Cisco Support Community
Community Member

NAT inside Site-to-Site VPN Tunnel

I have to implement a site-to-site tunnel over an existing WAN link.  One of the routers currently NATs addresses from one LAN to the other (see diagram).

Firewall 2 does not yet exist - I plan on deploying it to accomplish the tunnel from Firewall 1 to Firewall 2.

Can I deploy Firewall 2, creating a VPN tunnel from Firewall 1 to Firewall 2, leaving the NAT functions (static, one-to-one) on Router 1, or would I need to perhaps have Firewall 2 do the NAT?

I am not sure if NAT can take place within a tunnel, and I suspect that it cannot.

Thank you in advance.

Drawing1.jpg

Accepted Solution
Hall of Fame Super Blue

Re: NAT inside Site-to-Site VPN Tunnel

YECA911ORG wrote:

I have to implement a site-to-site tunnel over an existing WAN link.  One of the routers currently NATs addresses from one LAN to the other (see diagram).

Firewall 2 does not yet exist - I plan on deploying it to accomplish the tunnel from Firewall 1 to Firewall 2.

Can I deploy Firewall 2, creating a VPN tunnel from Firewall 1 to Firewall 2, leaving the NAT functions (static, one-to-one) on Router 1, or would I need to perhaps have Firewall 2 do the NAT?

I am not sure if NAT can take place within a tunnel, and I suspect that it cannot.

Thank you in advance.

Mike

If you are NATting the LAN addresses, then yes, you will need to do it on the firewalls, because the IP header will not be available to the routers, i.e. the IP header available to the routers will have the source and destination IPs of the firewalls and not the LAN machines.

Jon
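
To make Jon's point concrete, here is an added example that is not part of this thread and not Cisco code. It models tunnel-mode ESP: the whole inner IP packet (LAN host to LAN host) becomes the opaque payload of an outer packet addressed between the two firewalls, so a router on the WAN path only ever sees the firewall addresses and a static one-to-one NAT configured there has nothing to match. The same NAT applied on the firewall before encapsulation does land in the inner header. All addresses, the NAT mapping and the key are constructed, and the SHA-256 counter keystream is a toy stand-in for real ESP encryption (no IV, padding or ICV), used only so the inner header is opaque on the wire.

```python
"""Why a static NAT must live on the IPsec endpoints, not on a router in
the tunnel path.  Constructed model, not the poster's or Cisco's code."""
import struct
import hashlib
from ipaddress import IPv4Address

ESP_PROTO = 50  # IP protocol number of ESP (RFC 4303)


def _checksum(hdr: bytes) -> int:
    """Standard one's-complement sum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) of a packet with a 20-byte header."""
    return (str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])),
            pkt[9], pkt[20:])


def static_nat(pkt: bytes, mapping: dict) -> bytes:
    """One-to-one NAT: rewrite any src/dst found in `mapping`, else pass through."""
    src, dst, proto, payload = parse_ipv4(pkt)
    return build_ipv4(mapping.get(src, src), mapping.get(dst, dst), proto, payload)


def _keystream(key: bytes, n: int) -> bytes:
    """Toy counter-mode keystream; stands in for ESP's real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(inner: bytes, fw_a: str, fw_b: str, key: bytes,
                    spi: int = 0x1001, seq: int = 1) -> bytes:
    """Tunnel mode: encrypt the entire inner packet, wrap it in SPI/sequence
    and a new outer header that carries only the firewall addresses."""
    ks = _keystream(key + struct.pack("!II", spi, seq), len(inner))
    ciphertext = bytes(a ^ b for a, b in zip(inner, ks))
    return build_ipv4(fw_a, fw_b, ESP_PROTO, struct.pack("!II", spi, seq) + ciphertext)


def esp_decapsulate(outer: bytes, key: bytes) -> bytes:
    """Far-end firewall: strip the outer header and recover the inner packet."""
    _, _, proto, esp = parse_ipv4(outer)
    assert proto == ESP_PROTO, "not an ESP packet"
    spi, seq = struct.unpack("!II", esp[:8])
    ks = _keystream(key + struct.pack("!II", spi, seq), len(esp) - 8)
    return bytes(a ^ b for a, b in zip(esp[8:], ks))


# Constructed stand-ins for the thread's diagram (not the poster's real values).
LAN_A_HOST, LAN_B_HOST = "10.1.1.10", "10.2.2.20"
FW1, FW2 = "203.0.113.1", "198.51.100.1"
NAT_MAP = {"10.1.1.10": "172.16.1.10"}  # static one-to-one translation
KEY = b"constructed-demo-key"


def nat_on_router(tunnel_pkt: bytes) -> bytes:
    """Router 1 keeps the NAT: it can only act on the outer header it sees."""
    return static_nat(tunnel_pkt, NAT_MAP)


def nat_on_firewall(inner: bytes) -> bytes:
    """Firewall 1 translates first, then encapsulates: NAT lands in the inner header."""
    return esp_encapsulate(static_nat(inner, NAT_MAP), FW1, FW2, KEY)


def demo() -> dict:
    inner = build_ipv4(LAN_A_HOST, LAN_B_HOST, 6, b"payload")
    tunnel_pkt = esp_encapsulate(inner, FW1, FW2, KEY)
    router_src, router_dst, router_proto, _ = parse_ipv4(tunnel_pkt)
    return {
        "router_sees": (router_src, router_dst, router_proto),
        "lan_addr_visible_on_wire": IPv4Address(LAN_A_HOST).packed in tunnel_pkt,
        "inner_after_router_nat": parse_ipv4(esp_decapsulate(nat_on_router(tunnel_pkt), KEY))[:2],
        "inner_after_firewall_nat": parse_ipv4(esp_decapsulate(nat_on_firewall(inner), KEY))[:2],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the router seeing only `203.0.113.1 -> 198.51.100.1` with protocol 50, the LAN source untouched when the NAT sits on the router, and the LAN source translated to `172.16.1.10` when Firewall 1 applies the NAT before encapsulation. On real equipment the same ordering matters: the translation has to be in place before the traffic is matched against the crypto policy, which is why the firewall terminating the tunnel is the place to configure it.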

Replies
Community Member

Re: NAT inside Site-to-Site VPN Tunnel

Thank you for the quick reply!

-MB
