
ASA 5520, route a NATed network over VPN


  • ASA 5520, route a NATed network over VPN

    Hello Everyone,

    I've researched this and tried to configure everything I can think of, using the ASDM only - but no luck. I hope someone out there is kind enough to help out.

    ASDM 6.4(7), ASA 8.4(3)

    I have a Site-To-Site VPN working, now I need to NAT a second network through this VPN from one side.

    Site A has 172.27 /16
    Site B has 172.24 /16

    I want to add 192.168.90/24 to Site A without having to make any changes on Site B.

    Is it possible to set this up at all? Can it be done in the ASDM?

    I would be very grateful for some hints!

  • #2
    Re: ASA 5520, route a NATed network over VPN

    For a normal L2L VPN the change would have to happen on both sides, as the Proxy ACLs (Interesting Traffic) would need to be updated on both sides; it's part of the Phase 2 negotiations when the IPSec SAs are established.

    Is the ASA terminating the VPN and doing NAT as well? You could possibly NAT the 192.168.90/24 network to the 172.27/16 network, as NAT happens before encryption. This way the remote endpoint will see traffic coming from the 172.27/16 subnet, requiring no changes on the remote side. This is more of a workaround than a solution, and Cisco does not recommend it (when the VPN and NAT device are the same device). The better option is to update the VPN config on both sides. Typically I have only seen this done if both networks have overlapping subnets.

    Example Config:

    object network OBJ-
    object network OBJ-
    object network OBJ-
    nat (inside,outside) source static OBJ- OBJ- destination static OBJ- OBJ-

    (This is called Twice NAT on 8.3 and above; it used to be called policy NAT.)
    Last edited by auglan; 21st June 2012, 16:07.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)
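    A worked version of the twice-NAT workaround described in #2, added here as an example and not taken from the thread. It assumes the new network sits behind the "inside" interface, that the existing tunnel's crypto ACL already covers 172.27.0.0/16 to 172.24.0.0/16, and that 172.27.90.0/24 is an unused range at Site A; the object names are constructed for this example.

    ```cisco
    ! Added example for ASA 8.4(3); object names and the mapped range are assumptions.
    !
    ! The real network being added at Site A
    object network OBJ-NEW-LAN
     subnet 192.168.90.0 255.255.255.0
    !
    ! An UNUSED block inside the 172.27/16 range that Site B already accepts over the tunnel.
    ! It must not overlap real Site A hosts, or return traffic for those hosts would be
    ! redirected to 192.168.90.x by this translation.
    object network OBJ-NEW-LAN-MAPPED
     subnet 172.27.90.0 255.255.255.0
    !
    ! Site B's LAN, used as the destination condition so the translation only applies
    ! to traffic headed into the VPN, not to Internet traffic.
    object network OBJ-SITEB-LAN
     subnet 172.24.0.0 255.255.0.0
    !
    ! Twice NAT (manual NAT, section 1): 192.168.90.x -> 172.27.90.x one-to-one when the
    ! destination is Site B. NAT is applied before encryption, so the post-NAT source
    ! matches the existing crypto ACL and Site B needs no change. The rule is static, so
    ! Site B can also initiate to 172.27.90.x and reach 192.168.90.x.
    ! Line 1 keeps it above any catch-all manual dynamic PAT to the outside interface.
    nat (inside,outside) 1 source static OBJ-NEW-LAN OBJ-NEW-LAN-MAPPED destination static OBJ-SITEB-LAN OBJ-SITEB-LAN
    !
    ! Verification from the ASA CLI (the trace should show NAT hitting this rule and then
    ! the VPN encryption phase):
    ! packet-tracer input inside tcp 192.168.90.10 1234 172.24.0.10 80
    ! show nat detail
    ! show crypto ipsec sa
    ```

    The same rule can be built in ASDM under Configuration > Firewall > NAT Rules as a manual ("twice") NAT rule with the three objects above.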