Cisco Support Community
jcr
New Member

IOS IPSEC Site-to-Site Tunnel

Is it possible to use the same tunnel endpoint IP address as a static NAT address?

LAN1--->Router>>>STATIC NAT>>>>IPSEC<<<Internet>>> Reverse Process

3 REPLIES
Hall of Fame Super Blue

Re: IOS IPSEC Site-to-Site Tunnel

jcr@att.com

Is it possible to use the same tunnel endpoint IP address as a static NAT address?

LAN1--->Router>>>STATIC NAT>>>>IPSEC<<<Internet>>> Reverse Process

Not sure what you are asking here?

The tunnel end point needs to be assigned to an interface such as the outside interface. You can indeed also use this address to NAT internal clients.

Jon

Bronze

Re: IOS IPSEC Site-to-Site Tunnel

Hi,


host 10.10.10.1 router 1.1.1.1  [[[ Internet + IPSec ]]]] 


My understanding is that you are asking whether you can NAT the internal host 10.10.10.1 to the router's public IP address 1.1.1.1, where 1.1.1.1 is the tunnel endpoint for IPsec. Please correct me if I am wrong.

If that is what you are asking, then here is your answer:

"It would be like a static NAT for the interface to an inside address, so anything coming at the interface will get translated, including UDP 500. Hence IPsec will fail."

So instead of using the router's public IP address, use any free available IP address if you have one.



Hope this answers your questions



Regards

M

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries
New Member

Re: IOS IPSEC Site-to-Site Tunnel

Hi,

As long as you map only the required ports (TCP or UDP) for the application, the ports for IPsec don't get forwarded and you can still create a VPN tunnel to the interface.

See the example below, mapping port 25 to inside IP 192.168.1.20.

static (inside,outside) tcp interface 25 192.168.1.20  25 netmask 255.255.255.255

Regards

Durga Prasad

Rate if this helps
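
A static NAT audit for the situation discussed in this thread, as an added example that is not part of any reply: it scans IOS `ip nat inside source static` lines (the `static (inside,outside)` line above is the PIX/ASA form) and reports entries that would translate IKE traffic, UDP 500 and UDP 4500 for NAT-T, arriving at the tunnel endpoint. The sample config, the interface name GigabitEthernet0/0, the hosts 192.168.1.30 and 192.168.1.40 and the address 1.1.1.2 are constructed for illustration.

```python
# Added example: audits IOS static NAT lines against the tunnel endpoint address.
PREFIX = "ip nat inside source static "
IKE_UDP_PORTS = {500, 4500}  # IKE, and IKE/ESP over NAT-T

# Constructed sample config; 1.1.1.1, 10.10.10.1 and 192.168.1.20 come from the
# thread, everything else (interface name, other hosts) is hypothetical.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 crypto map VPN
!
ip nat inside source static 10.10.10.1 1.1.1.1
ip nat inside source static tcp 192.168.1.20 25 interface GigabitEthernet0/0 25
ip nat inside source static udp 192.168.1.30 500 1.1.1.1 500
ip nat inside source static tcp 192.168.1.40 443 1.1.1.2 443
"""


def audit_static_nat(config, endpoint_ip, endpoint_if):
    """Return (line, reason) pairs for static NAT entries that would take
    IKE traffic addressed to the tunnel endpoint and send it to an inside host."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue
        args = line[len(PREFIX):].split()
        if args and args[0] in ("tcp", "udp"):
            # Port form: <proto> <local-ip> <local-port> <global> <global-port>
            proto, rest = args[0], args[3:]
            if len(rest) >= 3 and rest[0] == "interface":
                on_endpoint, port = rest[1] == endpoint_if, rest[2]
            elif len(rest) >= 2:
                on_endpoint, port = rest[0] == endpoint_ip, rest[1]
            else:
                continue  # malformed or truncated line
            if on_endpoint and proto == "udp" and port.isdigit() and int(port) in IKE_UDP_PORTS:
                findings.append((line, f"UDP {port} on the endpoint is forwarded inside"))
        elif len(args) >= 2 and args[1] == endpoint_ip:
            # One-to-one form: every port and protocol is translated, UDP 500 included
            findings.append((line, "one-to-one NAT on the tunnel endpoint address"))
    return findings


if __name__ == "__main__":
    for line, reason in audit_static_nat(SAMPLE_CONFIG, "1.1.1.1", "GigabitEthernet0/0"):
        print(f"{reason}: {line}")
```

On the sample, the one-to-one entry and the UDP 500 entry are reported, while the TCP 25 mapping on the interface and the mapping on a separate address pass.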
