
New Member

VPN tunnel and NAT

Hi. I'm trying to establish a LAN-to-LAN IPSec VPN tunnel from my ASA5510 to another network but hit a little snag. My counterpart on the other side informed me that he already has a VPN tunnel to another company that has the same IP range as my network (10.100.16.0/24) and can't create the tunnel.

I was wondering is there a way to use NAT on the VPN tunnel so that the traffic that goes from my network on the VPN tunnel gets translated and my counterpart on the other side sees this translated IP range?

Thanks in advance for any help.

  • VPN
4 REPLIES
Hall of Fame Super Blue

Re: VPN tunnel and NAT

Hi

Yes, this is perfectly possible. What you need to do is NAT your source IP addresses to some other address and then modify your crypto access-list. So, for example, let's say your original setup looks like this:

your network 192.168.5.0/24

remote network 172.16.5.0/24

your crypto access-list would look like

access-list vpntraffic permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0

So you now NAT your 192.168.5.0/24 addresses to 192.168.20.1 (this can be any address you and the 3rd party agree on).

You need to update your crypto access-list as such

access-list vpntraffic permit ip host 192.168.20.1 172.16.5.0 255.255.255.0

And the 3rd party needs to update their crypto map access-list as well.

HTH

Jon
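
As an added example (not Jon's or Cisco's configuration), here is what the translation described above looks like on an ASA running pre-8.3 software, where policy NAT is a `nat` statement tied to an access-list. It assumes the existing internet PAT is NAT ID 1, the interfaces are named inside/outside, and the crypto map is called outside_map; the 192.168.5.0/24, 172.16.5.0/24 and 192.168.20.1 values are Jon's.

```cisco
! Existing internet access: every inside host is PATed to the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Policy NAT for the tunnel: only traffic from the inside LAN towards the
! third party's 172.16.5.0/24 is translated, and it is PATed to the agreed
! address 192.168.20.1 instead of the outside interface. A nat statement
! with an access-list is evaluated before the plain nat statement above, so
! VPN-bound traffic never falls through to the internet PAT.
access-list vpn-nat extended permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0
nat (inside) 2 access-list vpn-nat
global (outside) 2 192.168.20.1

! The crypto access-list must match the post-NAT source, as in Jon's example.
! The third party's proxy identity has to mirror this exactly or phase 2 fails.
access-list vpntraffic extended permit ip host 192.168.20.1 172.16.5.0 255.255.255.0
crypto map outside_map 10 match address vpntraffic
```

Because this is a many-to-one PAT, only hosts on your side can initiate connections across the tunnel; if the third party needs to reach particular servers of yours, those need static translations to individual addresses that are then added to both crypto access-lists. Verify the translation is being hit with `show xlate` and the tunnel's proxy identities with `show crypto ipsec sa`.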

New Member

Re: VPN tunnel and NAT

I think I get how it should work. But one thing still confuses me, as I am new to firewalls. I am already NATing the same range over the outside interface so they can access the internet using the IP address of the outside interface of the ASA. Could I use that existing NAT for the VPN tunnel towards the other company?

Hall of Fame Super Blue

Re: VPN tunnel and NAT

Hi

Yes you can use the same address as you already use for internet access.

Just update your crypto access-list to reflect the new address and make sure the third party does the same.

Jon

New Member

Re: VPN tunnel and NAT

Great, thanks for the fast response. So I can use the existing NAT, or I can do a policy NAT for when the traffic goes to the other network over the VPN tunnel. I think I got everything I need now.
