site to site vpn natting

carl_townshend
Spotlight

Hi all, we have just had a router and ASA installed on our network. The ASA terminates site-to-site tunnels to our other buildings. If the router is already NATting to an internal address of the firewall, do we still need to do no-NAT for the site-to-site traffic? How will this work?

4 Replies

andrew.prince
Level 10

Carl,

Simply: yes, and you need to make sure that the NAT'd IP subnet is the interesting VPN encrypted traffic.

HTH.

Can you please explain this? Basically, we have a router with an internet IP; this then NATs an internet IP to a private address of the outside interface of the firewall. Would we have to turn NAT off for all outbound traffic? Also, what would we do with the site-to-site tunnel policy?

Check your NAT exemption rules. You should have a rule allowing your local internal address scheme to the remote ASA's internal IP scheme. This exempts NATing outbound to your remote site over the site-to-site.

Edit: I'm sorry, I didn't see that you were NATing with a router.

Nothing changes with the normal operation of the VPN tunnel. In your case the ASA does not need to perform any NAT, as you are using internal IP addressing. As the external router is performing all the NAT, the ASA does not have to.

HTH.
