Lan 2 Lan vpn Cisco ASA 5505 with NAT

Posted on 2009-04-05
Last Modified: 2012-05-06
Hi all

I am currently trying to configure a LAN 2 LAN (site-to-site) VPN between a Cisco ASA 5505 and a Cisco 3845 router. I only have access to the ASA.

I usually just use the site-to-site VPN wizard and it works great, but now the other guy (on the 3845) is asking me to enable NAT before the encryption (the config will be like this: inside--NAT--cryptomap--L2L--cryptomap--NAT--inside).

I am not quite proficient with this kind of configuration. Can someone help?

Thx in advance

Question by:inf2300

Accepted Solution

by: cosmicfox
ID: 24072808
You can do this by breaking it down into two steps. First configure your NAT rule: let's say your source IP is 192.168.1.x and you need to NAT it to 10.1.1.x, so set up your NAT rule accordingly. Then, when you set up your site-to-site VPN, the source IP will be your NATed IP of 10.1.1.x. The way it works is that the NAT rule will be kicked off before IPsec sends the traffic over the tunnel.

Hope this helps, let me know if you need any more information.

Author Comment

by:inf2300
ID: 24073166
So the NAT will get executed before it encrypts the traffic?

Thx for the info, I will try that tomorrow.

Assisted Solution

by: cosmicfox
ID: 24073373
Yes, NAT is done before crypto. Here is a link to the order of operations.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml 

Author Comment

by:inf2300
ID: 24079839
So how should the NAT configuration and access-list go?

Let's say these are my different ranges:

inside range : 192.168.2.0/24
my public ip : 5.5.5.5

their peer ip : 6.6.6.6
their inside public IP range : 138.11.16.0/24
their inside range : unknown

So if I get this right, the other guy has this setup : (6.6.6.6)router-----(138.11.16.0/24)firewall------(unknown private range)inside

He told me to NAT my subnet first for security reasons...

I understand the principles, just not sure how to apply it...

Usually, I just exempt the 2 protected subnets from the NAT...

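Putting cosmicfox's two-step answer together with the addresses inf2300 posted above, this is the ASA configuration that implements "NAT first, then encrypt". It is an added example, not inf2300's working config (the thread never shows it) and not text from Cisco's documentation. The mapped subnet 10.1.1.0/24 is borrowed from cosmicfox's example; the interface names, ACL and crypto-map names, the pre-shared key placeholder and the IKE/IPsec policies are assumptions and have to match whatever the 3845 side is configured with. The first part is the syntax of the 8.2-and-earlier code an ASA 5505 ran in 2009; the second part is the same design in the 8.3+ NAT syntax for anyone applying it today.

```cisco
! Added example, not the poster's config. Addresses from the thread:
!   inside (real) 192.168.2.0/24, ASA outside 5.5.5.5, peer 6.6.6.6,
!   remote network 138.11.16.0/24
! Assumed: mapped subnet 10.1.1.0/24, interfaces named inside/outside,
! the IKE/IPsec policies below, and a pre-shared key placeholder.

! ===== ASA 8.2 and earlier ===================================================
! Step 1: policy static NAT. Translate 192.168.2.0/24 -> 10.1.1.0/24, but ONLY
! for traffic going to the peer's 138.11.16.0/24. Everything else from inside
! keeps using whatever NAT/PAT you already have for Internet access.
access-list POLICY_NAT_TO_PEER extended permit ip 192.168.2.0 255.255.255.0 138.11.16.0 255.255.255.0
static (inside,outside) 10.1.1.0 access-list POLICY_NAT_TO_PEER

! Step 2: the crypto ACL matches the MAPPED source, because NAT is applied
! before the crypto map is evaluated. Do not put 192.168.2.0/24 here, and do
! not keep the wizard's "nat (inside) 0 access-list ..." exemption for
! 192.168.2.0 -> 138.11.16.0: NAT exemption wins over static NAT and would
! skip the translation, so the packet would never match the crypto ACL.
access-list OUTSIDE_CRYPTOMAP_10 extended permit ip 10.1.1.0 255.255.255.0 138.11.16.0 255.255.255.0

! Step 3: IKE phase 1 / IPsec phase 2 (assumed values; mirror the 3845's).
! On 8.4+ these keywords become "crypto ikev1 ..." and "ikev1 pre-shared-key".
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 6.6.6.6 type ipsec-l2l
tunnel-group 6.6.6.6 ipsec-attributes
 pre-shared-key <shared-secret-agreed-with-the-3845-admin>
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address OUTSIDE_CRYPTOMAP_10
crypto map OUTSIDE_MAP 10 set peer 6.6.6.6
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! ===== ASA 8.3 and later: same design, object-based NAT syntax ===============
object network INSIDE_REAL
 subnet 192.168.2.0 255.255.255.0
object network INSIDE_MAPPED
 subnet 10.1.1.0 255.255.255.0
object network REMOTE_NET
 subnet 138.11.16.0 255.255.255.0
! Twice (manual) NAT in section 1 is evaluated before any object NAT, so this
! entry is what the VPN traffic hits. Destination is kept as-is (identity).
nat (inside,outside) source static INSIDE_REAL INSIDE_MAPPED destination static REMOTE_NET REMOTE_NET
! Crypto ACL still references the mapped object, not INSIDE_REAL.
access-list OUTSIDE_CRYPTOMAP_10 extended permit ip object INSIDE_MAPPED object REMOTE_NET
```

Two things to check after applying it. First, the 3845 side's crypto ACL has to be the mirror image, 138.11.16.0/24 to 10.1.1.0/24, since that is the only source the ASA will present; if the other admin lists 192.168.2.0/24 the proxy IDs will not match and phase 2 fails. Second, `packet-tracer input inside tcp 192.168.2.10 12345 138.11.16.10 80` on the ASA shows the phases in the order the box actually applies them; you should see the NAT phase rewrite the source to 10.1.1.10 and then the VPN phase match the crypto map. If the VPN phase is missing, the packet is usually being caught by a NAT exemption or a more specific NAT rule, which `show nat` (8.3+) or `show running-config nat` / `show running-config static` (8.2 and earlier) will reveal.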

Author Comment

by:inf2300
ID: 24080124
Never mind, I just figured it out and made it work.

Author Comment

by:inf2300
ID: 24080306
Thx for your help!!