L2L VPN - peer and private address is the same

Unanswered Question
May 19th, 2009

We need to create a L2L tunnel with a provider, but their standard is that they require us to PAT our internal segments/hosts (AKA "interesting traffic") to a public address. By that they mean an address in the same segment as the OUTSIDE interface of our firewall, even the Internet address itself.

Will that work on an ASA5520?

Any difference in the tunnel config?

Any comments?

Jon Marshall Tue, 05/19/2009 - 22:47


Yes, it will work fine. The major change in the config is that the crypto map access-list that defines interesting traffic must use the NATted address and not the original source addresses.


ronshuster Wed, 05/20/2009 - 08:31

So you mean that the "interesting traffic" (source --> dst) will have to be PATted to the outside (public) address of the firewall, and this address is used in the crypto maps?

I was unable to find such an example online, but it makes sense that it will work.

Jon Marshall Wed, 05/20/2009 - 12:21


You can NAT the interesting traffic to any address you like although the outside interface address is as good as any.

Yes, whatever address you choose you use that one in the crypto maps.


ronshuster Fri, 06/05/2009 - 05:28


When the other side of the tunnel accesses my outside interface of the firewall, how do I point this traffic to the internal host?

Is that it:

static (inside,outside) pubaddress internalhost netmask

So basically it's a regular VPN setting, but the crypto maps have the public address, correct?

Do I need to NAT-exempt (nonat) the traffic from my public address to the other side?
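A constructed ASA configuration illustrating the design discussed in this thread (policy PAT of the inside segment to a public address in the outside subnet, a policy static for the one host the peer must reach, and a crypto ACL that matches the translated addresses). This is added here and is not from any poster; it uses the pre-8.3 NAT syntax current in 2009, documentation address ranges, and assumed object names.

```cisco
! Constructed example, ASA pre-8.3 NAT syntax. Assumptions:
!   inside segment 10.1.1.0/24, peer network 192.0.2.0/24, peer public IP 198.51.100.1,
!   203.0.113.10 (PAT address) and 203.0.113.11 (1:1 address) live in the outside subnet.

! Policy PAT: only inside traffic bound for the peer network is translated to 203.0.113.10.
access-list POLICY-PAT extended permit ip 10.1.1.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside) 2 access-list POLICY-PAT
global (outside) 2 203.0.113.10

! Policy static: host 10.1.1.5 appears to the peer as 203.0.113.11 in both directions,
! so the peer can initiate to it. Static entries are evaluated before policy PAT.
access-list POLICY-STATIC extended permit ip host 10.1.1.5 192.0.2.0 255.255.255.0
static (inside,outside) 203.0.113.11 access-list POLICY-STATIC

! Crypto ACL: match the translated (public) addresses, not the 10.1.1.0/24 sources.
! Do not add a nat 0 exemption for this traffic; that would bypass the PAT and the
! packets would no longer match this ACL.
access-list VPN-TRAFFIC extended permit ip host 203.0.113.10 192.0.2.0 255.255.255.0
access-list VPN-TRAFFIC extended permit ip host 203.0.113.11 192.0.2.0 255.255.255.0

! Phase 1 / Phase 2 and the crypto map bound to the outside interface.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! The provider's side must use 203.0.113.10 and 203.0.113.11 as the remote networks.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <REPLACE-WITH-SHARED-SECRET>
```

After bringing the tunnel up, `show crypto ipsec sa` on the ASA should list the 203.0.113.x addresses as the local identity, which confirms the translation happens before the crypto map is evaluated.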

