05-19-2009 11:41 AM - edited 02-21-2020 03:28 AM
We need to create a L2L tunnel with a provider but their standard is that they require us to PAT our internal segments\hosts (AKA "interesting traffic") to a public address. By that they mean an address in the same segment as the OUTSIDE interface of our firewall, even the Internet address itself.
Will that work on an ASA5520?
Any difference in the tunnel config?
Any comments?
05-19-2009 10:47 PM
Roni
Yes, it will work fine. The major change in the config is that the crypto map access-list that defines interesting traffic must use the NATed address and not the original source addresses.
Jon
05-20-2009 08:31 AM
So you mean that the "interesting traffic" (source --> dst) will have to be PATed to the outside (public) address of the firewall, and this address goes in the crypto maps?
I was unable to find such an example online, but it makes sense that it will work.
05-20-2009 12:21 PM
Roni
You can NAT the interesting traffic to any address you like, although the outside interface address is as good as any.
Yes, whatever address you choose, you use that one in the crypto maps.
Jon
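As an added illustration of Jon's point (not config posted in the thread), the fragment below shows the NAT and crypto-map pieces side by side in ASA 8.2-style (pre-8.3) syntax. All addresses and ACL/map names are placeholders I chose: inside host 10.1.1.10 on segment 10.1.1.0/24, public address 203.0.113.10 in the outside interface's segment, provider network 192.168.50.0/24, provider peer 198.51.100.1; ISAKMP policy lines are omitted.

```cisco
! Added example, not from the thread. ASA 8.2-style NAT; all values are placeholders.

! 1) One-to-one static: the provider sees 10.1.1.10 as 203.0.113.10, and
!    traffic the provider sends to 203.0.113.10 is delivered to 10.1.1.10.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! 1b) Alternative for a whole segment: policy PAT of 10.1.1.0/24 to the
!     public address, only for traffic bound to the provider's network.
!     (A static for a host takes precedence over this policy NAT.)
access-list PAT_TO_PROVIDER extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 2 access-list PAT_TO_PROVIDER
global (outside) 2 203.0.113.10

! 2) Crypto ACL: NAT is applied before encryption, so the interesting-traffic
!    ACL must match the translated public source, not 10.1.1.x.
!    The provider mirrors this ACL (their network -> 203.0.113.10) on their side.
access-list VPN_TO_PROVIDER extended permit ip host 203.0.113.10 192.168.50.0 255.255.255.0

! 3) Otherwise an ordinary L2L crypto map.
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_PROVIDER
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <placeholder-psk>
```

Because NAT exemption (nat 0 access-list) is evaluated before static NAT, an exemption covering 10.1.1.10 to the provider network would bypass the translation and the traffic would no longer match the crypto ACL. After the tunnel comes up, `show crypto ipsec sa` should list the local identity as 203.0.113.10, which is a quick check that the translation and the crypto ACL agree.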
06-05-2009 05:28 AM
Jon,
When the other side of the tunnel accesses my outside int of the firewall, how do I point this traffic to the internal host?
Is this it:
static (inside,outside) pubaddress internalhost netmask 255.255.255.255
So basically it's a regular VPN setting, but the crypto maps have the public address, correct?
Do I need to nonat the traffic from my pub address to the other side?