PAT and VPN

Answered Question
Apr 21st, 2010
Hi,


I have one query. Currently I have configured 10 servers PAT against one public IP (x.x.x.x) in ASA. Now I have to configure a few VPN tunnels with the clients and I want that tunnel encryption domain IP as x.x.x.x public IP, which is NATted against those 10 IPs. Is it possible? If yes, how?


Traffic which will go out from the tunnels would be from any of those 10 servers to outside clients.


Thanks,

Pawan

Federico Coto F... Wed, 04/21/2010 - 10:07

Hi,


Normally you don't NAT the VPN traffic.

In case you want to NAT/PAT the VPN traffic, you enable NAT before encryption, so that through the tunnel the IP seen is the public IP.


If this is on an ASA, you make sure there's not any NAT 0 access-list statement for the hosts (bypassing NAT).


Federico.

winpwnkmr Wed, 04/21/2010 - 12:38
Hi Federico,


If this is not normal, then how do we make sure that only source connects to destination and not vice versa? Also, if we don't use any NAT, then I have to expose our entire inside subnet, which I don't want to.


Also, could you please give me some example of how I enable NAT before encryption? I can do normal NAT/PAT but am not sure if it's the same.


Thanks,

Pawan

Correct Answer
Federico Coto F... Wed, 04/21/2010 - 14:37

I mean that usually you don't need to NAT the traffic that goes through the tunnel because you don't need those addresses to be public.

If for some reason you do need NAT/PAT, then you can configure it like that.


Here's an example:

Site A Local Network 10.1.1.0/24

Site A PAT address: 200.1.1.1


Site B: Local Network: 10.2.2.0/24

Site B: Public IP: 200.2.2.1


So, normally you avoid NATting the VPN traffic and have communication between both sites from 10.1.1.0/24 to 10.2.2.0/24.

In this case if you want to PAT the traffic, then you do the following:


Site A:

nat (inside) 1 10.1.1.0 255.255.255.0

global (outside) 1 interface


access-list VPN permit ip host 200.1.1.1 10.2.2.0 255.255.255.0  --> This is the crypto ACL


You need to make sure there's no nat 0 for that traffic.


In this case, when traffic goes from 10.1.1.0/24 to 10.2.2.0/24, the traffic will get PATed and then encrypted and sent through the tunnel.

Only Site A can initiate the VPN tunnel.


Federico.
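The order of operations Federico describes (PAT first, then the crypto ACL evaluated on the already-translated packet) is what makes the answer work, and it is also where a stray nat 0 exemption bites. The following Python simulation is an added example written for this page; it is not ASA code and not part of Federico's answer. It assumes the classic (pre-8.3) ASA behaviour described above, uses the Site A addresses from the example, and models PAT with a constructed translation table so that three things can be checked: inside traffic is PATted to 200.1.1.1 and then matches the crypto ACL; Site B can only reach Site A through a translation that Site A created (so only Site A can initiate); and a nat 0 rule covering the inside subnet leaves the source address untranslated, the crypto ACL misses, and the packet would leave the outside interface unencrypted.

```python
"""Simulation of NAT-before-encryption on a classic (pre-8.3) ASA.

Constructed illustration for the thread above: the packet model, the
translation table and the ACL parser are assumptions, not ASA internals.
"""
import ipaddress
from dataclasses import dataclass
from itertools import count

# Site A topology from the thread.
INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")
PAT_ADDRESS = "200.1.1.1"  # result of 'global (outside) 1 interface'
CRYPTO_ACL = "access-list VPN permit ip host 200.1.1.1 10.2.2.0 255.255.255.0"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def _parse_spec(tokens):
    """Parse 'host X' or 'X MASK' into an ip_network; returns (network, tokens consumed)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), 2
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), 2


def parse_acl(line):
    """Return (src_net, dst_net) for a single 'permit ip' extended-ACL entry."""
    tokens = line.split()
    i = tokens.index("permit")
    assert tokens[i + 1] == "ip", "only 'permit ip' entries are modelled"
    rest = tokens[i + 2:]
    src, used = _parse_spec(rest)
    dst, _ = _parse_spec(rest[used:])
    return src, dst


def acl_matches(pkt, acl):
    src_net, dst_net = acl
    return (ipaddress.ip_address(pkt.src) in src_net
            and ipaddress.ip_address(pkt.dst) in dst_net)


class SiteA:
    """Site A ASA: 'nat (inside) 1 10.1.1.0 255.255.255.0' plus the VPN crypto ACL."""

    def __init__(self, nat_exempt=None):
        self.acl = parse_acl(CRYPTO_ACL)
        # nat_exempt models a 'nat (inside) 0' rule covering the given subnet.
        self.nat_exempt = ipaddress.ip_network(nat_exempt) if nat_exempt else None
        self.xlate = {}  # (pat_ip, pat_port) -> (inside_ip, inside_port)
        self._ports = count(1024)  # constructed PAT port allocator

    def _is_exempt(self, src):
        return self.nat_exempt is not None and ipaddress.ip_address(src) in self.nat_exempt

    def outbound(self, pkt):
        """Inside -> outside. Returns (packet as seen on the wire, encrypted?)."""
        on_wire = pkt
        # 1. NAT stage: PAT unless a nat 0 rule exempts the source.
        if ipaddress.ip_address(pkt.src) in INSIDE_NET and not self._is_exempt(pkt.src):
            port = next(self._ports)
            self.xlate[(PAT_ADDRESS, port)] = (pkt.src, pkt.sport)
            on_wire = Packet(PAT_ADDRESS, port, pkt.dst, pkt.dport)
        # 2. Crypto stage: the crypto ACL is evaluated on the translated packet.
        encrypted = acl_matches(on_wire, self.acl)
        return on_wire, encrypted

    def inbound(self, pkt):
        """Outside -> inside after decryption. Returns (delivered packet or None, decrypted?)."""
        mirrored = (self.acl[1], self.acl[0])
        if not acl_matches(pkt, mirrored):
            return None, False  # not in the encryption domain at all
        inside = self.xlate.get((pkt.dst, pkt.dport))
        if inside is None:
            # Decrypted fine, but 200.1.1.1 is only a PAT address: with no
            # existing translation there is no inside host to deliver to.
            return None, True
        return Packet(pkt.src, pkt.sport, inside[0], inside[1]), True


def cleartext_leak(nat_exempt="10.1.1.0/24"):
    """Show the failure mode: a nat 0 rule for the inside subnet defeats the crypto ACL."""
    asa = SiteA(nat_exempt=nat_exempt)
    on_wire, encrypted = asa.outbound(Packet("10.1.1.10", 40000, "10.2.2.5", 80))
    return on_wire.src, encrypted


if __name__ == "__main__":
    asa = SiteA()
    print(asa.outbound(Packet("10.1.1.10", 40000, "10.2.2.5", 80)))
    print(asa.inbound(Packet("10.2.2.5", 80, "200.1.1.1", 1024)))
    print(asa.inbound(Packet("10.2.2.5", 5000, "200.1.1.1", 2000)))
    print(cleartext_leak())
```

The `cleartext_leak` helper is the check worth running against a real configuration in spirit: any `nat (inside) 0` entry that covers the servers will leave their private addresses untranslated, so the packet never matches `permit ip host 200.1.1.1 ...` and is not sent through the tunnel.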
