
New Member

VPN client pool NAT

OS - 8.3

VPN client pool - 10.10.10.0/24

Remote network across L2L - 20.20.20.0/24

The remote network (20.20.20.0/24) accepts traffic only from 30.30.30.0/24

I cannot use 30.30.30.0/24 as my DHCP pool because it is too small and I have a much wider userbase.

How do I do the translation to accomplish this?

4 REPLIES
Cisco Employee

Re: VPN client pool NAT

Go through this and modify your configuration as needed.

https://supportforums.cisco.com/docs/DOC-11640

New Member

Re: VPN client pool NAT

I have already seen this. There is no translation required in the example shown whereas I need NAT translation.

I want the VPN client pool (10.10.10.0/24) to translate to the IP accepted by the remote ASA (30.30.30.30/32) and a no-NAT tunnel to the remote ASA L2L (20.20.20.0/24).

New Member

Re: VPN client pool NAT

I am stuck here. Any idea how to achieve this?

Cisco Employee

Re: VPN client pool NAT

Hi,

The commands would be as below:


! VPN client pool (the real source addresses)
object network POOL
 subnet 10.10.10.0 255.255.255.0
! Network behind the remote ASA, reached over the L2L tunnel
object network REM_L2L
 subnet 20.20.20.0 255.255.255.0
! Single address the remote side accepts (object type is "network"; "object host" is not a valid type)
object network NAT_IP
 host 30.30.30.30
! Twice NAT: clients coming in on outside and going back out on outside (U-turn)
! are PAT'd to 30.30.30.30 only when the destination is the remote L2L network
nat (outside,outside) source dynamic POOL NAT_IP destination static REM_L2L REM_L2L

This should NAT your VPN clients to 30.30.30.30 when accessing the remote L2L. I am assuming you have all the U-turning commands already in place based on the above document. Please note that the crypto ACL in this case would be:

Local ASA:

from 30.30.30.30 to 20.20.20.20/24

On remote end:

from 20.20.20.0/24 to 30.30.30.30.

On the split tunnel ACL for VPN client (if there is one), ensure to add the network 20.20.20.0/24.

Let me know how it goes!!

Cheers,

prapanch
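To put the pieces of the reply together, here is an added configuration sketch for both ends (not from the thread or from Cisco documentation); the crypto map name, ACL names, group-policy name and the peer address placeholder are assumptions, and the transform-set, IKE policy and tunnel-group are left out.

```cisco
! ===== Local ASA (terminates the VPN clients, ASA 8.3 syntax) =====
! Required for the U-turn: client traffic enters and leaves the same interface
same-security-traffic permit intra-interface
!
object network POOL
 subnet 10.10.10.0 255.255.255.0
object network REM_L2L
 subnet 20.20.20.0 255.255.255.0
object network NAT_IP
 host 30.30.30.30
!
! Twice NAT, evaluated in order: keep it above any broader (outside,outside)
! or identity rule so the pool is PAT'd to 30.30.30.30 only toward 20.20.20.0/24
nat (outside,outside) source dynamic POOL NAT_IP destination static REM_L2L REM_L2L
!
! Crypto ACL must match the post-NAT source, not the pool
access-list L2L_CRYPTO extended permit ip host 30.30.30.30 20.20.20.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer <REMOTE_ASA_PUBLIC_IP>
!
! Split tunnel list for the clients must include the remote network,
! otherwise the client never sends 20.20.20.0/24 into the tunnel
access-list SPLIT_TUNNEL standard permit 20.20.20.0 255.255.255.0
group-policy VPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! ===== Remote ASA (owns 20.20.20.0/24) =====
object network LOCAL_NET
 subnet 20.20.20.0 255.255.255.0
object network VPN_NAT_HOST
 host 30.30.30.30
!
! NAT exemption so replies to 30.30.30.30 are not translated before encryption
nat (inside,outside) source static LOCAL_NET LOCAL_NET destination static VPN_NAT_HOST VPN_NAT_HOST
!
! Mirror image of the local crypto ACL
access-list L2L_CRYPTO extended permit ip 20.20.20.0 255.255.255.0 host 30.30.30.30
```

Because the remote side only ever sees 30.30.30.30, its logs cannot distinguish individual VPN users; keep the local ASA's translation log (or syslog 305011/305012 PAT build/teardown messages) if per-user accountability is needed.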
