.0.0 and 10.0.0.0 only
ASA3 is in HQ and I have limited possibilities to configure it. Another 10 sites are connected to ASA3, and one of these sites has 192.168.1.0 (maybe VPN3)
So, I would like traffic from IP 192.168.1.142 (on ASA1) to 10.10.1.1 (ASA3). Can I do some NAT in ASA1 or ASA2 (or both) so that IP 192.168.1.142 will be NATed to, for example, 192.168.0.142 (internal of ASA2)? System 10.10.1.1 will see 192.168.0.142, not the real 192.168.1.142.
Can somebody help me? I tried to find a similar example but without success.
OK, you did not mention that you have overlapping IPs here.
Yes, you can NAT 192.168.1.142 to 192.168.0.142 at ASA1.
To clarify, both VPN1 and VPN2 are terminated on the same interface on ASA2.
If this is the case, the method in my first post still applies since you have U-turn traffic here.
Since NAT goes before crypto, in your crypto map ACL you have to use 192.168.0.142 instead of 192.168.1.142.
Also, do not include 192.168.1.142 to 10.10.1.1 in the ACL for NAT 0.
One more thing: since 192.168.0.142 is in the same subnet as the ASA2 inside interface, I am not sure if it might cause anything or not. You should not disable ARP proxy on the ASA2 inside interface (enabled by default, if I remember correctly).
If it still does not work, I would like to suggest using another NATed IP.
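
A configuration sketch of what the answer above describes, as an added example that is not part of the original thread. It assumes pre-8.3 ASA syntax (the answer refers to a NAT 0 ACL) and /24 masks; the ACL names, the crypto map name and the sequence number are hypothetical.

```cisco
! ===== ASA1 (inside 192.168.1.0, assumed /24) =====

! 1. Policy static NAT: 192.168.1.142 is presented as 192.168.0.142,
!    but only for traffic to 10.10.1.1. Other flows keep the real address.
access-list POLICY-NAT-HQ extended permit ip host 192.168.1.142 host 10.10.1.1
static (inside,outside) 192.168.0.142 access-list POLICY-NAT-HQ

! 2. NAT exemption (NAT 0) keeps only the existing site-to-site entry.
!    Do NOT add 192.168.1.142 -> 10.10.1.1 here: an exempted flow is never
!    translated, so it would leave with the overlapping real address.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 3. Crypto ACL for VPN1: NAT runs before the crypto match, so the new
!    entry uses the translated source, not 192.168.1.142.
access-list VPN1-CRYPTO extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list VPN1-CRYPTO extended permit ip host 192.168.0.142 host 10.10.1.1
crypto map OUTSIDE-MAP 10 match address VPN1-CRYPTO

! ===== ASA2 (VPN1 and VPN2 on the same outside interface) =====

! U-turn traffic enters and leaves through the same interface.
same-security-traffic permit intra-interface

! The VPN1 crypto ACL on ASA2 mirrors the new ASA1 entry.
access-list VPN1-CRYPTO extended permit ip host 10.10.1.1 host 192.168.0.142

! ===== Verification on ASA1 =====
! show xlate                 -> expect a translation for 192.168.1.142
! show crypto ipsec sa       -> expect an SA with local ident 192.168.0.142
!                               and rising encaps/decaps counters
```

If `show crypto ipsec sa` lists no SA for 192.168.0.142 while the 192.168.1.0 SA still works, check that the flow is not matched by the NAT 0 ACL and that the crypto ACL entries on both peers mirror each other.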