06-05-2008 02:29 AM - edited 03-05-2019 11:26 PM
Hi all, we have just had a router and ASA installed on our network. The ASA terminates site-to-site tunnels to our other buildings. If the router is already NATing to an internal address of the firewall, do we still need to do no-NAT for the site-to-site traffic? How will this work?
06-05-2008 04:35 AM
Carl,
Simply - yes and you need to make sure that the NAT'd IP subnet is the interesting VPN encrypted traffic.
HTH.
06-06-2008 05:18 AM
Can you please explain this? Basically, we have a router with an internet IP; this then NATs an internet IP to a private address of the outside interface of the firewall. Would we have to turn NAT off for all outbound traffic? Also, what would we do with the site-to-site tunnel policy?
06-06-2008 05:30 AM
Check your NAT exemption rules. You should have a rule allowing your local internal address scheme to the remote ASA's internal IP scheme. This exempts NATing outbound to your remote site over the site-to-site.
Edit: I'm sorry, I didn't see that you were NATing with a router.
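The NAT exemption rule described in this reply, written out as an added example (not posted by anyone in the thread). It assumes pre-8.3 ASA syntax, which fits the 2008 date of the thread, and uses placeholder ACL names, subnets and peer address; only the lines relevant to NAT exemption are shown.

```text
! Constructed example: all names, subnets and addresses are placeholders.
! Local inside LAN : 192.168.10.0/24   (assumed)
! Remote site LAN  : 192.168.20.0/24   (assumed)

! 1. Interesting traffic for the tunnel (referenced by the crypto map).
access-list VPN_TO_SITE_B extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! 2. NAT exemption: same source/destination pair, so site-to-site
!    traffic keeps its real addresses and still matches the crypto ACL.
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 3. The exemption only matters if the ASA has a NAT/PAT rule such as
!    the pair below. If the ASA performs no NAT at all, there is
!    nothing to exempt.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! 4. Bind the interesting-traffic ACL to the tunnel
!    (transform set and interface binding omitted).
crypto map OUTSIDE_MAP 10 match address VPN_TO_SITE_B
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2

! Verification from the ASA CLI
show running-config nat
packet-tracer input inside icmp 192.168.10.10 8 0 192.168.20.10
show crypto ipsec sa peer 203.0.113.2
```

If the exemption ACL and the crypto ACL disagree, traffic to the remote subnet is translated first and no longer matches the tunnel's interesting traffic, which shows up as encaps counters that stay at zero in `show crypto ipsec sa`.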
06-07-2008 12:51 AM
Nothing changes with the normal operation of the VPN tunnel. In your case the ASA does not need to perform any NAT, as you are using internal IP addressing. As the external router is performing all the NAT, the ASA does not have to.
HTH.