LAN-to-LAN to VPN tunnel NAT0

Unanswered Question
Mar 16th, 2008

We have a LAN-to-LAN VPN tunnel for which we have configured NAT0 on both end firewalls, so these addresses are excluded from NAT. What happens when they're out on the internet: what are these addresses known as when they're out there, and which part of the configuration should show this? Please help!

JORGE RODRIGUEZ Sun, 03/16/2008 - 21:43

Bernadette, L2L uses the IPsec standard. Even though you have excluded the internal addresses by NAT0, the traffic is still encrypted by the (crypto map) engine and the access-list bound to the crypto map. Example: access-list inside_nat0_outbound extended permit ip x.x.x.x y.y.y.y and access-list outside_cryptomap_20 extended permit ip x.x.x.x y.y.y.y; the outside_cryptomap_20 is what determines what traffic will be encrypted, based on the previous access list.

If you are using PIX and issue show crypto ipsec sa, this command shows the IPsec SAs built between L2L VPN peers, and you should be able to see packets encap/decap and packets encrypted/decrypted as they are received and sent out through the outbound/inbound tunnel interface.

Here is a link for learning the basics of the IPsec standards.

I hope I have answered your question.
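To make the relationship between the two access-lists in the reply concrete, here is an added PIX/ASA 7.x-style site-to-site fragment. It is not from the original post or from the poster's own configuration; the subnets 192.168.1.0/24 (local LAN), 192.168.2.0/24 (remote LAN) and the peer address 203.0.113.2 are constructed placeholders, and the names inside_nat0_outbound, outside_cryptomap_20, outside_map and ESP-AES-SHA are assumed. On the internet the packets carry only the two firewalls' outside addresses in the outer IP header (protocol ESP, or UDP/4500 with NAT-T); the private addresses from the crypto ACL travel inside the encrypted ESP payload and are never visible to anyone in the path.

```cisco
! Added example, not the poster's configuration. Addresses are constructed
! placeholders from the documentation/private ranges.
!
! 1. NAT exemption: traffic between the two LANs keeps its private addresses.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! 2. Crypto ACL: this is what selects traffic for encryption. It should mirror
!    the NAT0 ACL line for line; if a flow is translated because it misses the
!    NAT0 ACL, its new source address no longer matches here and the packet
!    leaves the outside interface unencrypted.
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! 3. IKE phase 1 and IPsec phase 2 parameters, and the crypto map entry that
!    binds the crypto ACL to the remote peer.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.2
crypto map outside_map 20 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <replace-with-shared-secret>
!
! 4. Verification, as the reply suggests. In the output, "local ident" and
!    "remote ident" show the private subnets from the crypto ACL, "current_peer"
!    shows the public address the packets actually carry on the internet, and the
!    #pkts encaps/decaps counters should increase while traffic crosses the tunnel.
! show crypto ipsec sa
```

The check worth doing on both firewalls is that the NAT0 ACL and the crypto ACL cover exactly the same source/destination pairs, and that the peer's ACLs are the mirror image (its local subnet as source, yours as destination); an asymmetry is the usual reason one direction works and the other does not.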
