VPN tunnel and NAT

Answered Question
Mar 1st, 2010

I have a client that requires a L2L VPN tunnel to be established to secure FTP file transfers, but who also doesn't allow private IP addresses to be sent over the VPN tunnel. I have an ASA 8.0.4 available to terminate the VPN tunnel, and my question is: can I terminate the VPN on the outside interface and still be able to go through the NAT process, so I can use the public NAT address of the FTP server to send over the VPN?

For instance, let's say I have the following configured.

interface gig 0/0
 nameif outside
 ip address 172.30.10.1 255.255.255.248

static (DMZ,Outside) X.X.136.20 192.168.1.20   <----- FTP server

The tunnel will terminate on 172.30.10.1, but I want to be able to use the X.X.136.20 IP address for the ACL in my crypto map. Possible?

Thanks.

Correct Answer by Jon Marshall about 6 years 9 months ago

Ryan

Yes, this is perfectly possible. The key thing to note is that in your crypto map access-list you must use the NATted address, i.e. x.x.136.20, and not the real address, i.e. 192.168.1.20.

Jon
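As an added example (not from the original thread), this is the ASA 8.0-style configuration Jon's answer implies: the static translation for the FTP server plus a crypto ACL keyed on the translated address. The remote peer 198.51.100.1 and its protected network 198.51.100.0/24, the translated address 203.0.113.20 (a stand-in for the thread's X.X.136.20), the ACL/map/transform-set names and the IKE/IPsec parameters are all assumptions, and an interface with nameif DMZ is assumed to exist.

```cisco
! Outside interface: the tunnel terminates here (RFC 1918 address as in the
! question); the upstream router must route the public FTP address to this ASA.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.30.10.1 255.255.255.248
!
! Static NAT for the FTP server. 203.0.113.20 is a constructed stand-in for the
! thread's X.X.136.20; 192.168.1.20 is the real DMZ address from the question.
static (DMZ,outside) 203.0.113.20 192.168.1.20 netmask 255.255.255.255
!
! Crypto ACL: the ASA translates before it evaluates the crypto map, so the
! interesting-traffic ACL must name the translated host, not 192.168.1.20.
! The peer's ACL must be the mirror image: 198.51.100.0/24 -> host 203.0.113.20.
access-list VPN-TO-CLIENT extended permit ip host 203.0.113.20 198.51.100.0 255.255.255.0
!
! Do NOT add a "nat (DMZ) 0 access-list ..." exemption covering 192.168.1.20 to the
! remote network: NAT exemption takes precedence over the static, the packet would
! keep its private source address and would never match VPN-TO-CLIENT.
!
! Keep "inspect ftp" in the global policy (it is there by default) so the addresses
! embedded in FTP PORT/PASV commands are rewritten to match the translation.
!
! Phase 1 (ISAKMP). Parameters are assumptions; agree them with the peer.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 (IPsec) and the crypto map bound to the outside interface.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-CLIENT
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group2
crypto map OUTSIDE-MAP interface outside
!
! Peer definition. The key below is a placeholder, not a real value.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-AGREED-PSK
```

Once the tunnel is up, `show xlate` should show 192.168.1.20 translated to 203.0.113.20, and `show crypto ipsec sa` should list a local ident of 203.0.113.20/255.255.255.255, confirming that the crypto ACL matched the translated address.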

