VPN tunnel and NAT

Ryan.Bachman_2
Level 1

I have a client that requires an L2L VPN tunnel to be established to secure FTP file transfers, but who also doesn't allow private IP addresses to be sent over the VPN tunnel. I have an ASA 8.0.4 available to terminate the VPN tunnel, and my question is: can I terminate the VPN on the outside interface and still go through the NAT process, so I can use the public NAT address of the FTP server to send over the VPN?

For instance lets say I have the following configured.

interface gig 0/0
nameif outside
ip address 172.30.10.1 255.255.255.248

static (DMZ,Outside) X.X.136.20 192.168.1.20   <----- FTP server

The tunnel will terminate on 172.30.10.1, but I want to be able to use the X.X.136.20 IP address for the ACL in my crypto map. Possible?

Thanks.

Accepted Solution

Jon Marshall
Hall of Fame

Ryan.Bachman wrote:

I have a client that requires an L2L VPN tunnel to be established to secure FTP file transfers, but who also doesn't allow private IP addresses to be sent over the VPN tunnel. I have an ASA 8.0.4 available to terminate the VPN tunnel, and my question is: can I terminate the VPN on the outside interface and still go through the NAT process, so I can use the public NAT address of the FTP server to send over the VPN?

For instance lets say I have the following configured.

interface gig 0/0
nameif outside
ip address 172.30.10.1 255.255.255.248

static (DMZ,Outside) X.X.136.20 192.168.1.20   <----- FTP server

The tunnel will terminate on 172.30.10.1, but I want to be able to use the X.X.136.20 IP address for the ACL in my crypto map. Possible?

Thanks.

Ryan

Yes, this is perfectly possible. The key thing to note is that in your crypto map access-list you must use the NATed address, i.e. x.x.136.20, and not the real address, i.e. 192.168.1.20.

Jon

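Jon's point, that the crypto ACL must match the translated address, follows from the ASA's order of operations: on the outbound path a packet is NATed first and only then checked against the crypto map, so the crypto ACL only ever sees x.x.136.20. The configuration below is an added example written for this thread, not taken from the post or from Cisco documentation. Everything beyond what the post gives is an assumption: the remote peer 203.0.113.1, the remote client subnet 198.51.100.0/24, the DMZ interface addressing, and 192.0.2.20 standing in for the post's X.X.136.20 (written with documentation-range addresses so the snippet is syntactically complete).

```cisco
! Assumed topology (not from the post):
!   remote peer 203.0.113.1, remote FTP clients 198.51.100.0/24,
!   local FTP server 192.168.1.20 on DMZ, presented as 192.0.2.20
!   (192.0.2.20 stands in for the post's X.X.136.20).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.30.10.1 255.255.255.248
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
! Static NAT (8.0 syntax). NAT runs before the crypto map is consulted,
! so 192.0.2.20 is the only address the tunnel ever carries.
static (DMZ,outside) 192.0.2.20 192.168.1.20 netmask 255.255.255.255
!
! Crypto ACL: the NATed address, not the real one.
! Wrong (would never match, and would leak RFC1918 space if it did):
!   access-list L2L_FTP extended permit ip host 192.168.1.20 198.51.100.0 255.255.255.0
access-list L2L_FTP extended permit ip host 192.0.2.20 198.51.100.0 255.255.255.0
!
! Deliberately NO nat (DMZ) 0 access-list ... exemption for 192.168.1.20
! toward 198.51.100.0/24: NAT exemption is evaluated before the static and
! would push the private address into the tunnel, which is what the client forbids.
!
! Inbound ACL on outside. In pre-8.3 code the outside ACL is written against
! the global (translated) address. Only the FTP control channel is opened;
! data connections are created by 'inspect ftp' in the default global policy.
access-list OUTSIDE_IN extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.20 eq ftp
access-group OUTSIDE_IN in interface outside
! Without this, decrypted VPN traffic bypasses OUTSIDE_IN entirely (8.0 default).
no sysopt connection permit-vpn
!
! IKEv1 / IPsec
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_FTP
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY
```

The remote side's crypto ACL must be the mirror image (198.51.100.0/24 to host 192.0.2.20), or phase 2 will fail on a proxy-identity mismatch. To confirm the private address never enters the tunnel, run `packet-tracer input outside tcp 198.51.100.10 40000 192.0.2.20 21` and check that the UN-NAT phase precedes the VPN phase, and after traffic flows, `show crypto ipsec sa` should list the local ident as 192.0.2.20/255.255.255.255, not 192.168.1.20. With `no sysopt connection permit-vpn` in place, the peer is limited to port 21 plus the data connections `inspect ftp` opens, rather than to anything it can send across the tunnel.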


Easy enough

Thanks for the prompt response.
