Cisco Support Community

New Member

site to site vpn natting

Hi all, we have just had a router and ASA installed on our network. The ASA terminates site-to-site tunnels to our other buildings. If the router is already NATting to an internal address of the firewall, do we still need to do no-NAT for the site-to-site traffic? How will this work?

4 REPLIES

Re: site to site vpn natting

Carl,

Simply - yes and you need to make sure that the NAT'd IP subnet is the interesting VPN encrypted traffic.

HTH.

New Member

Re: site to site vpn natting

Can you please explain this? Basically, we have a router with an internet IP; this then NATs an internet IP to a private address of the outside interface of the firewall. Would we have to turn NAT off for all outbound traffic? Also, what would we do with the site-to-site tunnel policy?

New Member

Re: site to site vpn natting

Check your NAT exemption rules. You should have a rule allowing your local internal address scheme to the remote ASA's internal IP scheme. This exempts NATing outbound to your remote site over the site-to-site tunnel.

Edit: I'm sorry, I didn't see that you were NATing with a router.

Re: site to site vpn natting

Nothing changes with the normal operation of the VPN tunnel. In your case the ASA does not need to perform any NAT, as you are using internal IP addressing. As the external router is performing all the NAT, the ASA does not have to.

HTH.
