09-26-2008 05:11 AM - edited 03-06-2019 01:36 AM
Hi all, if I have a VPN tunnel between 2 offices, but I have 1 IP the same in each office, can I NAT on my firewall for this address? Or will I have to do it on another device, as the firewall will be doing no NAT?
09-26-2008 05:23 AM
Yes - you can perform a policy NAT from the inside to the VPN, then encrypt from the NAT IP address on both sides.
HTH>
09-26-2008 07:04 AM
Hi there, can you please give me an example config of this?
Would you do a static NAT first, then do a nat 0 on the address that it's NATted to?
09-26-2008 07:17 AM
I would do something like this:-
SiteA
Inside host 192.168.1.1
NAT host 172.16.1.1
! policy static NAT: 192.168.1.1 is presented as 172.16.1.1 only for traffic to SiteB's NAT address
static (inside,outside) 172.16.1.1 access-list nat_me
access-list nat_me extended permit ip host 192.168.1.1 host 172.16.2.1
! NAT exemption for the translated pair (applied with: nat (inside) 0 access-list no-nat)
access-list no-nat extended permit ip host 172.16.1.1 host 172.16.2.1
! interesting traffic for the crypto map: encrypt from the NAT address, not the real one
access-list vpn-acl extended permit ip host 172.16.1.1 host 172.16.2.1
SiteB
Inside host 192.168.1.1
NAT host 172.16.2.1
! mirror image of SiteA: same real address, presented as 172.16.2.1 towards SiteA's NAT address
static (inside,outside) 172.16.2.1 access-list nat_me
access-list nat_me extended permit ip host 192.168.1.1 host 172.16.1.1
! NAT exemption for the translated pair (applied with: nat (inside) 0 access-list no-nat)
access-list no-nat extended permit ip host 172.16.2.1 host 172.16.1.1
! crypto ACL must be the exact mirror of SiteA's vpn-acl
access-list vpn-acl extended permit ip host 172.16.2.1 host 172.16.1.1
HTH>
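To see why the mirrored policy NAT above lets two hosts with the same 192.168.1.1 address talk through one tunnel, here is an added Python model of the packet flow (not ASA code, and not part of the original reply); the Site class and the outbound(), inbound(), trace() and acls_mirrored() helpers are hypothetical, and the addresses are the constructed ones from the post.

```python
from dataclasses import dataclass

# Added model (not ASA code) of the policy-NAT-over-VPN design in the reply
# above; addresses are the post's constructed ones, helpers are hypothetical.

@dataclass(frozen=True)
class Site:
    inside_host: str    # real address, overlapping with the other office
    nat_host: str       # address this host is presented as across the tunnel
    peer_nat_host: str  # the other office's NAT address

    def nat_me(self, src, dst):
        # access-list nat_me extended permit ip host <inside> host <peer NAT>
        return src == self.inside_host and dst == self.peer_nat_host

    def vpn_acl(self, src, dst):
        # access-list vpn-acl extended permit ip host <NAT> host <peer NAT>
        return src == self.nat_host and dst == self.peer_nat_host

def outbound(site, src, dst):
    """Inside -> outside: policy static NAT, then the crypto-ACL test.
    Returns (wire_src, wire_dst, encrypted)."""
    if site.nat_me(src, dst):
        src = site.nat_host  # static (inside,outside) <NAT> access-list nat_me
    return src, dst, site.vpn_acl(src, dst)

def inbound(site, src, dst):
    """Outside -> inside after decryption: undo the static NAT on the
    destination so the packet reaches the real (overlapping) host."""
    if dst == site.nat_host:
        dst = site.inside_host
    return src, dst

def trace(site_a, site_b, src, dst):
    """Follow one packet from site_a's inside host to site_b. Returns the
    (src, dst) seen at site_b, or None if it never matched the crypto ACL."""
    wire_src, wire_dst, encrypted = outbound(site_a, src, dst)
    if not encrypted:
        return None
    return inbound(site_b, wire_src, wire_dst)

def acls_mirrored(a, b):
    """Check that each side's crypto ACL is the exact mirror of the other's."""
    return (a.nat_host == b.peer_nat_host and b.nat_host == a.peer_nat_host
            and a.vpn_acl(a.nat_host, a.peer_nat_host)
            and b.vpn_acl(b.nat_host, b.peer_nat_host))

SITE_A = Site("192.168.1.1", "172.16.1.1", "172.16.2.1")
SITE_B = Site("192.168.1.1", "172.16.2.1", "172.16.1.1")
```

Each inside host must address the other office by its NAT address (172.16.x.1); a packet sent to the real 192.168.1.1 never matches the crypto ACL and stays local.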
09-26-2008 01:32 PM
Hi there, is this the only way of doing it?
09-26-2008 11:58 PM
Carl,
If you have an IP address that is the SAME at both ends, yes there is another way of doing it.
You change the IP address of one end - simple eh.
If you can't change the IP address - then yes, NATting is the ONLY way to do it.
I have implemented this on so many VPN tunnels - it's just not funny. The thing is with RFC1918 addresses you WILL clash with someone at some point.
So Carl just to be clear your 2 options:-
1) NAT - you don't have to NAT on the PIX/ASA - you could NAT on a router before the VPN devices.
2) Change the IP address ranges.
HTH>
09-26-2008 06:05 PM
Hi Andrew,
I didn't get this one!!
I guess if he does NAT exemption, it will do the job, right?!
09-26-2008 11:59 PM
Hey Marwan,
Yep - it works. I have implemented this more times than I care to remember. If properly implemented, it works.