Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
458
Views
0
Helpful
5
Replies

LAN to LAN PAT/NAT on 3020 concentrator

Go to solution
jstewart33
Level 1
Level 1

‎06-02-2008 12:31 PM - edited ‎03-09-2019 08:49 PM

I have a customer who wants to create a L2L tunnel, but says that they will only allow us to use up to three IP addresses. I've never had any other customers ask me to do it this way and I'm a little stumped as how I should make it work. I'm guessing some form of NAT/PAT should solve the issue for me. Could someone please steer me in the right direction.

Thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to jstewart33

‎06-03-2008 08:36 AM

Yes you can use this approach for NAT. Perhaps they are 'over-cautious' with their security.

Regards

Farrukh

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni

‎06-03-2008 03:10 AM

I hope this document is a good start:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml

Regards

Farrukh

0 Helpful

Go to solution
jstewart33
Level 1
Level 1
In response to Farrukh Haroon

‎06-03-2008 05:33 AM

Thank you for your response, but what I'm specifically looking for is being able to take a range of addresses on LAN and NAT to a single IP address. The customer has said that they will only allow up to three IP addresses. I have about 10 users that will need access to this L2L tunnel. So, I'm confused on how to accomplish this if they won't allow an entire subnet or my 10 IP addresses. Thanks in advance!

Jerrod

0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to jstewart33

‎06-03-2008 06:59 AM

The Concentrator supports Dynamic NAT and PAT as well, but this is only for Outbound traffic. Have a look at:

http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/polmgt.html#wp1639218

So its like a Walkie Talkie :)

A better approach would be to do the NAT/PAT on some device 'before' the Concentrator (If possible)

Regards

Farrukh

0 Helpful

Go to solution
jstewart33
Level 1
Level 1
In response to Farrukh Haroon

‎06-03-2008 08:25 AM

So basically I need to PAT or NAT overload on a router and then do a one to one Static NAT on the concentrator to be able to translate the one IP address the customer will allow. Have you ever seen problems with doing it this way? I'm curious as to why they are wanting to do it this way. Thank you very much.

0 Helpful

Go to solution
Farrukh Haroon
VIP Alumni
VIP Alumni
In response to jstewart33

‎06-03-2008 08:36 AM

Yes you can use this approach for NAT. Perhaps they are 'over-cautious' with their security.

Regards

Farrukh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents