Cisco ASA 5510 - Perform NAT on VPN Tunnel

  • Cisco ASA 5510 - Perform NAT on VPN Tunnel

    Hello,
    I have to set up a Site-to-Site VPN Tunnel with a partner (Partner A). Partner A uses subnet 10.1.0.0/16.
    But we already have another tunnel with another Partner (Partner B) who uses the same subnet, 10.1.0.0/16.

    How can I make both co-exist? I assume I have to use NAT, but I'm not sure how to implement it in this case.


    I'd be quite happy if I can use NATed addresses to access Client A.

    I mean:
    I keep using 10.1.0.0 to access Partner B.
    And I could use IPs 10.2.x.y instead of 10.1.x.y to access servers at Partner A.
    Then route 10.2.0.0/16 through tunnel A, NAT it to 10.1.0.0 and send it to Partner A (and all his answers NATed back to 10.2.0.0).

    Ideally, I'd like all IPs 10.2.x.y transformed to 10.1.x.y, but if I have to manually set a translation for each IP, I can do that too.


    Can anyone tell me how to achieve that, or does anyone have another solution?

    N.B.: Partner A also has a Cisco 5510 and, if needed, can add NAT rules on his side too (although I'd like to avoid it if possible).
    My own subnet is 192.16.1.0/24, so no issue there.

    Thanks in advance.

  • #2
    Re: Cisco ASA 5510 - Perform NAT on VPN Tunnel

    Yes, you can use NAT; see the following for more info:
    http://www.velocityreviews.com/forum...nnel-515e.html
    http://www.booches.nl/2009/01/14/pol...-cisco-router/
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl




    • #3
      Re: Cisco ASA 5510 - Perform NAT on VPN Tunnel

      Thanks for this.
      I used policy NAT as advised, but I can't get it to work.
      Here is an extract of the configuration of the remote ASA:

      name 10.1.1.0 VLAN2
      name 192.168.1.0 remote
      name 10.2.1.0 translation_for_remote
      access-list inside_nat_static extended permit ip VLAN2 255.255.255.0 remote 255.255.255.0
      static (inside,outside) translation_for_remote access-list inside_nat_static

      access-list outside_2_cryptomap extended permit ip VLAN2 255.255.255.0 remote 255.255.255.0

      The VPN Tunnel itself is OK. But I can't communicate with any machine at the remote site.
      For instance, there is a machine at the remote site with IP 10.1.1.34.
      From my network I ping 10.2.1.34; I see that the VPN tunnel connects, and I can also see my packets going through the tunnel (the Tx Packet counter on my side goes up), but nothing comes back from the remote side:
      The ping times out
      The Rx Bytes counter (on my firewall) stays at 0
      There is no error in the log of the remote firewall.

      Is there something wrong in my configuration? Am I missing something?
      What else can I do to troubleshoot the situation?
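A complete pair of configurations for the layout discussed in this thread, written here as an added example rather than taken from any of the posts: Partner A's ASA presents its real 10.1.1.0/24 as 10.2.1.0/24 toward 192.168.1.0/24 with policy static NAT, and the questioner's ASA carries both tunnels, keeping the real 10.1.0.0/16 for Partner B. It uses the pre-8.3 NAT syntax of the posted extract and keeps its names. Everything else is an assumption: the outside peer addresses (198.51.100.1 for the questioner, 203.0.113.1 for Partner A, 192.0.2.1 for Partner B, all documentation ranges), the crypto map, transform-set and ACL names, the ISAKMP policy, the pre-shared key placeholder, and the /24 scope of the posted extract rather than the /16 of the first post. The point it makes relative to the extract: on ASA 8.2 and earlier, NAT is applied before the crypto map is evaluated, so Partner A's crypto ACL has to name the translated network (10.2.1.0/24), not the real VLAN2 network, and the questioner's crypto ACL must mirror it exactly. A crypto ACL written with the real addresses never matches the already-translated replies from 10.1.1.x, so they are never encrypted, which looks like a tunnel that comes up but carries traffic in one direction only.

```cisco
! ===== Partner A's ASA (real network 10.1.1.0/24, shown as 10.2.1.0/24) =====
! Pre-8.3 NAT syntax, as in the posted extract. Peer addresses are assumed.
name 10.1.1.0 VLAN2
name 192.168.1.0 remote
name 10.2.1.0 translation_for_remote

! Policy static NAT: only when VLAN2 hosts talk to "remote" are they
! presented as 10.2.1.x (10.1.1.34 <-> 10.2.1.34, etc.). The mapped mask
! is taken from the source mask in the ACL.
access-list inside_nat_static extended permit ip VLAN2 255.255.255.0 remote 255.255.255.0
static (inside,outside) translation_for_remote access-list inside_nat_static

! Crypto ACL names the TRANSLATED network. NAT runs before the crypto map
! check on 8.2 and earlier, so an ACL written with VLAN2 would not match
! outbound replies and they would leave unencrypted.
access-list outside_2_cryptomap extended permit ip translation_for_remote 255.255.255.0 remote 255.255.255.0

crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 198.51.100.1
crypto map outside_map 2 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Questioner's outside address (assumed); replace the placeholder key.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-SHARED-SECRET

! ===== Questioner's ASA (192.168.1.0/24, two tunnels) =====
name 192.168.1.0 inside_net

! NAT exemption: the local network crosses both tunnels untranslated.
access-list inside_nat0_outbound extended permit ip inside_net 255.255.255.0 10.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip inside_net 255.255.255.0 10.2.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Tunnel 1, Partner B: real 10.1.0.0/16, unchanged.
access-list outside_1_cryptomap extended permit ip inside_net 255.255.255.0 10.1.0.0 255.255.0.0
! Tunnel 2, Partner A: the mirror image of Partner A's crypto ACL,
! so the proxy IDs negotiated in phase 2 agree on both sides.
access-list outside_2_cryptomap extended permit ip inside_net 255.255.255.0 10.2.1.0 255.255.255.0

! Both 10.1.0.0/16 and 10.2.1.0/24 follow the default route out "outside";
! the crypto map entry is chosen by ACL match, not by routing.
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 192.0.2.1
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 203.0.113.1
crypto map outside_map 2 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-PARTNER-B-SECRET
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-SHARED-SECRET
```

To check the one-way symptom from the post, run `packet-tracer input inside icmp 192.168.1.10 8 0 10.2.1.34` on the questioner's ASA and `packet-tracer input inside icmp 10.1.1.34 0 0 192.168.1.10` on Partner A's ASA (the reply direction); the trace shows whether the packet reaches a VPN encrypt phase or is dropped before it. `show crypto ipsec sa peer 203.0.113.1` on the questioner's side should show `#pkts encaps` and `#pkts decaps` both rising once the ACLs mirror each other, and `show xlate` on Partner A's ASA should list the 10.1.1.34 to 10.2.1.34 translation while the ping is running.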
