I have a small conundrum I hope someone can help with! We currently have several different company sites (A to Y) connecting to our network through site-to-site VPN tunnels to our Cisco ASA 5550 running ASA 8.2(2). We also have a service (B) we access from our network using a site-to-site VPN tunnel established on the same firewall. We now need to allow the company sites (A to Y) to access the service (B), and they have to be NAT'd on the way through as the IP addresses clash with the service end!!
Can anyone lead me down the correct path for setting this up?? I am obviously ok with adding the company sites (A to Y) to the existing VPN to (B), that bit is relatively simple, it is the NAT which is causing me problems. I have allocated a /24 to use to dynamically NAT the company sites (A to Y) but am unsure how to implement this NAT.
Been stuck on other things but this is now a priority so any help greatly appreciated!! Here is the setup I have:
A Inside Networks: 10.128.0.0/16, 184.108.40.206/16
B RA VPN Clients: 172.17.2.0/24
C Site to Site VPN: 10.64.0.0/24, 10.65.0.0/24, 10.95.0.0/24, 10.96.0.0/24
D Site to Site VPN: 10.0.110.0/24
I would like B & C above to be able to get direct access to D. Because of other networks at D I am not able to pass C's traffic directly and need to NAT it on the firewall (will use 172.17.3.0/24 pool). What I am unsure about is where I need to put NAT rules and where I should be allowing traffic using ASDM (not so good with CLI). I believe all VPNs terminate in the middle of the firewall but I may be wrong?? Assuming they do, then where would the access rules and NAT rule be placed in order to allow traffic back out across the D VPN?? I have allowed B & C across the VPN to D; do I need to allow D across the VPNs back to the C addresses? Will I need to do anything on the RA VPN??
I have the following interfaces on the firewall:
I have attached my sanitised config (few names and passwords removed)
For reference, if anyone has similar issues: I had to allow the NAT range, not the pre-NAT addresses, across the VPN to Site D. I then had to edit the routers on each of the C sites to allow D to access them.
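Added example, not from the original post or the attached config: an ASA 8.2-style hairpin policy NAT matching the fix described above, where the C sites are translated into the 172.17.3.0/24 pool only when heading to D and the D crypto ACL names the pool rather than the real C ranges. The ACL names, the NAT id and the D peer placeholder are assumptions; the addresses are the ones listed in the post.

```cisco
! ---- Added example (not from the original post): ASA 8.2 hairpin policy NAT ----
! ACL names, NAT id 10 and <D-peer-ip> are constructed for this example.
! ASA 8.3+ uses a different NAT syntax and is not covered here.

! VPN traffic arrives and leaves on the same (outside) interface, so
! hairpinning must be permitted.
same-security-traffic permit intra-interface

! Policy NAT ACL: translate C-site sources only when the destination is D.
! A "nat (outside) 0 access-list" exemption that also matches these flows
! takes precedence, so make sure no exemption ACL covers C -> D.
access-list C_TO_D_NAT extended permit ip 10.64.0.0 255.255.255.0 10.0.110.0 255.255.255.0
access-list C_TO_D_NAT extended permit ip 10.65.0.0 255.255.255.0 10.0.110.0 255.255.255.0
access-list C_TO_D_NAT extended permit ip 10.95.0.0 255.255.255.0 10.0.110.0 255.255.255.0
access-list C_TO_D_NAT extended permit ip 10.96.0.0 255.255.255.0 10.0.110.0 255.255.255.0

! Dynamic NAT of the C sites into the 172.17.3.0/24 pool, outside-to-outside.
! Dynamic NAT only builds a translation for C-initiated flows; D cannot
! open connections towards the C sites through this pool.
nat (outside) 10 access-list C_TO_D_NAT
global (outside) 10 172.17.3.1-172.17.3.254 netmask 255.255.255.0

! Crypto ACL for the D tunnel: it must name the post-NAT pool, not the real
! C-site ranges (the point the poster ran into). The RA clients (B) do not
! clash with D, so they cross untranslated.
access-list OUTSIDE_CRYPTOMAP_D extended permit ip 172.17.3.0 255.255.255.0 10.0.110.0 255.255.255.0
access-list OUTSIDE_CRYPTOMAP_D extended permit ip 172.17.2.0 255.255.255.0 10.0.110.0 255.255.255.0
! The peer at D mirrors this: 10.0.110.0/24 -> 172.17.3.0/24 and 172.17.2.0/24.

! Return traffic from D is un-translated back to the real C addresses here,
! so each C-site tunnel's crypto ACL (on the ASA and on the C-site router)
! must also carry 10.0.110.0/24 <-> that site's LAN; one site shown.
access-list OUTSIDE_CRYPTOMAP_C1 extended permit ip 10.64.0.0 255.255.255.0 10.0.110.0 255.255.255.0

! For the RA clients, 10.0.110.0/24 must be in the group policy's
! split-tunnel network list (or the policy must tunnel all traffic),
! otherwise the client never sends D traffic into the tunnel.

! With the default "sysopt connection permit-vpn" in place, decrypted VPN
! traffic bypasses the outside interface ACL, so no extra access rule is
! needed there. Verify the translation and the D tunnel with:
!   show xlate | include 172.17.3
!   show crypto ipsec sa peer <D-peer-ip>
```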