cisco20 asked:

Site to Site VPN Nat question


I'm fairly new to ASA NATing while using VPN, and I was wondering what best practice would be for NATing in my case.
I'm thinking one-to-one static NAT, since I have 30 usable public IPs and was thinking about using one dedicated to connect to this vendor server. The "outside" IP the My CORP ASA is using can't be used as the NATed IP, can it?

I attached a diagram using random IPs.

MikeKane:

The IP assigned to the ASA's outside interface can be used for outbound NATing.  

Use the commands:
"global (outside) 1 interface"
"nat (inside) 1"

You should disable NAT altogether for a site-to-site tunnel.

The commands (making some assumptions on your config):

nat (inside) 0 access-list inside_nat_outbound
access-list inside_nat_outbound extended permit ip localsubnet netmask remotesubnet netmask

Each ASA would have those commands.
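
Because each ASA carries its own copy of the exemption, the two ACLs have to mirror each other (local and remote subnets swapped). The following check is an added example, not part of the original answers: it parses the pre-8.3 `nat (if) 0 access-list` syntax quoted above and reports exemptions with no reversed entry on the peer. The subnets, ACL names and sample configs are constructed, and only the `network mask` ACE form is handled (`host`, `any` and object-groups are not).

```python
import ipaddress
import re

# Pre-8.3 ASA syntax, as quoted in the answer above.
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def exempt_pairs(config):
    """Return {(src_net, dst_net)} exempted from NAT by 'nat (if) 0 access-list'."""
    lines = [l.strip() for l in config.splitlines()]
    acls = {m.group(2) for l in lines if (m := NAT0_RE.match(l))}
    pairs = set()
    for l in lines:
        m = ACE_RE.match(l)
        if m and m.group(1) in acls:  # ignore ACLs not bound to nat 0
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
            pairs.add((src, dst))
    return pairs

def mirror_problems(site_a, site_b):
    """List exemptions on one peer that have no reversed entry on the other."""
    a, b = exempt_pairs(site_a), exempt_pairs(site_b)
    out = [f"A exempts {s} -> {d}, B lacks {d} -> {s}"
           for s, d in sorted(a, key=str) if (d, s) not in b]
    out += [f"B exempts {s} -> {d}, A lacks {d} -> {s}"
            for s, d in sorted(b, key=str) if (d, s) not in a]
    return out

# Constructed sample configs (not taken from the thread's diagram).
SITE_A = """
nat (inside) 0 access-list inside_nat_outbound
access-list inside_nat_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_in extended permit ip 10.9.9.0 255.255.255.0 192.168.10.0 255.255.255.0
"""
SITE_B_OK = """
nat (inside) 0 access-list inside_nat_outbound
access-list inside_nat_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
"""
# Wrong remote subnet on B: return traffic would be NATed instead of exempted.
SITE_B_BAD = SITE_B_OK.replace("192.168.10.0", "192.168.1.0")

if __name__ == "__main__":
    for name, cfg in (("ok", SITE_B_OK), ("bad", SITE_B_BAD)):
        print(name, mirror_problems(SITE_A, cfg) or "mirrored")
```
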
cisco20:


Can you please elaborate a little on why no NAT is needed for my servers to communicate? Thanks.
RustyZ32:

This solution is only available to members.
cisco20:


Yes, you are correct, the connection is between 2 ASAs. I think I'll use the wizard for this setup before using the CLI to get a clearer picture.