ASA 5505 VPN tunnel nat translation

Hi All

I have an ASA 5505 on which I have created a VPN tunnel to another site. The tunnel is up, but I need to change the IP address from our network side from a 192. to a 10. on their side for it to work.

Thanks
Asked by: itsadmin1

MikeKane Commented:
So you have a source network that is 192.0.0.0.
You want to translate that to a 10.0.0.0.
Then build a tunnel from 10.0.0.0 -> remote site network y.y.y.y.

To NAT the traffic before it hits the tunnel, you will need to use a Policy NAT. Cisco has the example on how to set this up right here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

itsadmin1 (Author) Commented:
Thanks for the link, it was helpful.

A little more detail. On our site, we are a 192.168.0.X network; our external IP address is 12.53.150.100.
The site we will need to connect to is 69.144.38.48.

We need to have it go from host to host, meaning 192.168.0.97 --> 69.144.38.50, and they want our IP to be translated to 10.9.250.1.
 
Thanks in advance
 
MikeKane Commented:
Well, is 69.144.38.48 the other side's public IP? If it is, you can't NAT your outbound traffic to be 10.9.250.1 and have it hit the public IP.

If this is a VPN tunnel, then you just need to know the remote's internal server IP so you can use that in the DESTINATION of the policy NAT setup.

itsadmin1 (Author) Commented:
Yes, the 69.144.38.48 is the other side's public IP. The 69.144.38.50 is the internal server IP.

Thanks
MikeKane Commented:
Wait, so the firewall is using the same IP subnets for inside and outside? Or is that 69.144.38.50 static NAT'd to an internal address? If there is a VPN tunnel between the 2 sites, it's the internal IP you would use to address it.
Boilermaker85 Commented:
I think what you need to supply is a simple diagram or the two configs. The NAT can be done at either end, via PAT or static. But we need to know what globals and NATs you already have in place, whether you have a no-nat currently set up, and what the encryption ACL says. I have some examples of NATing across VPN site-to-site. I do it all the time for partner connections to avoid overlapping address space. But it is hard to know what you want from your description.

First, will all the IPs at your location access one server at the other side? (This usually calls for a PAT setup.) Or is it just a few at your side to one or two on their side? (This is usually done with statics.)
You will also need to know the order of operations (NAT, encryption, routing), depending on which direction the traffic is going. Inbound encrypted traffic is first decrypted, then NATed, then routed. Outbound traffic from y
Boilermaker85 Commented:
your PCs toward the tunnel is first NATed, then routed to the VPN interface, then encrypted. Outbound ACL is checked before NAT. Inbound traffic is perhaps checked against an ACL after decrypting and before NAT.
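The host-to-host policy NAT discussed in this thread, written out as an added example (not posted by any participant and not taken from the linked Cisco document). It assumes ASA software earlier than 8.3, where policy NAT uses the `static ... access-list` form (8.3 and later use object-based twice NAT instead), and it takes 69.144.38.50 as the address the remote server is reached at through the tunnel, as the asker states. The interface names `inside`/`outside`, the ACL names, the crypto map name `outside_map` and sequence number `10` are assumptions.

```cisco
! Added example: policy NAT for one host across an existing site-to-site tunnel.
! Addresses are the ones given in the thread; all names are hypothetical.

! 1. Policy NAT: translate 192.168.0.97 to 10.9.250.1 ONLY when the
!    destination is the partner server. Other traffic from this host
!    keeps its normal translation.
access-list POLICY-NAT-PARTNER extended permit ip host 192.168.0.97 host 69.144.38.50
static (inside,outside) 10.9.250.1 access-list POLICY-NAT-PARTNER

! 2. Crypto (interesting-traffic) ACL: outbound traffic is NATed before it
!    is encrypted, so the source here must be the TRANSLATED address.
!    The partner's crypto ACL must be the exact mirror of this line.
access-list VPN-PARTNER extended permit ip host 10.9.250.1 host 69.144.38.50

! 3. Bind the ACL to the existing crypto map entry for the partner peer.
crypto map outside_map 10 match address VPN-PARTNER
crypto map outside_map 10 set peer 69.144.38.48

! 4. NAT exemption is evaluated before static/policy NAT. If an existing
!    "nat (inside) 0 access-list <name>" ACL contains a permit that matches
!    192.168.0.97 -> 69.144.38.50, the packet leaves untranslated and never
!    matches VPN-PARTNER. Check that ACL and remove or narrow such an entry.
```

To check the result, `packet-tracer input inside tcp 192.168.0.97 1025 69.144.38.50 443 detailed` (ports are constructed sample values) should show the translation to 10.9.250.1 followed by a VPN encrypt phase, and `show crypto ipsec sa peer 69.144.38.48` should list 10.9.250.1 as the local ident.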