Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
437
Views
0
Helpful
3
Replies

Static across an IOS to IOS VPN

Go to solution
bbernard
Level 1
Level 1

‎06-25-2007 12:35 PM - edited ‎02-21-2020 03:07 PM

I have a situation where I own both sides of a VPN tunnel between IOS boxes with no NAT at all. However, I have 2 servers that I now have to static NAT to two brand new IP addresses to meet network requirements on the "far" end. Unfortunately I never NAT on an IOS device--always a PIX/ASA or VPN-3000 box, and just haven't gotten the hang of it from the configuration examples.

A basic example of how to do this (without NATing any of the other traffic) would be greatly appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
sundar.palaniappan
Level 10
Level 10

‎06-25-2007 03:18 PM

Just configure static NAT for both servers. Here's a sample config.

int e0

description 'LAN'

ip address 172.16.1.1 255.255.255.0

ip nat inside

int e1

description 'Internet'

ip address 192.168.1.1 255.255.255.248

ip nat outside

ip nat inside source static 172.16.1.254 10.1.1.254

172.16.1.254 --> Real Address of the Server.

10.1.1.254 --> Global address of the Server to which the far end user sends traffic to.

HTH

Sundar

View solution in original post

0 Helpful
3 Replies 3

Go to solution
sundar.palaniappan
Level 10
Level 10

‎06-25-2007 03:18 PM

Just configure static NAT for both servers. Here's a sample config.

int e0

description 'LAN'

ip address 172.16.1.1 255.255.255.0

ip nat inside

int e1

description 'Internet'

ip address 192.168.1.1 255.255.255.248

ip nat outside

ip nat inside source static 172.16.1.254 10.1.1.254

172.16.1.254 --> Real Address of the Server.

10.1.1.254 --> Global address of the Server to which the far end user sends traffic to.

HTH

Sundar

0 Helpful

Go to solution
bbernard
Level 1
Level 1
In response to sundar.palaniappan

‎06-26-2007 10:23 AM

Sundar,

Thank you. Please verify for me that this will not cause any negative impact on the other traffic on the network, for instance requiring me to write NAT rules for anything else? I just want to be certain before I proceed as it is a production system and I don't have the luxury of a test-system right now.

0 Helpful

Go to solution
sundar.palaniappan
Level 10
Level 10
In response to bbernard

‎06-26-2007 03:50 PM

There's no need for explicit NAT rules for other traffic and they would continue to pass un-natted. The one thing you would have to do is, if you aren't doing GRE tunneling with IPSEC, your crypto access list should permit traffic to the NAT (global) address of the Server to be encrypted. The other side should mirror this access list.

HTH

Sundar

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents