
Bi-Directional Policy NAT

IPsec, L2TP, Split tunneling, PPTP and all other VPN related posts.

Re:Bi-Directional Policy NAT

Postby Guest » Wed Dec 08, 2010 10:49 pm

! Policy NAT for the Site B tunnel: translate 10.128.0.0/9 into the 1.0.0.0/9 pool
! when it enters Site A (the "outside" keyword makes this an outside NAT rule).
access-list SiteB permit ip 10.128.0.0 255.128.0.0 Site A
nat (outside) 1 access-list SiteB outside
global (inside) 1 1.0.0.0-1.127.255.255 netmask 255.128.0.0

! Policy NAT for the Site C tunnel: same real source network, translated into 2.0.0.0/9.
access-list SiteC permit ip 10.128.0.0 255.128.0.0 Site A
nat (outside) 2 access-list SiteC outside
global (inside) 2 2.0.0.0-2.127.255.255 netmask 255.128.0.0


Is this the problem that you're having?
You cannot define inbound Policy NAT for both sites on Site A, since both come from the same source network to the same destination network.

The above configuration will translate Site B 10.128.0.0/9 to 1.0.0.0/9 when entering Site A, but it will overlap with the rule for Site C.

 

For testing purposes, to see if it works, you can define a portion of Site A for the VPN to Site B and another portion of Site A for the tunnel to Site C (so there won't be any overlap and you can test whether the Policy NAT works as intended).

 

Federico.



Re:Bi-Directional Policy NAT

Postby Guest » Wed Dec 08, 2010 11:36 pm

I can test as you suggest, I just wasn't sure where to start with the conflicting documentation I've read.

 

What if I give my ASA another public IP and have Site B terminate to one IP and Site C terminate to a different IP? Would the configuration you provided still be valid and allow me to translate the same source addresses based on the different destination address?

 

I'm so confused by Cisco's documentation. I've read multiple documents numerous times and they simply don't clarify it in a way that is understandable to me. I passed my CCNA about 5 years ago and have been thrown into this current situation with the exit of our engineer. I'm more of a Layer 2 guy and I've had minimal exposure to VPN. I can throw together a site-to-site if I had to, I'm just not sure how to deal with multiple customer VPNs with overlapping addresses.

 

Thank you for your help Federico.


Re:Bi-Directional Policy NAT

Postby Guest » Thu Dec 09, 2010 1:01 am

I agree with you 100%; unfortunately, the documentation sucks!

If you give the ASA a different public IP on another interface and terminate the other tunnel there, you can still use the configuration of Policy NAT on Site A and it should work.

 

Give it a try and let us know if you need further help.

 

Federico.

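The overlap Federico points out in his first reply, and the two ways around it discussed in this thread (carving Site A into two portions, or terminating the second tunnel on a separate interface with its own public IP), can be checked before touching the ASA. The following is an added example, not code from the original posts: a small Python checker that models each pre-8.3 style policy NAT rule as (ingress interface, real source, destination, mapped pool) and reports rule pairs that can match the same packet, which is exactly the situation where the ASA would only ever use the first rule. Site A's network (10.1.0.0/16), the /17 split of it and the second interface name "outside2" are assumptions, since the thread never states them; the rule sets below are constructed from the posted configuration and the two workarounds.

```python
"""Check ASA-style policy NAT rules for ambiguous (overlapping) matches.

Added example for this thread; the networks for Site A and the second
interface name are assumed, the remote networks and pools come from the post.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from itertools import combinations


@dataclass(frozen=True)
class PolicyNatRule:
    """One policy NAT rule: the nat/global pair keyed by its access-list."""
    acl: str                 # access-list name, e.g. "SiteB"
    real_ifc: str            # interface the nat statement is bound to
    real_src: IPv4Network    # source network matched by the ACL
    dst: IPv4Network         # destination network matched by the ACL
    mapped_src: IPv4Network  # pool the source is translated into


def rule(acl, real_ifc, real_src, dst, mapped_src):
    """Build a rule from prefix strings such as "10.128.0.0/9"."""
    return PolicyNatRule(acl, real_ifc, ip_network(real_src),
                         ip_network(dst), ip_network(mapped_src))


def ambiguous_matches(rules):
    """Pairs of rules that can match the same packet.

    Policy NAT classifies a packet on (ingress interface, source, destination).
    Two rules whose criteria overlap are ambiguous: only the first one
    configured is used for the shared traffic, so the second site's
    translation never happens.
    """
    return [
        (a.acl, b.acl)
        for a, b in combinations(rules, 2)
        if a.real_ifc == b.real_ifc
        and a.real_src.overlaps(b.real_src)
        and a.dst.overlaps(b.dst)
    ]


def pool_collisions(rules):
    """Pairs of rules whose mapped pools overlap.

    Even with distinct matches, Site A could not tell Site B from Site C
    apart if both were translated into the same address space.
    """
    return [
        (a.acl, b.acl)
        for a, b in combinations(rules, 2)
        if a.mapped_src.overlaps(b.mapped_src)
    ]


SITE_A = "10.1.0.0/16"  # assumed Site A network; the thread never states it

# Constructed: the configuration from the post, both remote sites 10.128.0.0/9
ORIGINAL = [
    rule("SiteB", "outside", "10.128.0.0/9", SITE_A, "1.0.0.0/9"),
    rule("SiteC", "outside", "10.128.0.0/9", SITE_A, "2.0.0.0/9"),
]

# Constructed: Federico's test suggestion, a different slice of Site A per tunnel
SPLIT_SITE_A = [
    rule("SiteB", "outside", "10.128.0.0/9", "10.1.0.0/17", "1.0.0.0/9"),
    rule("SiteC", "outside", "10.128.0.0/9", "10.1.128.0/17", "2.0.0.0/9"),
]

# Constructed: second public IP on its own interface ("outside2" is assumed),
# with the Site C tunnel terminating there
SPLIT_INTERFACE = [
    rule("SiteB", "outside", "10.128.0.0/9", SITE_A, "1.0.0.0/9"),
    rule("SiteC", "outside2", "10.128.0.0/9", SITE_A, "2.0.0.0/9"),
]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL),
                         ("split Site A", SPLIT_SITE_A),
                         ("second interface", SPLIT_INTERFACE)):
        print(f"{label}: ambiguous={ambiguous_matches(rules)} "
              f"pool collisions={pool_collisions(rules)}")
```

Running it reports the posted configuration as ambiguous (SiteB and SiteC both match 10.128.0.0/9 to Site A on the same interface) and both workarounds as clean. The script only models how the rules are classified; it says nothing about whether the translation itself behaves as intended once the rules are distinct, which is what the lab test Federico suggests is for.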

Re:Bi-Directional Policy NAT

Postby Guest » Thu Dec 09, 2010 1:08 am

Appreciate the help Federico. I should have the config live within a week and will update this post with the results.

