Community Member

VPN with NAT on ASA5505

I have a corporate network with 192.168.200.0/24, 192.168.100.0/24 and 192.168.201.0/24. We need to establish VPN tunnels to several sites, and each has the same network locally, 192.168.0.0/24. I am able to get one connected via a site-to-site VPN tunnel, but without NAT. Incidentally, each remote site is a Sonicwall TZ170 to 210 model.

What do I need to do to NAT every remote site so that they can reach our servers at 192.168.200.x/24 and we can reach their servers at 172.16.100.x/24? We need to be able to communicate bi-directionally, and servers at either end need to be statically addressable.

Below is part of the config

ASA Version 8.0(4)

...

name {removed IP} Firewall-FAY description Fayetteville NC Sonicwall TZ180 Firewall
name 192.168.0.0 FAYLAN
...

access-list outside_dyn extended permit ip 192.168.200.0 255.255.255.0 12.12.12.0 255.255.255.0
access-list split extended permit ip 192.168.200.0 255.255.255.0 12.12.12.0 255.255.255.0
access-list nonat extended permit ip 192.168.200.0 255.255.255.0 12.12.12.0 255.255.255.0
access-list nonat extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list nonat extended permit ip 192.168.200.0 255.255.255.0 FAYLAN 255.255.255.0
access-list guest->internal extended deny ip 192.168.200.0 255.255.255.0 10.255.255.0 255.255.255.0
access-list mbnav_splitTunnelAcl extended permit tcp host 192.168.200.5 12.12.12.0 255.255.255.0 eq 3389
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 FAYLAN 255.255.255.0

...

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest-wlan) 1 10.255.255.0 255.255.255.0
static (inside,outside) tcp interface 3389 192.168.200.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.200.4 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.200.3 ftp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.200.4 https netmask 255.255.255.255
access-group in->out in interface outside
route outside 0.0.0.0 0.0.0.0 {removed external IP} 1

...

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer Firewall-FAY
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 2147483647
crypto map outside_map 65535 ipsec-isakmp dynamic DYNO
crypto map outside_map interface outside

1 REPLY
Cisco Employee

Re: VPN with NAT on ASA5505

Since the remote ends are the ones that do not have unique subnets, the NATing needs to be done on the remote end. It cannot be done on this ASA end, because as far as the ASA is concerned, the remote subnets are all the same subnet if they are all in 192.168.0.0/24, and there is no way to differentiate between them.
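An added example (not part of the original thread) of the ambiguity the reply describes, as a small Python checker: it parses ASA 8.0-style name, access-list and crypto map lines and reports peers whose crypto ACL destinations overlap. The peer addresses and the second site (Firewall-RAL) are constructed for illustration.

```python
"""Flag crypto-map peers whose remote subnets overlap (ASA 8.0-style config)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the Fayetteville entry from the post (peer IP is a
# placeholder) plus a hypothetical second site that also uses 192.168.0.0/24.
SAMPLE_CONFIG = """
name 203.0.113.1 Firewall-FAY description Fayetteville NC Sonicwall TZ180 Firewall
name 203.0.113.5 Firewall-RAL description hypothetical second site
name 192.168.0.0 FAYLAN
name 192.168.0.0 RALLAN
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 FAYLAN 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.200.0 255.255.255.0 RALLAN 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer Firewall-FAY
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer Firewall-RAL
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_config(text):
    """Return {acl: [dest networks]} and {seq: {'acl': ..., 'peer': ...}}."""
    names, acls, seqs = {}, defaultdict(list), defaultdict(dict)
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "name":
            names[parts[2]] = parts[1]  # object name -> IP, description ignored
        elif (m := ACL_RE.match(line)):
            acl, _, _, dst, dmask = m.groups()
            dst = names.get(dst, dst)  # resolve 'name' objects such as FAYLAN
            acls[acl].append(ipaddress.ip_network(f"{dst}/{dmask}", strict=False))
        elif parts[:2] == ["crypto", "map"]:
            seq = seqs[parts[3]]  # keyed by crypto map sequence number
            if parts[4:6] == ["match", "address"]:
                seq["acl"] = parts[6]
            elif parts[4:6] == ["set", "peer"]:
                seq["peer"] = names.get(parts[6], parts[6])
    return acls, seqs

def overlapping_peers(text):
    """Pairs of distinct peers whose crypto ACL destinations overlap."""
    acls, seqs = parse_config(text)
    entries = [(s["peer"], n) for s in seqs.values() for n in acls.get(s.get("acl"), [])]
    conflicts = set()
    for i, (p1, n1) in enumerate(entries):
        for p2, n2 in entries[i + 1:]:
            if p1 != p2 and n1.overlaps(n2):
                conflicts.add(tuple(sorted((p1, p2))))
    return sorted(conflicts)

if __name__ == "__main__":
    for a, b in overlapping_peers(SAMPLE_CONFIG):
        print(f"peers {a} and {b} share a remote subnet; the remote ends must NAT to unique ranges")
```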
