01-20-2014 07:13 PM - edited 03-07-2019 05:41 PM
Hi All
A client wants to set up a site-to-site VPN with us, and they want us to send a public IP address through the tunnel. The VPN tunnel is between one of our servers (172.16.46.88) and one of their servers. Our server has already been NATted to a public IP address, and clients can browse to it without a VPN (see below):
static (inside,outside) tcp 203.201.183.233 www 172.16.46.88 www netmask 255.255.255.255
static (inside,outside) 203.201.183.233 172.16.46.88 netmask 255.255.255.255
What I'm trying to do is NAT the server IP address to another public IP address and send that through the tunnel. I tried a policy NAT and got the following error messages:
access-list client-vpn extended permit ip host 172.16.46.88 w.x.y.z 255.255.255.0
static (inside,outside) 203.201.183.220 access-list client-vpn
WARNING: real-address conflict with existing static
TCP inside:172.16.46.88/80 to outside:203.201.183.233/80 netmask 255.255.255.255
INFO: overlap with existing static
inside:172.16.46.88 to outside:203.201.183.233 netmask 255.255.255.255
01-21-2014 01:01 AM
Why not just use the existing public IP?
As long as you are specific in your crypto map access-list with their destination server, the only traffic that should be sent via the VPN tunnel is traffic whose destination IP is their server IP.
Jon
01-21-2014 04:21 PM
Hi Jon
The idea of a crypto map ACL is to identify which traffic is to be encrypted and which is not. In this case, the crypto map ACL would be something like:
access-list client-vpn extended permit ip host 172.16.46.88 host a.b.c.d
access-list client-vpn extended permit ip host 172.16.46.88 host e.f.g.h
where a.b.c.d and e.f.g.h would be the IP addresses of the destination servers.
crypto map outside_map 2 match address client-vpn
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer w.x.y.z
crypto map outside_map 2 set ikev1 transform-set ESP-AES-256
Pardon my ignorance, but how does the server IP address get translated to the public IP address when it goes through the tunnel?
01-22-2014 01:57 AM
As long as the tunnel goes via the outside interface, your "static (inside,outside) ..." statement applies.
So that statement still applies. If the VPN tunnel went via a different interface than the outside interface then it wouldn't, but then you wouldn't be getting the overlap errors.
Jon
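A worked configuration, added here as an example and not taken from the thread, showing how the existing static and the crypto map fit together on the pre-8.3 ASA code that the `static (inside,outside)` syntax above indicates. On 8.2 and earlier the static translation is applied before the crypto map ACL is evaluated for packets leaving the outside interface, so the crypto ACL (and the peer's mirror ACL) should reference the translated address 203.201.183.233 rather than the real 172.16.46.88; NAT exemption (`nat 0`) is deliberately not configured, since the point is to present the public address inside the tunnel. The peer addresses a.b.c.d, e.f.g.h and w.x.y.z are the thread's placeholders; the transform-set name, the `packet-tracer` port numbers and the `show` command are assumptions. ISAKMP policy and tunnel-group configuration are omitted.

```cisco
! Existing static (from the thread): 172.16.46.88 is always presented as 203.201.183.233 on outside.
static (inside,outside) 203.201.183.233 172.16.46.88 netmask 255.255.255.255

! Crypto ACL: match on the TRANSLATED source. Assumption: ASA 8.2 or earlier, where the
! static above is applied before the crypto map check, so host 172.16.46.88 would never match.
access-list client-vpn extended permit ip host 203.201.183.233 host a.b.c.d
access-list client-vpn extended permit ip host 203.201.183.233 host e.f.g.h

! No "nat (inside) 0 access-list ..." exemption for this traffic: the public address is wanted inside the tunnel.

! Transform set name is an assumption; the thread only references ESP-AES-256.
crypto ipsec transform-set ESP-AES-256 esp-aes-256 esp-sha-hmac
crypto map outside_map 2 match address client-vpn
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer w.x.y.z
crypto map outside_map 2 set transform-set ESP-AES-256
crypto map outside_map interface outside

! The peer's mirror ACL must also reference the translated address, e.g. on their side:
! access-list vpn-to-client extended permit ip host a.b.c.d host 203.201.183.233

! Checks (port numbers are assumed):
! packet-tracer input inside tcp 172.16.46.88 80 a.b.c.d 40000
!   should show a NAT phase translating to 203.201.183.233 followed by a VPN phase with ALLOW.
! show crypto ipsec sa peer w.x.y.z
!   the local ident should be 203.201.183.233/255.255.255.255, not 172.16.46.88.
```

The original policy NAT to 203.201.183.220 failed because the same real address already has a one-to-one static on the same interface pair; a second static for 172.16.46.88 overlaps it, which is why the simplest fix is to keep the existing 203.201.183.233 and make the crypto ACL specific to the peer's server addresses.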
01-22-2014 04:18 PM
Thanks, Jon