Cisco ASA 5510 Site to site VPN tunnel but remote site has same network - need to NAT

Hi everyone,

So here's the scenario - both sites are using Cisco ASA 5510 - I've got the tunnel up but need to know how to configure a solution for this issue:

- Remote site needs access to monitor equipment on our network; however, the remote site has an internal network using the exact same address space

- Remote site would like us to NAT to network so that any requests made to my 172 network would come back to that 10 network

- I asked our support people how this could be done (preferably in the GUI, as I'm not very strong in the CLI on the ASA); here's what they came back with:

access-list RemoteSite-NAT extended permit ip
static (inside,outside) access-list RemoteSite-NAT
access-list RemoteSite-VPN extended permit ip


Does this look like a proper solution? If the remote side is trying to ping a device on my 172 network, what would he use to ping? Or do I need to make any changes to my switches to allow this traffic through? (I wouldn't think so, as the ASA should be doing all the translation, but...)

Thanks in advance!
1 Solution
I don't think it is a proper solution.

Here is an example of the config, just like the one you need:

Substitute IP addresses with yours and that should be it.

Sorry, I overlooked that you are using a VPN, so you need static policy NAT, so the configuration from your support people is correct.
My apologies!

The answer to your other question is: as he sees you by that IP in his network. The above sequence of commands says this:
When you are trying to reach network from your network, translate address to (the translation is one-to-one).

You don't need to change anything on the switches; only if you have a router behind the ASA will you need to add a static route:
ip route <IP of ASA's inside interface>

Once again my apologies for previous incorrect answer!
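
A small Python helper, added here and not from the thread, from Cisco or from the answerer, that writes out the same three pre-8.3 ASA lines the support people suggested, computes the one-to-one mapping a remote host would ping, and checks the plan for the overlap problem this thread is about. The subnets and the `inside`/`outside` interface names are constructed assumptions, since the thread omits its real addresses.

```python
import ipaddress

# Constructed sample values for illustration; the thread omits its real addresses.
LOCAL_NET = ipaddress.ip_network("10.10.0.0/24")     # our real inside network
REMOTE_NET = ipaddress.ip_network("10.10.0.0/24")    # remote site uses the same space
MAPPED_NET = ipaddress.ip_network("172.16.50.0/24")  # what the remote site addresses us as


def validate_plan(local, remote, mapped):
    """Return findings for a static policy NAT plan; an empty list means it is sound."""
    findings = []
    if mapped.overlaps(remote) or mapped.overlaps(local):
        findings.append("error: mapped network collides with a real network on one side")
    if mapped.prefixlen != local.prefixlen:
        findings.append("error: one-to-one static NAT needs equal-size real and mapped networks")
    if remote.overlaps(local):
        findings.append("warning: remote sources still fall inside your own LAN; replies will "
                        "not route back unless the remote site's sources are translated too")
    return findings


def mapped_address(real_host, local=LOCAL_NET, mapped=MAPPED_NET):
    """One-to-one translation: keep the host offset, swap the network part."""
    host = ipaddress.ip_address(real_host)
    if host not in local:
        raise ValueError(f"{host} is not inside {local}")
    return mapped.network_address + (int(host) - int(local.network_address))


def asa_policy_nat(local, remote, mapped, acl_nat="RemoteSite-NAT", acl_vpn="RemoteSite-VPN"):
    """Pre-8.3 ASA commands in the same shape as the thread's three lines (filled in)."""
    return "\n".join([
        # policy NAT ACL: our real network talking to the remote network
        f"access-list {acl_nat} extended permit ip {local.network_address} {local.netmask} "
        f"{remote.network_address} {remote.netmask}",
        # static policy NAT: present our real network as the mapped network
        f"static (inside,outside) {mapped.network_address} access-list {acl_nat}",
        # crypto ACL: interesting traffic is the *mapped* network, since NAT runs before the VPN
        f"access-list {acl_vpn} extended permit ip {mapped.network_address} {mapped.netmask} "
        f"{remote.network_address} {remote.netmask}",
    ])


if __name__ == "__main__":
    for finding in validate_plan(LOCAL_NET, REMOTE_NET, MAPPED_NET):
        print(finding)
    print(asa_policy_nat(LOCAL_NET, REMOTE_NET, MAPPED_NET))
    print("remote side pings", mapped_address("10.10.0.25"), "to reach 10.10.0.25")
```

The warning the checker prints is the part the three lines alone do not cover: with only our side translated, a remote host still arrives with a source address that our hosts believe is on their own LAN.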

ITGeneral (Author) commented:
Thanks Fidelius, no worries about first comment as I didn't get around to looking at this until Monday morning anyway.

Haven't been able to fully test this new setup yet, as we've been having issues with the tunnel itself for one reason or another. So once we get that ironed out I'll post back here if there are any issues, but I agree that this should work just fine.
