
Monday, September 13, 2010

Source NAT Configuration - How do we configure the ASA5510 on my side to create the tunnel ?

We need to set up a VPN tunnel to a remote site. Both our location and the remote location use the 10.x.y.z address scheme. The remote end offered up a 172.16.6.0/27 net for a destination network. How do we configure the ASA5510 on my side to create the tunnel as if it were coming from the 172.16.6.0/27 network? Our subnets are 10.10.20.0/24, 10.10.30.0/24, and 10.2.1.0/24. We already have a network object group containing these networks. We've created many VPNs in the past, but this is the first time I've had to contend with destination subnets that overlap ours.

  • If both sides overlap, you can NAT the subnet on both sides. You translate one side to subnet A and the other side to subnet B, so the communication is established between subnets A and B.
  • The easiest way to do this is to translate the source address (this means the NAT is done on the source VPN device, not on the terminating device). In other words, if your ASA needs to see the remote overlapping 10.x.x.x as 172.16.x.x, it's better that you NAT on the other end.
  • If the tunnel is bi-directional, you have to NAT on both ends, the reason being:
Site A LAN 10.1.1.0/24

Site B LAN 10.1.1.0/24

  • If you establish the tunnel between both sites, it will come up. But when Site A 10.1.1.x tries to talk to 10.1.1.y on the other side, it will think the traffic should stay local and not send it through the tunnel. If you only NAT on Site A, for example, so that Site A is translated to 10.2.2.0/24, then Site A will still originate a packet destined to 10.1.1.y to get to the other side of the tunnel, and the same thing will happen. This is why you should NAT on both ends.
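As an added example that is not part of the summarized post, here is the Site A / Site B case above expressed as ASA 8.2 configuration (the release most ASA5510s ran in 2010; the 8.3+ equivalent of the NAT statement is included as comments). Site A's mapped subnet 10.2.2.0/24 comes from the post; Site B's mapped subnet 10.3.3.0/24, the peer addresses 203.0.113.1 and 203.0.113.2, the ISAKMP/IPsec parameters and all ACL, crypto map and tunnel-group names are assumptions for illustration.

```text
! ---- Site A ASA (8.2 syntax), inside LAN 10.1.1.0/24 ----
! Site A is presented to Site B as 10.2.2.0/24 (from the post above).
! Site B is presented to Site A as 10.3.3.0/24 (assumed).
! Peers 203.0.113.1 (Site A) and 203.0.113.2 (Site B) are assumed.

! 1. Static policy NAT: only traffic from the real LAN towards the REMOTE
!    side's translated subnet is rewritten, so normal Internet NAT is untouched.
!    The mapped subnet takes its mask from the ACL entry.
access-list VPN-NAT-TO-SITEB extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
static (inside,outside) 10.2.2.0 access-list VPN-NAT-TO-SITEB

! 2. Crypto ACL names the TRANSLATED addresses on both sides. The ASA applies
!    NAT before it evaluates the crypto map, so an entry that still says
!    10.1.1.0/24 would never match and the tunnel would never be triggered.
access-list VPN-SITEA-TO-SITEB extended permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0

! 3. IKE phase 1 / IPsec phase 2 (assumed parameters; agree them with the peer)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-SITEA-TO-SITEB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <shared-secret>

! ---- Site B ASA: the mirror image (its real LAN is also 10.1.1.0/24) ----
access-list VPN-NAT-TO-SITEA extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
static (inside,outside) 10.3.3.0 access-list VPN-NAT-TO-SITEA
access-list VPN-SITEB-TO-SITEA extended permit ip 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0
! ... same isakmp policy, transform set and crypto map, but with
!     "set peer 203.0.113.1" and "tunnel-group 203.0.113.1 ...".

! ---- Same NAT on ASA 8.3 and later (twice NAT, replaces the static line) ----
! object network SITEA-REAL
!  subnet 10.1.1.0 255.255.255.0
! object network SITEA-MAPPED
!  subnet 10.2.2.0 255.255.255.0
! object network SITEB-MAPPED
!  subnet 10.3.3.0 255.255.255.0
! nat (inside,outside) source static SITEA-REAL SITEA-MAPPED destination static SITEB-MAPPED SITEB-MAPPED
```

Two things to check before declaring it done. First, on 8.2 an existing NAT exemption (`nat (inside) 0 access-list NONAT`) is evaluated before static policy NAT, so the NONAT ACL must not contain an entry covering 10.1.1.0/24 to 10.3.3.0/24 or the translation is silently skipped. `packet-tracer input inside tcp 10.1.1.10 1025 10.3.3.10 80` shows which NAT rule fired and whether the VPN phase matched, and `show crypto ipsec sa` should list local ident 10.2.2.0/255.255.255.0 and remote ident 10.3.3.0/255.255.255.0. Second, hosts at Site A must address Site B hosts by their translated 10.3.3.x addresses (and vice versa), so any DNS records or application configuration that point at 10.1.1.x on the far side have to be adjusted. For the original question, where the offered 172.16.6.0/27 is far too small to map three /24s one-to-one, the static form above will not fit; the alternative on 8.2 is dynamic policy NAT (`nat (inside) 2 access-list ...` paired with `global (outside) 2 172.16.6.1-172.16.6.30`), at the cost that only connections initiated from the local side will work.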

Citation - This blog post does not reflect original content from the author. Rather, it summarizes content relevant to the topic from different sources on the web. The sources might include online discussion boards, forums, websites and others.
