Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

ASA Site-to-Site VPN Configuration - NAT questions

Greetings,

I am tasked with configuring a site-to-site VPN connection to a business partner in which I would first like to NAT my internal IPs to a public IP then send it across the tunnel, and vice versa when they try to access my servers I would like them to get to them via the external IP.  Here is what I think I need to do, but I wondered what the community's thoughts were.

All IP addresses represented below are fictional.

Internal Servers          Public IP

10.50.220.150           208.180.170.182    

10.50.220.151           208.180.170.183

10.50.220.152           208.180.170.184

Local Peer IP:      208.180.254.29

Remote Peer IP:  207.190.218.31

Local Network:     208.180.170.0/24

Remote Network:  207.190.239.0/24

From my understanding, NAT will occur before being sent out through a tunnel, or to the internet, etc, so the configuration I am thinking I need is the following:

nat (inside) 0 access-list nonat

nat (inside) 2 10.50.220.150

nat (inside) 3 10.50.220.151

nat (inside) 4 10.50.220.152

global (outside) 2 208.180.170.182

global (outside) 3 208.180.170.183

global (outside) 4 208.180.170.184

access-list nonat extended permit ip 208.180.170.0 255.255.255.0 207.190.239.0 255.255.255.0   (Do I even need this since its getting NATed to a public IP anyway?)

access-list s2s-Customer extended permit ip 208.180.170.0 255.255.255.0 207.190.239.0 255.255.255.0

route outside 207.190.239.0 255.255.255.0 207.190.218.31

crypto map outside 1 set peer 207.190.218.31

crypto map outside 1 match address s2s-Customer

[..rest of configuration ommitted..]

Does that look/sound right? If not, please advise.


Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ASA Site-to-Site VPN Configuration - NAT questions

Yes.

PAT (nat/global) will take care of outbound traffic and static will take care of inbound traffic.

You can create Policy NAT as well to manage this traffic.

Federico.

3 REPLIES

Re: ASA Site-to-Site VPN Configuration - NAT questions

Hi,

You're correct.

Normally you don't NAT the VPN traffic since the communication goes privately through the internet but you can definitely NAT the VPN traffic if needed.

You don't need the nat0 statement because that's to bypass NAT (therefore there's no need for the ACL referenced to the nat0).

The crypto ACL defines the traffic from the NATed IP to the NATed IP of the other side.

Hope it helps.

Federico.

Re: ASA Site-to-Site VPN Configuration - NAT questions

Federico,

Thanks for the response.  One more question.

The NAT/PAT statements there take care of outbound NAT, but I assume I will also need static (inside,outside) NAT statements to take care of the inbound NAT, should users across the VPN tunnel want to initiate the traffic to our server.  Is this correct?

Does the NAT order of operations take place inbound before attempting to pass traffic?

Re: ASA Site-to-Site VPN Configuration - NAT questions

Yes.

PAT (nat/global) will take care of outbound traffic and static will take care of inbound traffic.

You can create Policy NAT as well to manage this traffic.

Federico.

557
Views
5
Helpful
3
Replies
CreatePlease to create content