• Status: Solved
  • Priority: Medium
  • Security: Public

ASA 5505 VPN tunnel nat translation

Hi All

I have an ASA 5505 on which I have created a VPN tunnel to another site.  The tunnel is up, but I need to change the IP address from our network side from a 192. to a 10. on their side for it to work.

Thanks
Asked by: itsadmin1
1 Solution
 
MikeKane Commented:
So you have a source network that is 192.0.0.0
You want to translate that to a 10.0.0.0
Then build a tunnel from 10.0.0.0 -> remote site network  y.y.y.y

To NAT the traffic before it hits the tunnel, you will need to use a Policy NAT.    Cisco has the example on how to set this up right here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

 
itsadmin1 (Author) Commented:
Thanks for the link, it was helpful.

A little more detail.  On our site, we are a 192.168.0.X network; our external IP address is 12.53.150.100
The site we will need to connect to is 69.144.38.48
 
We need to have it go from host to host meaning 192.168.0.97 --> 69.144.38.50 and they want our ip to be translated to 10.9.250.1
 
Thanks in advance
 
 
MikeKane Commented:
Well, is 69.144.38.48 the other side's public IP?    If it is, you can't NAT your outbound traffic to be 10.9.250.1 and have it hit the public IP.  

If this is a VPN tunnel, then you just need to know the remote's internal Server IP so you can use that in the DESTINATION of the policy NAT setup.  

 
itsadmin1 (Author) Commented:
Yes, the 69.144.38.48 is the other side's public IP.  The 69.144.38.50 is the internal server IP.

Thanks
 
MikeKane Commented:
Wait, so the firewall is using the same IP subnets for inside and outside?  Or is that 69.144.38.50 static NAT'd to an internal address?  If there is a VPN tunnel between the 2 sites, it's the internal IP you would use to address it.
 
Boilermaker85 Commented:
I think what you need to supply is a simple diagram or the two configs. The NAT can be done at either end, via PAT or static. But we need to know what globals and NATs you already have in place and whether you have a no-nat currently set up, and what the encryption ACL says. I have some examples of NATing across VPN site-to-site. I do it all the time for partner connections to avoid overlapping address space. But it is hard to know what you want from your description.

First, will all the IPs at your location access one server at the other side? (This usually calls for a PAT setup.) Or is it just a few at your side to one or two on their side? (This is usually done with statics.)
 You will also need to know the order of operations - NAT, encryption, routing - depending on which direction the traffic is going.  Inbound encrypted traffic is first decrypted, then NATed, then routed. Outbound traffic from y
 
Boilermaker85 Commented:
your PCs toward the tunnel is first NATed, then routed to the VPN interface, then encrypted. The outbound ACL is checked before NAT. Inbound traffic is perhaps checked against an ACL after decrypting and before NAT.

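The host-to-host policy NAT discussed in this thread, written out as an added example that is not part of the original posts or of the linked Cisco document. It assumes pre-8.3 ASA software (`static ... access-list` syntax), interface names `inside` and `outside`, that 69.144.38.50 is the address the remote server is reached at through the tunnel (as the asker states), and hypothetical names `POLICY_NAT`, `CRYPTO_ACL`, `OUTSIDE_MAP` and sequence number `10` standing in for whatever the existing tunnel configuration uses.

```cisco
! Added example. Object names and the crypto map sequence number are hypothetical.
!
! 1. Policy NAT ACL: matches the REAL source and the destination.
!    Only this flow is translated; all other traffic from 192.168.0.97
!    keeps using the existing nat/global rules.
access-list POLICY_NAT extended permit ip host 192.168.0.97 host 69.144.38.50
!
! 2. Static policy NAT: present 192.168.0.97 as 10.9.250.1 for that flow only.
static (inside,outside) 10.9.250.1 access-list POLICY_NAT
!
! 3. Crypto (interesting traffic) ACL: outbound traffic is NATed before it is
!    encrypted, so this ACL must match the TRANSLATED source 10.9.250.1,
!    not 192.168.0.97. The remote side mirrors it (their server -> 10.9.250.1).
access-list CRYPTO_ACL extended permit ip host 10.9.250.1 host 69.144.38.50
!
! 4. Bind the ACL to the existing tunnel entry for the remote peer.
crypto map OUTSIDE_MAP 10 match address CRYPTO_ACL
crypto map OUTSIDE_MAP 10 set peer 69.144.38.48
!
! 5. NAT exemption check: a "nat (inside) 0 access-list <name>" rule is
!    evaluated before static policy NAT. If the existing no-nat ACL permits
!    192.168.0.97 -> 69.144.38.50, the packet leaves untranslated and never
!    matches CRYPTO_ACL. Review it with:
!      show running-config nat
!      show running-config access-list
!
! 6. Verification from the ASA:
!      packet-tracer input inside icmp 192.168.0.97 8 0 69.144.38.50 detailed
!        (the NAT phase should show the translation to 10.9.250.1, followed
!         by a VPN encrypt phase)
!      show xlate
!      show crypto ipsec sa peer 69.144.38.48
!        (local ident should be 10.9.250.1/255.255.255.255, and the
!         encaps/decaps counters should both increase under test traffic)
```

If encaps increase but decaps stay at zero, the remote end's crypto ACL or routing does not match 10.9.250.1, which is the side of the configuration this ASA cannot fix.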