We have two 3060 VPN concentrators and we are going to employ a LAN-to-LAN IPsec tunnel between the two, but we have a few questions. What will the source address of the packets be when they reach the private address of the other side? Do I have to adjust ACLs on both sides of the tunnel to recognize packets from the other side, or do the packets appear to be coming from the public or private interface of the VPN concentrator?
"What will the source address of the packets be when they reach the private address of the other side?"
Assuming you employ ESP in tunnel mode, the source IP address will be the original IP address as generated by the source device. Thus, if a device sends an IP packet with private network source address "A" to a device with private network destination address "B", the packet will be encrypted and encapsulated using the IP address on the public interface on the source VPN concentrator. The encapsulation destination address will be the public interface IP address of the remote VPN concentrator. When the encapsulated IP packet reaches the remote VPN concentrator, it will be decrypted to recover the original IP packet bearing source address "A" and destination address "B". Here's a quick schematic of the IP packet as encapsulated in ESP tunnel-mode by the VPN concentrator (assuming the source concentrator has a public interface address of "X" and the remote concentrator a public address of "Y"):
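As an added illustration of the encapsulation described in this answer (example code, not from the original reply or from Cisco): it builds the original packet A -> B, wraps it in ESP tunnel mode inside an outer X -> Y header, and then unwraps it the way the remote concentrator would. The addresses are constructed, and the ESP body is left in cleartext to expose the layout; a real concentrator encrypts it and appends an integrity check value.

```python
import struct
import ipaddress
ESP_PROTO = 50     # IP protocol number carried in the outer header
NEXT_HDR_IPV4 = 4  # ESP trailer "next header" value for an IPv4 packet inside

def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes) -> dict:
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    return {"src": str(ipaddress.ip_address(pkt[12:16])),
            "dst": str(ipaddress.ip_address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:total]}

def esp_tunnel_encapsulate(inner: bytes, outer_src: str, outer_dst: str, spi: int, seq: int) -> bytes:
    """Wrap a whole IP packet in ESP tunnel mode (RFC 4303 layout). The ESP body stays in
    cleartext here so the structure is visible; a real concentrator encrypts it and adds an ICV."""
    pad_len = (-(len(inner) + 2)) % 4   # pad so pad-length + next-header end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HDR_IPV4])
    esp_payload = struct.pack("!II", spi, seq) + inner + trailer
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp_payload)) + esp_payload

def esp_tunnel_decapsulate(outer_pkt: bytes) -> dict:
    """What the remote concentrator forwards onto its private interface: the original packet."""
    outer = parse_ipv4(outer_pkt)
    if outer["proto"] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    body = outer["payload"][8:]          # skip SPI and sequence number
    pad_len, next_hdr = body[-2], body[-1]
    if next_hdr != NEXT_HDR_IPV4:
        raise ValueError("not an IPv4 packet in tunnel mode")
    return parse_ipv4(body[:len(body) - 2 - pad_len])

# Constructed addresses: A/B are the private hosts, X/Y the concentrators' public interfaces.
A, B, X, Y = "10.1.1.10", "10.2.2.20", "203.0.113.1", "198.51.100.1"
inner_pkt = ipv4_header(A, B, 6, 4) + b"\xde\xad\xbe\xef"  # proto 6 = TCP; 4-byte stand-in payload
wire_pkt = esp_tunnel_encapsulate(inner_pkt, X, Y, spi=0x1000, seq=1)
on_wire, after_decap = parse_ipv4(wire_pkt), esp_tunnel_decapsulate(wire_pkt)
print("outside interface sees:", on_wire["src"], "->", on_wire["dst"], "proto", on_wire["proto"])
print("inside interface sees: ", after_decap["src"], "->", after_decap["dst"], "proto", after_decap["proto"])
```

The two printed lines are the practical answer to the ACL question: an ACL on the remote concentrator's public side only ever sees protocol 50 from X to Y, while an ACL applied after decapsulation (the private side) matches on the original source A and destination B.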