Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
271
Views
0
Helpful
2
Replies

Static NAT of the inside interface through an IPsec-tunnel

milil
Level 1
Level 1

‎05-24-2007 04:35 AM - edited ‎02-21-2020 03:04 PM

I want to set up an ASA5505 remote and manage it through a IPsec-tunnel and put a static NAT on the inside interface. Is that possible since the traffic never traverses any interface? Is there a workaround or a different way to do it?

//Mike

Labels:
0 Helpful
2 Replies 2

thomas.chen
Level 6
Level 6

‎05-30-2007 07:38 AM

The ip nat inside destination command translates the destination address of a packet going from the outside interface to the inside interface. This command is used to load balance among multiple servers on the inside network. The existence of multiple servers is hidden from the external world, which continues to use a single IP address to request the desired content. At the Network Address Translation (NAT) router, these requests are directed to one of the multiple inside servers specified in the NAT pool. This is done in a round-robin manner, distributing the load among the available servers.

The ip nat inside destination command can also be used to mask the actual IP address of a server on the inside network. This one-to-one translation is created by specifying a single address in the NAT pool. However, the translation created by this command is a dynamic translation. The ip nat inside destination command does not support the static keyword and cannot be used to build static mapping.

0 Helpful

ggilbert
Cisco Employee
Cisco Employee

‎05-30-2007 09:14 AM

Mike,

To answer your question, you can not have a static NAT for the inside interface so that you can manage it from the outside world. If you want to make it by not going through the tunnel, use SSH to access the outside interface.

As per your question - if you want to manage it through the tunnel, use SSH to access the inside interface IP Address.

Or if you have another interface, you can use the management-access command to access the ASA5505.

http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/m_711.html#wp1631964

Hope this explains. Let me know if you have questions and I will be glad to answer them.

Cheers

Gilbert

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents