Is a policy-based bi-directional NAT possible? I can find plenty of examples to handle a single bi-directional NAT, but the Cisco documentation I've read states that policy-based NAT translates local addresses only. However, I've read conflicting documentation from Cisco where it says any NAT besides NAT exemption can be configured for policy NAT. I've spent numerous hours researching a configuration that could handle this but have come up empty. I would imagine I'm not the first person to run into this; Cisco's documentation is just unclear to me.

Site A will terminate L2L VPNs from Site B and Site C to an ASA 5520. Site A has no administrative control over B or C. Site B and C are choosing to expose the same overlapping private address space. I'm no expert but forced into this by the unexpected exit of our Network Engineer. Can anyone provide assistance?

I know that I need to:
1. specify the address to be translated
2. specify the inside global to translate to

I believe I accomplish this with:

static (outside,inside) 172.17.1.1 10.128.0.0 netmask 255.128.0.0
access-list 101 permit ip 10.128.0.0 255.128.0.0 any
access-group 101 in interface outside

I believe I'll need to create route statements for this as well:

route outside 10.128.0.0 255.128.0.0 12.126.x.x

This satisfies one VPN, but what about Site C? Can I use policy NAT to map that customer's 10.128.0.0/9 to, say, 172.17.2.2? I know the address space I'm mapping to doesn't handle the /9 being exposed to me, but I'll never exceed the range I'm mapping it to. Once I know exactly how many IPs will be coming over the VPN, I will actually create a 1:1 translation as governed by our security policy.

I hope I'm on the right track here and have explained this in a manner that isn't too confusing. Any help? I'm not even sure if a policy-based bi-directional NAT is possible based on the Cisco documentation I've read. Help!
                                      ------------- (12.126.x.x)  Site B (10.128.0.0/9)
Site A (ASA 5520) ------------ WWW Cloud
                                      ------------- (209.128.y.y) Site C (10.128.0.0/9)
Hi,

What you do is Policy NAT on the remote sites:

Site B:
access-list PolicyNAT permit ip 10.128.0.0 255.128.0.0 Site A
static (in,out) 126.96.36.199 access-list PolicyNAT
access-list VPN permit ip 188.8.131.52 255.128.0.0 Site A

Site C:
access-list PolicyNAT permit ip 10.128.0.0 255.128.0.0 Site A
static (in,out) 184.108.40.206 access-list PolicyNAT
access-list VPN permit ip 220.127.116.11 255.128.0.0 Site A

In Site B, we are translating network 10.128.0.0/9 to 18.104.22.168/9 when going to Site A.
In Site C, we are translating network 10.128.0.0/9 to 22.214.171.124/9 when going to Site B.

In both sites, the VPN traffic is from the translated network to Site A.
In Site A, you must send the VPN traffic to 126.96.36.199/9 and 188.8.131.52/9 when trying to reach Site B and Site C respectively.

Hope this helps, let me know.

Federico.
If you only have control over Site A, then as you said you can do Policy NAT on Site A. It will be inbound Policy NAT, so that you translate Site B and Site C to a different IP when entering the Site A network. Instead of NATing the traffic on Site B and Site C, you NAT the traffic when entering inbound on Site A.

Federico.
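The inbound policy NAT described in this last reply, modelled as added example code that is not from the thread: each peer's real prefix maps 1:1 onto a distinct mapped prefix at Site A, so two peers presenting the same 10.128.x.x addresses stay distinguishable when Site A replies. The peer names, the /24 slices, the 172.17.x.0 mapped ranges and the 192.168.0.0/16 inside network are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

def entry(real, mapped):
    """One policy row: the peer's real prefix and the prefix Site A sees it as."""
    return ip_network(real), ip_network(mapped)
# Constructed policy table. Both peers present the same real prefix; the ASA keys
# the translation on which tunnel the packet arrived from, not on the address alone.
POLICY_NAT = {
    "SiteB": entry("10.128.1.0/24", "172.17.1.0/24"),
    "SiteC": entry("10.128.1.0/24", "172.17.2.0/24"),
}
SITE_A_INSIDE = ip_network("192.168.0.0/16")  # constructed local network at Site A

def validate(policy, inside):
    """Net-to-net static NAT needs equal-length prefixes, and each mapped range
    must be disjoint from the others and from the local network; otherwise the
    reverse lookup (mapped address -> peer tunnel) is ambiguous."""
    seen = []
    for peer, (real, mapped) in policy.items():
        if real.prefixlen != mapped.prefixlen:
            raise ValueError(f"{peer}: {real} and {mapped} differ in prefix length")
        if mapped.overlaps(inside):
            raise ValueError(f"{peer}: mapped {mapped} overlaps inside {inside}")
        for other, other_mapped in seen:
            if mapped.overlaps(other_mapped):
                raise ValueError(f"{peer}: mapped {mapped} overlaps {other}'s {other_mapped}")
        seen.append((peer, mapped))
    return True

def translate(addr, src_net, dst_net):
    """Keep the host bits, swap the network bits: a 1:1 net-to-net translation."""
    offset = int(addr) - int(src_net.network_address)
    return ip_address(int(dst_net.network_address) + offset)

def inbound(policy, peer, real_src):
    """Packet arriving over a peer's tunnel: real source -> mapped source."""
    real, mapped = policy[peer]
    src = ip_address(real_src)
    if src not in real:
        raise ValueError(f"{src} from {peer} is outside its policy range {real}")
    return str(translate(src, real, mapped))

def outbound(policy, mapped_dst):
    """Reply from Site A: mapped destination -> (peer tunnel, real destination)."""
    dst = ip_address(mapped_dst)
    for peer, (real, mapped) in policy.items():
        if dst in mapped:
            return peer, str(translate(dst, mapped, real))
    raise ValueError(f"no policy NAT entry covers {dst}")
```

Run `validate` before trusting the table: the overlap check is what the real ASA would not do for you, and an ambiguous mapped range is exactly the failure the original poster is trying to avoid.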