  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 703

Cisco ASA 5510 Site to site VPN tunnel but remote site has same network - need to NAT

Hi everyone,

So here's the scenario - both sites are using Cisco ASA 5510 - I've got the tunnel up but need to know how to configure a solution for this issue:

- The remote site needs access to monitor equipment on our 172.16.5.0 network; however, the remote site has an internal network using the exact same address space

- The remote site would like us to NAT to the 10.50.48.0 network so that any requests made to my 172 network would come back to that 10 network

- I asked our support people how this could be done (preferably in the GUI as I'm not very strong in CLI on the ASA); here's what they came back with.

access-list RemoteSite-NAT extended permit ip 172.16.5.0 255.255.255.0 10.50.48.0 255.255.255.0
static (inside,outside) 192.168.150.0 access-list RemoteSite-NAT
access-list RemoteSite-VPN extended permit ip 192.168.150.0 255.255.255.0 10.50.48.0 255.255.255.0



Does this look like a proper solution? If the remote side is trying to ping a device on my 172 network what would he use to ping - 192.168.150.1 OR 10.50.48.1? Do I need to make any changes to my switches to allow this traffic through? (I wouldn't think so as the ASA should be doing all the translation but...)

Thanks in advance!
Asked by ITGeneral

1 Solution

Fidelius commented:
I don't think it is a proper solution.

Here is an example of a config just like the one you need:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html#wp1082664

Substitute IP addresses with yours and that should be it.

Regards!
Fidelius commented:
Sorry, I overlooked that you are using a VPN, so you need static policy NAT; the configuration from your support people is correct.
My apologies!

The answer to your other question is 192.168.150.1, as he sees you by that IP in his network. The above sequence of commands says this:
When you are trying to reach network 10.50.48.0/24 from your network 172.16.5.0/24, translate the 172.16.5.0/24 addresses to 192.168.150.0/24 (the translation is one-to-one).

You don't need to change anything on the switches; only if you have a router behind the ASA will you need to add a static route:
ip route 10.50.48.0 255.255.255.0 <IP of ASA's inside interface>

Once again my apologies for previous incorrect answer!

Regards!
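As an added illustration (not part of the original thread, and not Cisco code), the following Python script models what the three proposed lines do: it parses the two access-lists and the policy `static` statement, applies the one-to-one translation that Fidelius describes (172.16.5.x becomes 192.168.150.x only when the destination is 10.50.48.0/24), reverses it for traffic arriving from the remote site, and checks that the crypto ACL selects the translated flow rather than the raw 172 network. The parser only understands the exact ASA 8.2-style syntax shown in the question; first-match ordering and the netmask-style one-to-one mapping are assumptions of the model, so confirm behaviour on the appliance itself.

```python
import ipaddress
import re

# Constructed copy of the three lines proposed in the question
# (ASA 8.2-style policy static NAT plus the crypto ACL).
ASA_CONFIG = """
access-list RemoteSite-NAT extended permit ip 172.16.5.0 255.255.255.0 10.50.48.0 255.255.255.0
static (inside,outside) 192.168.150.0 access-list RemoteSite-NAT
access-list RemoteSite-VPN extended permit ip 192.168.150.0 255.255.255.0 10.50.48.0 255.255.255.0
"""

# Only the two statement shapes used above are recognised (assumption).
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) access-list (\S+)$")


def parse_config(text):
    """Return (acls, statics).
    acls maps ACL name -> list of (source network, destination network);
    statics is a list of policy static NAT statements in config order."""
    acls, statics = {}, []
    for line in text.strip().splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            name, s_ip, s_mask, d_ip, d_mask = m.groups()
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{s_ip}/{s_mask}"),
                ipaddress.ip_network(f"{d_ip}/{d_mask}")))
            continue
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped_ip, acl = m.groups()
            statics.append({"real_if": real_if, "mapped_if": mapped_if,
                            "mapped_ip": ipaddress.ip_address(mapped_ip),
                            "acl": acl})
    return acls, statics


def translate(host, dest, acls, statics):
    """Outbound: apply the first policy static NAT whose ACL matches
    (host -> dest). The mapped address keeps the host's offset inside the
    real network, i.e. the one-to-one mapping described in the answer."""
    host, dest = ipaddress.ip_address(host), ipaddress.ip_address(dest)
    for st in statics:
        for real_net, dest_net in acls.get(st["acl"], []):
            if host in real_net and dest in dest_net:
                offset = int(host) - int(real_net.network_address)
                return ipaddress.ip_address(int(st["mapped_ip"]) + offset)
    return host  # no policy NAT matched: address left untouched


def untranslate(mapped_host, remote_src, acls, statics):
    """Inbound: a static is bidirectional, so a packet from the remote site
    addressed to 192.168.150.x is delivered to 172.16.5.x."""
    mapped_host = ipaddress.ip_address(mapped_host)
    remote_src = ipaddress.ip_address(remote_src)
    for st in statics:
        for real_net, dest_net in acls.get(st["acl"], []):
            mapped_net = ipaddress.ip_network(
                f"{st['mapped_ip']}/{real_net.prefixlen}", strict=False)
            if mapped_host in mapped_net and remote_src in dest_net:
                offset = int(mapped_host) - int(mapped_net.network_address)
                return ipaddress.ip_address(int(real_net.network_address) + offset)
    return mapped_host


def crypto_acl_covers(src, dst, acls, name="RemoteSite-VPN"):
    """True if the crypto ACL would select (src -> dst) for the tunnel.
    Interesting traffic must be matched AFTER NAT, hence the 192 network."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in acls.get(name, []))


def check_overlap(local_net, remote_net):
    """True when the two real networks overlap, i.e. NAT is required."""
    return ipaddress.ip_network(local_net).overlaps(ipaddress.ip_network(remote_net))


if __name__ == "__main__":
    acls, statics = parse_config(ASA_CONFIG)
    mapped = translate("172.16.5.1", "10.50.48.10", acls, statics)
    print("172.16.5.1 is seen by the remote site as", mapped)
    print("remote ping to 192.168.150.1 lands on",
          untranslate("192.168.150.1", "10.50.48.10", acls, statics))
    print("crypto ACL matches translated flow:",
          crypto_acl_covers(mapped, "10.50.48.10", acls))
    print("crypto ACL matches untranslated flow:",
          crypto_acl_covers("172.16.5.1", "10.50.48.10", acls))
    print("real networks overlap:",
          check_overlap("172.16.5.0/24", "172.16.5.0/24"))
```

Running it shows the point of the thread: the remote side pings 192.168.150.1, the ASA hands that to 172.16.5.1, and the raw 172.16.5.0/24 address never appears in the crypto ACL, which is exactly why the overlapping address space on the remote side is not a problem for the tunnel.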
ITGeneral (author) commented:
Thanks Fidelius, no worries about first comment as I didn't get around to looking at this until Monday morning anyway.

Haven't been able to fully test this new setup yet as we've been having issues with the tunnel itself for one reason or another. So once we get that ironed out I'll post back here if there's any issues but I agree that this should work just fine.