
NAT Remote VPN traffic in ASA

rijukl asked:
I have 3 sites all connected tunneled via ASA. Site B accepts incoming only from a certain IP subnet - 10.173.18.0/24.
My VPN client pool for Site A is 10.20.0.0. I can't change the pool for some reason. How do I NAT my VPN client pool in Site A so that Site B sees traffic coming in from 10.173.18.1?
I am running ASA OS 8.4 which makes it more difficult to understand.

Network Architect
Commented:
There are a couple of options, but my concern is whether 10.173.18.0/24 already exists somewhere.  If it does, NATing your VPN pool to that subnet seems like a generally bad idea.  Maybe you can PAT to a single address in that range and it would work.  You can't expand the ACL on Site B to permit 10.20.0.0 traffic as well?  This seems to me like a much better idea.

If you really want to go down the NAT road, there are several documents out on the web about how to configure it, and how 8.3 and later differs from 8.2 and earlier.  I think the best is https://supportforums.cisco.com/docs/DOC-9129 but if you can't get to that try  http://osimatrix.wordpress.com/2011/03/29/cisco-asa-8-3-basic-nat-guide-simple-yet-practical-overview/ or http://www.thenetworker.co.uk/blog/?p=1
Commented:
PAT to a single address (10.173.18.1) is what I want.
Unfortunately, Site B is a customer site and they won't allow 10.20 network.
The links you gave me are great and have given me a good start. I will review them, apply and let you know soon.

Author

Commented:
Thanks. Your links really helped.
I could PAT it to the IP I wanted and got it working. Cisco has messed up the commands big time in 8.4 and I am having a tough time interpreting them. All these were so easy in 8.2.
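
For reference, a sketch of the policy PAT discussed in this thread in ASA 8.3+/8.4 twice-NAT syntax. It is an added example, not configuration posted by anyone in the thread. It assumes the VPN clients and the Site B tunnel both terminate on an interface named `outside`, a 255.255.0.0 mask for the pool, and a placeholder Site B LAN of 192.0.2.0/24; the object and ACL names are hypothetical.

```cisco
! Added example. Assumptions, none of them stated in the thread:
!  - remote-access clients and the Site B tunnel both use interface "outside"
!  - the pool mask is 255.255.0.0
!  - 192.0.2.0/24 is a placeholder for the real Site B LAN
!  - object and ACL names are hypothetical
!
! Let client traffic enter and leave the same interface (hairpin).
same-security-traffic permit intra-interface
!
object network VPN-POOL
 subnet 10.20.0.0 255.255.0.0
! 10.173.18.1 must not be in use by any real host in 10.173.18.0/24.
object network VPN-POOL-PAT
 host 10.173.18.1
object network SITE-B-LAN
 subnet 192.0.2.0 255.255.255.0
!
! Twice NAT: PAT the pool to 10.173.18.1 only when the destination is Site B.
! The destination is translated to itself, so traffic to other sites is untouched.
nat (outside,outside) source dynamic VPN-POOL VPN-POOL-PAT destination static SITE-B-LAN SITE-B-LAN
!
! The crypto ACL for the Site B tunnel must match the translated source,
! because NAT is applied before the traffic is selected for encryption.
access-list SITE-B-CRYPTO extended permit ip host 10.173.18.1 192.0.2.0 255.255.255.0
```

Manual NAT rules are evaluated in order with first match winning, so this rule has to sit above any identity NAT that already covers the pool. `show nat detail` and `show xlate` confirm whether client traffic is hitting the rule and being translated to 10.173.18.1.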