12-18-2008 03:38 AM
Hi,
We need to setup a site to site VPN with a customer who will not allow us to use RFC1918 addresses for our end point source / destinations.
As a result we have been asked to NAT these devices into our globally assigned Internet block.
My question is, will this work ?
Our Cisco ASA's terminate the VPNs and connect directly onto the Internet using a /27 block provided by our ISP.
If we NAT the inside devices that need to be protected over the VPN into this block and then included these NAT'd addresses in the crypto map ACL's will this work ?
Thanks in advance.
Solved! Go to Solution.
12-18-2008 09:15 AM
Chris
Yes it will work and how you have described it is exactly how you set it up - eg.
inside network 192.168.5.0/24
Natted Public address - 195.166.77.10
remote network - 172.16.5.0/24
your crypto map access-list would read
access-list vpntraffic permit ip host 195.166.77.10 172.16.5.0 255.255.255.0
Jon
12-18-2008 09:15 AM
Chris
Yes it will work and how you have described it is exactly how you set it up - eg.
inside network 192.168.5.0/24
Natted Public address - 195.166.77.10
remote network - 172.16.5.0/24
your crypto map access-list would read
access-list vpntraffic permit ip host 195.166.77.10 172.16.5.0 255.255.255.0
Jon
12-23-2008 12:56 AM
Thanks for your reply Jon. We haven't tested it yet, but this gives me some confidence that at least it "should" work :)
12-23-2008 04:13 AM
Chris
Thanks for the rating and if it doesn't work i'll come up to Manchester and help out :-)
Jon
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide