
[HELP] Configure NAT-PAT on ASA

15 years 10 months ago #28054 by pipos
Hi guys,
we have configured an L2L VPN tunnel, and now we would like to translate our inside network (172.16.201.0/24) into a single IP (like 192.168.1.99).
In this way, the network peer sees only one host.

Is this possible??? How???

OUR TOPOLOGY:
TIA!!!!
15 years 10 months ago #28098 by r0nni3
Yes, this is possible. I'm not sure if this will work, but I can make you an example configuration for the NAT process.

access-list vpnnat permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
!
global (outside) 25 192.168.1.99
!
nat (inside) 25 access-list vpnnat

This will get you a many-to-one translation, which I experienced to be a bit problematic, so you might be better off using a one-to-one translation. That would look like this.

access-list vpnnat permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
!
static (inside,outside) 192.168.1.0 access-list vpnnat

The last configuration has proven to be the most stable (at least from my experience).

*edit* Not sure if I should tell you this, but just to make sure: use the NATed subnet in the access-list that permits traffic over the tunnel on the other side.


Ron.

Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
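As an added illustration (not Ron's configuration and not ASA code), a small Python model of the two translations shown above and of the pitfall in the edit: the many-to-one PAT collapses every inside host onto 192.168.1.99 and relies on a per-flow port, the net static keeps the host part of the address, and the peer's crypto ACL has to name the translated subnet. The addresses come from the thread; the port allocation is constructed.

```python
import ipaddress

# Values taken from the thread's configuration lines.
INSIDE = ipaddress.ip_network("172.16.201.0/24")      # real inside network
REMOTE = ipaddress.ip_network("172.16.200.0/24")      # peer network behind the tunnel
PAT_ADDRESS = ipaddress.ip_address("192.168.1.99")    # 'global (outside) 25 192.168.1.99'
STATIC_NET = ipaddress.ip_network("192.168.1.0/24")   # 'static (inside,outside) 192.168.1.0 ...'


def matches_policy(src, dst):
    """Policy NAT only fires for traffic the 'vpnnat' ACL permits (inside -> remote)."""
    return ipaddress.ip_address(src) in INSIDE and ipaddress.ip_address(dst) in REMOTE


def many_to_one(src, dst, src_port, pat_state):
    """Model of 'nat (inside) 25 access-list vpnnat' with a single global address.

    Every inside host is hidden behind PAT_ADDRESS; the only thing that keeps two
    flows apart is the translated source port, which is why protocols without a
    port field cannot be multiplexed this way. pat_state is the (constructed)
    translation table, keyed by the real source address and port.
    """
    if not matches_policy(src, dst):
        return src, src_port                       # not covered by the ACL: untranslated
    key = (src, src_port)
    if key not in pat_state:
        pat_state[key] = 1024 + len(pat_state)     # constructed sequential port allocation
    return str(PAT_ADDRESS), pat_state[key]


def one_to_one(src, dst):
    """Model of 'static (inside,outside) 192.168.1.0 access-list vpnnat'.

    A net static maps the whole /24 onto 192.168.1.0/24 and preserves the host
    part, so 172.16.201.7 becomes 192.168.1.7 and no port rewriting is needed.
    """
    if not matches_policy(src, dst):
        return src
    host_offset = int(ipaddress.ip_address(src)) - int(INSIDE.network_address)
    return str(STATIC_NET.network_address + host_offset)


def peer_acl_is_correct(peer_crypto_acl_source):
    """Ron's pitfall: the peer's tunnel ACL must match the translated subnet,
    because that is the source address it actually sees, not the real one."""
    return ipaddress.ip_network(peer_crypto_acl_source) == STATIC_NET
```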
15 years 10 months ago #28119 by pipos
Thanks for your response.
But the translation is one-to-one.

The problem is that ESP cannot support PAT over a VPN tunnel, because it is a layer 3 protocol and doesn't have a specific field for TCP/UDP ports.

Best regards