Saturday, June 20, 2009

How to NAT VPN Traffic on a Cisco ASA

I couldn't find any clear information on the Internet about this, so I thought I would outline it here. Say you have to set up a LAN-to-LAN VPN to a third party who can't accept traffic from the subnet you have created on your internal network because your network overlaps with theirs, or, as in my case, they just want one address coming over to their network. The answer is to NAT that VPN traffic using a non-overlapping IP address.

Let's say we have the following parameters:

Your Network: 172.20.30.0/24
Their Network: 172.20.31.0/24
Host you need access to on the other side: 172.20.31.110

Simplistic example but you get the idea. You need to access the host address above to run a certain application. The 3rd party also provides you with the address they want you to use for your NAT.

IP Address Provided by 3rd Party: 192.168.35.17

OK, so you know you have to make all of your traffic look like it is coming from 192.168.35.17 to make this VPN work, but the question is how. This is where I got stuck. There are very few articles on the web that deal with this situation and I ended up having to piece the eventual answer together from several different articles. But here you go:

First, create an access-list that will allow your traffic coming from your network to access the host on the 3rd party network.

access-list VPN permit ip 172.20.30.0 255.255.255.0 host 172.20.31.110

Next, create an access-list that will allow the NAT address to access the host on the 3rd party network.

access-list VPN_NAT permit ip host 192.168.35.17 host 172.20.31.110

Now create a NAT statement that flags traffic coming from your network heading to the 3rd party host.

nat (inside) 20 access-list VPN

Next create a GLOBAL statement that NATs the traffic flagged as interesting in the above statement into the address provided by the 3rd party.

global (outside) 20 192.168.35.17

Finally, create a crypto map statement in your VPN configuration that flags the necessary traffic as interesting so the VPN knows when to start.

crypto map testmap 120 match address VPN_NAT
After performing the above steps, if you ping the address 192.168.35.17, you should be able to see your VPN start up and after a brief delay you should get replies.

1 comment:

  1. I appreciate your article and your time to explain this. As you mention, this is not very clear on the internet. Thanks, it worked for me. I did it a while ago and I forgot how to replicate it; this helped me to accomplish the task.