Hi. I'm trying to establish a LAN-to-LAN IPSec VPN tunnel from my ASA5510 to another network but hit a little snag. My counterpart on the other side informed me that he already has a VPN tunnel to another company that has the same IP range as my network (10.100.16.0/24) and can't create the tunnel.
I was wondering, is there a way to use NAT on the VPN tunnel so that the traffic that goes from my network on the VPN tunnel gets translated and my counterpart on the other side sees this translated IP range?
Yes, this is perfectly possible. What you need to do is NAT your source IP addresses to some other address and then modify your crypto access-list. So for example, let's say your original setup looks like this:
your network 192.168.5.0/24
remote network 172.16.5.0/24
your crypto access-list would look like:
access-list vpntraffic permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0
So you now NAT your 192.168.5.0/24 addresses to 192.168.20.1 (this can be any address you and the 3rd party agree on).
You need to update your crypto access-list as such:
access-list vpntraffic permit ip host 192.168.20.1 172.16.5.0 255.255.255.0
And the 3rd party needs to update their crypto map access-list as well.
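The change described in the answer above, written out as ASA configuration. This is an added example, not part of the original thread: the interface names inside and outside, the ACL name policy-nat-vpn, NAT ID 2 and the object names are assumptions, and both NAT syntaxes are shown because the thread does not state the software version.

```cisco
! Added example. Addresses are the ones used in the answer above;
! interface names, object names, the ACL name policy-nat-vpn and
! NAT ID 2 are assumptions.

! --- Variant A: ASA 8.2 and earlier (policy PAT) ---
! Translate only traffic from the local LAN to the remote LAN.
access-list policy-nat-vpn extended permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0
nat (inside) 2 access-list policy-nat-vpn
global (outside) 2 192.168.20.1

! --- Variant B: ASA 8.3 and later (manual / twice NAT) ---
object network LOCAL-LAN
 subnet 192.168.5.0 255.255.255.0
object network LOCAL-LAN-MAPPED
 host 192.168.20.1
object network REMOTE-LAN
 subnet 172.16.5.0 255.255.255.0
! The destination match limits the translation to tunnel-bound traffic.
nat (inside,outside) source dynamic LOCAL-LAN LOCAL-LAN-MAPPED destination static REMOTE-LAN REMOTE-LAN

! --- Both variants: crypto ACL ---
! NAT is applied before the crypto ACL is checked, so the ACL must
! match the translated source, not the real 192.168.5.0/24 range.
no access-list vpntraffic permit ip 192.168.5.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list vpntraffic permit ip host 192.168.20.1 172.16.5.0 255.255.255.0

! --- Checks after the change ---
! The hosts 192.168.5.10 and 172.16.5.10 are constructed samples.
! packet-tracer input inside icmp 192.168.5.10 8 0 172.16.5.10
!   expect a NAT phase translating to 192.168.20.1 and a VPN encrypt phase
! show crypto ipsec sa
!   expect "local ident" to show 192.168.20.1/255.255.255.255
```

Because the source is translated to a single PAT address, only the local side can initiate connections through the tunnel; the remote side's mirrored crypto ACL must name 192.168.20.1 as the destination.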
I think I get how it should work. But one thing still confuses me though as I am new with firewalls. I am already NATing the same range over the outside interface so they can access the internet using the IP address of the outside interface of the ASA. Could I use that existing NAT for the VPN tunnel towards the other company?