Christmas just went by and I had some time to write down a how-to for NAT in a site-to-site VPN tunnel. In this scenario, clients in site A need to access servers in site B. Normally this is not possible when both sites use the same IP address space. The only way to get it working is to use NAT in site A to hide the internal addresses. All you need to do is pick an address space for the NAT translation and make sure that this address space is not in use in site B, where the servers you want to reach are located.
This is just a very simple example of how to do it. You can also build a configuration where sites A and B access each other; then you need to do NAT on both sides and create a transfer network. If you have questions, just ask; I may also write a how-to for that.
Site A
Internal IP address space: 192.168.0.0/16
Client IP addresses: 192.168.100.0/24
NAT IP address: 172.25.0.1/32
Site B
Internal IP address space: 196.168.0.0/16
Server IP addresses: 192.168.200.0/24
Configuration Site A:
———————————————————————————————
! Site A clients that are allowed to reach the Site B servers
object-group network Site-B-Access
 network-object 192.168.100.0 255.255.255.0
exit
! Site B server network (the remote side of the tunnel)
object-group network VPN-Site-B
 network-object 192.168.200.0 255.255.255.0
exit
! Policy NAT: only client-to-Site-B traffic is translated (pre-8.3 ASA syntax)
access-list nat_outbound-site-b extended permit ip object-group Site-B-Access object-group VPN-Site-B
nat (inside) 2 access-list nat_outbound-site-b
global (outside) 2 172.25.0.1 netmask 255.255.255.255
! The translated address as seen by Site B
object-group network VPN-NAT-Site-B
 network-object 172.25.0.1 255.255.255.255
exit
! Inside interface ACL: only ICMP from the clients towards Site B is allowed in this example
access-list acl_inside extended permit icmp any object-group VPN-Site-B
access-list acl_inside extended deny ip any object-group VPN-Site-B
! Crypto ACL (interesting traffic) must use the translated source, because NAT is applied before the crypto map is matched
access-list acl_VPN-Site-B extended permit ip object-group VPN-NAT-Site-B object-group VPN-Site-B
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key secretpassword
 isakmp keepalive threshold 10 retry 2
exit
! The transform-set referenced by the crypto map must exist (definition was missing in the original listing)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPN 1 match address acl_VPN-Site-B
crypto map VPN 1 set peer 1.1.1.1
crypto map VPN 1 set pfs group2
crypto map VPN 1 set transform-set ESP-3DES-SHA
crypto map VPN 1 set connection-type bidirectional
crypto map VPN 1 set security-association lifetime seconds 3600 kilobytes 4608000
no crypto map VPN 1 set reverse-route
no crypto map VPN 1 set nat-t-disable
crypto map VPN 1 set phase1-mode main
crypto map VPN 1 set inheritance rule
! Binding the crypto map to the interface takes no sequence number
crypto map VPN interface outside
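To make the interaction between the policy NAT rule and the crypto ACL visible, here is an added Python model of the Site A configuration above (example code written for this post, not an ASA feature or output). It assumes the ASA order of operations on the outbound path (NAT first, then crypto-map match) and that Site B's internal space is the overlapping 192.168.0.0/16 the post describes.

```python
import ipaddress

# Constructed from the Site A configuration in the post (pre-8.3 policy NAT).
SITE_A_CLIENTS = ipaddress.ip_network("192.168.100.0/24")   # object-group Site-B-Access
SITE_B_SERVERS = ipaddress.ip_network("192.168.200.0/24")   # object-group VPN-Site-B
NAT_ADDRESS = ipaddress.ip_address("172.25.0.1")           # global (outside) 2
SITE_B_SPACE = ipaddress.ip_network("192.168.0.0/16")      # assumption: Site B's overlapping space
# acl_VPN-Site-B: permit ip object-group VPN-NAT-Site-B object-group VPN-Site-B
CRYPTO_ACL = (ipaddress.ip_network("172.25.0.1/32"), SITE_B_SERVERS)


def nat_address_is_safe(nat_addr, remote_space=SITE_B_SPACE):
    """The post's rule: the NAT address must not fall inside Site B's address space,
    otherwise Site B would route the replies locally instead of back into the tunnel."""
    return ipaddress.ip_address(nat_addr) not in remote_space


def policy_nat(src, dst):
    """Apply nat (inside) 2 / global (outside) 2: translate only client-to-Site-B
    traffic that matches nat_outbound-site-b; everything else keeps its source."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in SITE_A_CLIENTS and dst in SITE_B_SERVERS:
        return NAT_ADDRESS
    return src


def matches_crypto_acl(src, dst):
    """Does the (already translated) packet match acl_VPN-Site-B?"""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl_src, acl_dst = CRYPTO_ACL
    return src in acl_src and dst in acl_dst


def goes_through_tunnel(src, dst):
    """Outbound path on the ASA: NAT is applied before the crypto map is evaluated,
    which is why the crypto ACL has to reference the translated address."""
    return matches_crypto_acl(policy_nat(src, dst), dst)


if __name__ == "__main__":
    print(goes_through_tunnel("192.168.100.10", "192.168.200.20"))   # True: translated, then matched
    print(matches_crypto_acl("192.168.100.10", "192.168.200.20"))    # False: untranslated source never matches
    print(goes_through_tunnel("192.168.50.10", "192.168.200.20"))    # False: not in Site-B-Access, so no NAT
    print(nat_address_is_safe("192.168.0.1"))                        # False: would collide with Site B
```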
Site B:
---------------------------------------------------------------------------------------------
Coming soon.
So have a look again in a few days; I will complete the post by then.