L2L VPN - peer and private address is the same

ronshuster
Level 1

We need to create a L2L tunnel with a provider, but their standard is that they require us to PAT our internal segments/hosts (AKA "interesting traffic") to a public address. By that they mean an address in the same segment as the OUTSIDE interface of our firewall, even the Internet address itself.

Will that work on an ASA5520?

Any difference in the tunnel config?

Any comments?

4 Replies

Jon Marshall
Hall of Fame

Roni

Yes, it will work fine. The major change in the config is that the crypto map access-list that defines interesting traffic must use the NATed address and not the original source addresses.

Jon

So you mean that the "interesting traffic" (source --> dst) will have to be PATed to the outside (public) address of the firewall, and this address goes in the crypto maps?

I was unable to find such an example online, but it makes sense that it will work.

Roni

You can NAT the interesting traffic to any address you like, although the outside interface address is as good as any.

Yes, whatever address you choose, you use that one in the crypto maps.

Jon

Jon,

When the other side of the tunnel accesses my outside interface of the firewall, how do I point this traffic to the internal host?

Is that it:

static (inside,outside) pubaddress internalhost netmask 255.255.255.255

So basically it's a regular VPN setting, but the crypto maps have the public address, correct?

Do I need to nonat the traffic from my pub address to the other side?
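The configuration the thread converges on, as an added example that is not from any of the posters. It uses the pre-8.3 NAT syntax that matches the `static (inside,outside)` form quoted above, and every address, ACL name, map name and subnet is a constructed placeholder from the RFC 5737 documentation ranges. It also shows the PAT-to-outside-interface variant from the original question alongside the static translation from the last post, plus the checks a practitioner would run before trusting the tunnel.

```cisco
! Added example, not from the thread. Pre-8.3 NAT syntax (static/nat/global).
! All addresses are constructed placeholders:
!   10.1.1.10       inside host that must reach the provider
!   203.0.113.1     the firewall's outside interface address
!   203.0.113.10    public address in the outside subnet the provider will see
!   198.51.100.1    the provider's VPN peer
!   192.0.2.0/24    the provider's network behind the tunnel
!
! 1. Translation. A one-to-one static presents the inside host to the provider
!    as the public address, and lets the provider initiate connections to it.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
!    Variant if the provider accepts the outside interface address itself: the
!    ordinary Internet PAT pair already covers it, and the crypto ACL below would
!    then name "host 203.0.113.1". With PAT the provider can only answer sessions
!    the inside host opened; it cannot reach the host on its own.
!      global (outside) 1 interface
!      nat (inside) 1 10.1.1.0 255.255.255.0
!
! 2. Interesting traffic. The ASA translates before it evaluates the crypto map,
!    so the ACL matches the TRANSLATED source, never 10.1.1.10.
access-list L2L-PROVIDER extended permit ip host 203.0.113.10 192.0.2.0 255.255.255.0
!
!    Do not add a nat 0 (NAT exemption) entry for 10.1.1.10 toward 192.0.2.0/24.
!    An exemption would leave the source untranslated, it would no longer match
!    L2L-PROVIDER, and the packets would be routed out unencrypted instead of
!    into the tunnel.
!
! 3. Phase 1 (ISAKMP). Parameters must mirror what the provider runs.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-SHARED-SECRET
!
! 4. Phase 2 (IPsec) and the crypto map bound to the outside interface.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-PROVIDER
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! 5. Checks. Simulate a packet from the inside host: the NAT phase should show
!    10.1.1.10 -> 203.0.113.10 and the VPN phase should end in ENCRYPT. Then
!    confirm the SAs are up and the encaps/decaps counters move with real traffic.
!      packet-tracer input inside tcp 10.1.1.10 1025 192.0.2.50 443
!      show crypto isakmp sa
!      show crypto ipsec sa peer 198.51.100.1
```

The design point is the ordering: on the ASA the NAT lookup precedes the crypto map lookup for outbound packets, which is why the interesting-traffic ACL names the public address and why a NAT exemption for this flow would silently take it out of the tunnel. The `packet-tracer` run is the quickest way to see both decisions for a single simulated packet without waiting for the provider to test.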
