aryoba (Premium, MVM, join: 2002-08-22, kudos: 1) | First things first. You have to use NAT-ed IP subnets that have minimal to no chance to be used within either your or your client's network. Private IP subnets are in general poor choices since such subnets have a chance to be used internally somewhere within either your or your client's network.
Public IP subnets should be the best choice since with Public IP subnets, there is no chance of duplicate IP addresses taking place on either your or your client's network. Furthermore, you can use Public IP subnets to route over the Internet directly without IPSec VPN tunnel as a backup in case the IPSec VPN tunnel is unusable or down.
There are several ways to come up with Public IP subnets such as the following.
1. Both you and your client purchase or lease Public IP subnets from your ISP
2. You purchase two separate Public IP subnets to use from ISPs. One Public IP subnet you purchase from your own ISP for your network and one Public IP subnet you purchase from your client's ISP on behalf of your client as part of the business agreement
You may want to discuss this avenue with your supervisor to see if this is doable. |
reply to PS3 | Yes, you can use NAT. Assuming you only need help with the NAT part, here is what I would do:
First determine what your NAT space will be. You will need an address block or "network" for each site. Say that you currently use 192.168.0.0/16 at both sites. For site 1, you would pick a network block big enough for all hosts that you will need to communicate with on the other network. For the sake of this discussion, you use 10.0.0.0/16 for SITE A, and 10.1.0.0/16 for SITE B.
object-group network natforsiteb
 network-object 10.1.0.0 255.255.0.0
access-list myvpntositeb extended permit ip 10.0.0.0 255.255.0.0 object-group natforsiteb
crypto map vpn 10 match address myvpntositeb
If you have specific static NATs, they would be:
access-list VPNBNAT1 extended permit ip host 192.168.0.1 10.1.0.0 255.255.0.0
static (inside,outside) 10.0.0.1 access-list VPNBNAT1
If you want to do a hide NAT, where you hide your entire network behind an address, it would be:
access-list hidenat1 extended permit ip 192.168.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (inside) 11 access-list hidenat1
! the hide address for pool 11; 10.0.0.254 is an assumed pick from SITE A's 10.0.0.0/16 block
global (outside) 11 10.0.0.254
I would recommend that if you are doing NAT like this, especially with another company, that you use proper IP addresses if you own them or have them available (non-RFC 1918 addresses).
Obviously, you would need to tweak to your specific needs, and would need to essentially do the same thing in reverse on your other ASA, but that should get you started.
If you understand the order of operations, it should all make sense (i.e., NAT before encryption). When you are configuring your crypto settings, write the config such that the NAT has already happened. For example, the correct encryption policy is to encrypt everything from 10.0.0.0/16 TO 10.1.0.0/16, NOT 192.168.0.0/16 to 192.168.0.0/16 or even 192.168.0.0/16 to 10.1.0.0/16.
HTH |
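The two replies above make two points that are easy to get wrong when planning NAT over an IPsec tunnel: the NAT blocks must not collide with address space already in use at either site (the first reply's reason for preferring public space), and the crypto ACL must match the post-NAT addresses because translation happens before encryption (the "10.0.0.0/16 TO 10.1.0.0/16, NOT 192.168.0.0/16" rule). The following Python script is an added example, not code from either poster: it checks a NAT plan for overlaps, does the offset-preserving static translation (192.168.0.1 becomes 10.0.0.1), emits ASA 8.2-style lines in the shape the second reply uses, and then checks that no crypto ACL still references the pre-NAT network. The subnets are the thread's own; the object-group and ACL names, the crypto map sequence number and the hide address 10.0.0.254 are assumptions.

```python
import ipaddress
from typing import List

# Constructed values following the thread: both sites run 192.168.0.0/16 internally,
# SITE A is presented to SITE B as 10.0.0.0/16 and SITE B to SITE A as 10.1.0.0/16.
SITE_A_INTERNAL = ipaddress.ip_network("192.168.0.0/16")
SITE_B_INTERNAL = ipaddress.ip_network("192.168.0.0/16")
SITE_A_NAT = ipaddress.ip_network("10.0.0.0/16")
SITE_B_NAT = ipaddress.ip_network("10.1.0.0/16")


def nat_plan_errors(internal_a, internal_b, nat_a, nat_b) -> List[str]:
    """Hard errors: a NAT block that overlaps the other NAT block or either
    site's real address space makes translated addresses ambiguous."""
    errors = []
    if nat_a.overlaps(nat_b):
        errors.append(f"NAT blocks {nat_a} and {nat_b} overlap")
    for nat_name, nat in (("SITE A NAT", nat_a), ("SITE B NAT", nat_b)):
        for int_name, internal in (("SITE A internal", internal_a),
                                   ("SITE B internal", internal_b)):
            if nat.overlaps(internal):
                errors.append(f"{nat_name} {nat} overlaps {int_name} {internal}")
    return errors


def nat_plan_warnings(nat_a, nat_b) -> List[str]:
    """Soft warnings: RFC 1918 NAT blocks work today but may collide with space a
    partner uses later, which is why the thread recommends addresses you own."""
    return [f"{nat} is RFC 1918 space; consider an address block you own"
            for nat in (nat_a, nat_b) if nat.is_private]


def translate(host, internal, nat):
    """Offset-preserving static NAT: 192.168.0.1 in 192.168.0.0/16 -> 10.0.0.1 in 10.0.0.0/16."""
    host = ipaddress.ip_address(host)
    if host not in internal:
        raise ValueError(f"{host} is not inside {internal}")
    if nat.prefixlen != internal.prefixlen:
        raise ValueError("offset-preserving NAT needs equal-sized blocks")
    offset = int(host) - int(internal.network_address)
    return ipaddress.ip_address(int(nat.network_address) + offset)


def site_a_config(internal_a, nat_a, nat_b, static_hosts, hide_address) -> List[str]:
    """Emit ASA 8.2-style lines for SITE A's box in the shape the post uses.
    Names (natforsiteb, myvpntositeb, VPNBNATn, hidenat1) and 'crypto map vpn 10' are assumed."""
    if ipaddress.ip_address(hide_address) not in nat_a:
        raise ValueError("hide address must come from SITE A's NAT block")
    lines = [
        "object-group network natforsiteb",
        f" network-object {nat_b.network_address} {nat_b.netmask}",
        # Crypto ACL matches post-NAT addresses only: NAT happens before encryption.
        f"access-list myvpntositeb extended permit ip "
        f"{nat_a.network_address} {nat_a.netmask} object-group natforsiteb",
        "crypto map vpn 10 match address myvpntositeb",
    ]
    for i, host in enumerate(static_hosts, start=1):
        acl = f"VPNBNAT{i}"
        lines.append(f"access-list {acl} extended permit ip host {host} "
                     f"{nat_b.network_address} {nat_b.netmask}")
        lines.append(f"static (inside,outside) {translate(host, internal_a, nat_a)} access-list {acl}")
    # Everything else hides behind one address from SITE A's NAT block.
    lines.append(f"access-list hidenat1 extended permit ip "
                 f"{internal_a.network_address} {internal_a.netmask} "
                 f"{nat_b.network_address} {nat_b.netmask}")
    lines.append("nat (inside) 11 access-list hidenat1")
    lines.append(f"global (outside) 11 {hide_address}")
    return lines


def crypto_acl_leaks_pre_nat(config, internal_a) -> bool:
    """True if any ACL bound to a crypto map still names the real (pre-NAT) network,
    i.e. the 192.168.0.0/16 -> 10.1.0.0/16 mistake the post warns about."""
    pre_nat = f"{internal_a.network_address} {internal_a.netmask}"
    crypto_acls = {l.split()[-1] for l in config
                   if l.startswith("crypto map") and "match address" in l}
    return any(l.split()[1] in crypto_acls and pre_nat in l
               for l in config if l.startswith("access-list"))


if __name__ == "__main__":
    for msg in (nat_plan_errors(SITE_A_INTERNAL, SITE_B_INTERNAL, SITE_A_NAT, SITE_B_NAT)
                + nat_plan_warnings(SITE_A_NAT, SITE_B_NAT)):
        print("!", msg)
    cfg = site_a_config(SITE_A_INTERNAL, SITE_A_NAT, SITE_B_NAT, ["192.168.0.1"], "10.0.0.254")
    print("\n".join(cfg))
    print("! crypto ACL references pre-NAT space:", crypto_acl_leaks_pre_nat(cfg, SITE_A_INTERNAL))
```

Running the script prints two warnings (both NAT blocks are RFC 1918 space, as the second reply's own example is), SITE A's configuration, and a final False, meaning the crypto ACL only matches the translated 10.0.0.0/16 to 10.1.0.0/16 traffic. Swapping the SITE A NAT block for 192.168.0.0/16 turns that into a hard error from nat_plan_errors, which is the duplicate-address situation the first reply is warning about.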
reply to PS3 | A few years ago I had to set up an IPsec VPN tunnel from a network I was responsible for to a hospital system network. The only catch was they used all of the 1918 addresses on their internal network. To get around this I had to acquire more public addresses from my network's ISP. I then had to configure NAT over the tunnel so that my traffic (as the hospital saw it) looked like it was coming over the VPN with my public addressing space. |