Bi-Directional Policy NAT

IPsec, L2TP, Split tunneling, PPTP and all other VPN related posts.
Guest

Re:Bi-Directional Policy NAT

Post by Guest » Wed Dec 08, 2010 11:49 pm

access-list SiteB permit ip 10.128.0.0 255.128.0.0 Site A
nat (outside) 1 access-list SiteB outside
global (inside) 1 1.0.0.0 255.128.0.0
access-list SiteC permit ip 10.128.0.0 255.128.0.0 Site A
nat (outside) 2 access-list SiteC outside
global (inside) 2 2.0.0.0 255.128.0.0

Is this the problem that you're having? You cannot define inbound Policy NAT for both sites on Site A, since both come from the same source network to the same destination network. The above configuration will translate Site B 10.128.0.0/9 to 1.0.0.0/9 when entering Site A, but it will overlap with the rule for Site C. For testing purposes, to see if it works, you can define a portion of Site A for the VPN to Site B and another portion of Site A for the tunnel to Site C (so there won't be overlapping and you can test if the Policy NAT works as intended). Federico.
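
To make the overlap concrete, here is an added checker (not part of the thread, not ASA code) that models the two inbound policy NAT rules and flags pairs whose ACLs can match the same flow; Site A's network is assumed to be 192.168.0.0/16, and the second rule set shows Federico's suggestion of giving each tunnel its own portion of Site A.

```python
# Added example: detect ASA-style policy NAT rules on Site A's outside
# interface that match the same (source, destination) traffic.
# All networks are constructed for illustration; Site A = 192.168.0.0/16 is assumed.
from ipaddress import ip_network, IPv4Network
from itertools import combinations
from typing import List, NamedTuple, Tuple


class PolicyNatRule(NamedTuple):
    name: str            # access-list name, e.g. "SiteB"
    source: IPv4Network  # real source network arriving on the outside interface
    dest: IPv4Network    # Site A destination network selected by the ACL
    mapped: IPv4Network  # global pool the source is translated into


def rule(name: str, source: str, dest: str, mapped: str) -> PolicyNatRule:
    return PolicyNatRule(name, ip_network(source), ip_network(dest), ip_network(mapped))


def find_conflicts(rules: List[PolicyNatRule]) -> List[Tuple[str, str]]:
    """Return (ruleA, ruleB) name pairs whose ACLs can match the same packet.

    Two inbound policy NAT rules conflict when their source networks overlap
    AND their destination networks overlap: the firewall then has two candidate
    translations for one flow and only one of them can ever be applied.
    """
    conflicts = []
    for a, b in combinations(rules, 2):
        if a.source.overlaps(b.source) and a.dest.overlaps(b.dest):
            conflicts.append((a.name, b.name))
    return conflicts


# As posted: both remote sites use 10.128.0.0/9 and both ACLs select all of Site A.
AS_POSTED = [
    rule("SiteB", "10.128.0.0/9", "192.168.0.0/16", "1.0.0.0/9"),
    rule("SiteC", "10.128.0.0/9", "192.168.0.0/16", "2.0.0.0/9"),
]

# Test suggestion: each tunnel gets its own half of Site A, so the ACLs
# no longer select the same flows and the translations become unambiguous.
SPLIT_DEST = [
    rule("SiteB", "10.128.0.0/9", "192.168.0.0/17", "1.0.0.0/9"),
    rule("SiteC", "10.128.0.0/9", "192.168.128.0/17", "2.0.0.0/9"),
]

if __name__ == "__main__":
    print("as posted:", find_conflicts(AS_POSTED))    # [('SiteB', 'SiteC')]
    print("split dest:", find_conflicts(SPLIT_DEST))  # []
```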

Guest

Re:Bi-Directional Policy NAT

Post by Guest » Thu Dec 09, 2010 12:36 am

I can test as you suggest, I just wasn't sure where to start with the conflicting documentation I've read. What if I give my ASA another public IP and have Site B terminate to one IP and Site C terminate to a different IP? Would the configuration you provided still be valid and allow me to translate the same source addresses based on the different destination address? I'm so confused by Cisco's documentation. I've read multiple documents numerous times and they simply don't clarify it in a way that is understandable to me. I passed my CCNA about 5 years ago and have been thrown into this current situation with the exit of our engineer. I'm more of a Layer 2 guy and I've had minimal exposure to VPN. I can throw together a site-to-site if I had to, I'm just not sure how to deal with multiple customer VPNs with overlapping addresses. Thank you for your help Federico.

Guest

Re:Bi-Directional Policy NAT

Post by Guest » Thu Dec 09, 2010 2:01 am

I agree with you 100%, unfortunately the documentation sucks! If you give the ASA a different public IP on another interface and terminate the other tunnel there, you can still use the configuration of Policy NAT on Site A and it should work. Give it a try and let us know if you need further help. Federico.

Guest

Re:Bi-Directional Policy NAT

Post by Guest » Thu Dec 09, 2010 2:08 am

Appreciate the help Federico. I should have the config live within a week and will update this post with the results.
