372 Views · 0 Helpful · 2 Replies

ipsec site to site vpn NAT

zeuscyril
Level 4

Hi all,

I have one small doubt, maybe it is silly:

Is NAT a must on the IPsec site-to-site VPN?

I mean, do there have to be NAT inside and NAT outside interfaces, or can we also do site-to-site VPN without NAT?

Because I am trying to connect two routers with a physical cable (outside interfaces).

Then I am trying to make an IPsec site-to-site tunnel so that the internal interface on one end can communicate with the other side's internal networks.

thanks

cyril

2 Replies

Jouni Forss
VIP Alumni

Hi,

Sorry for going slightly off topic.

I am personally not sure if the Cisco Router behaviour differs from the Cisco ASA.

If we were to presume a situation where we had 2 ASA firewalls without any NAT configurations and a L2L VPN connection was created between them, then they would not require any type of NAT configuration whatsoever.

Usually the situation is though that the customer has the Cisco ASA as both an Internet gateway and VPN gateway, and that means there is a Dynamic PAT present to enable the users' Internet connectivity, and this always means that you need a NAT0 configuration to bypass the Dynamic PAT. Naturally there is an option to configure the L2L VPN to use the Dynamic PAT address as the source, but this is not a very usual solution as it blocks all connectivity towards this site's hosts through the L2L VPN connection.

The only IOS devices that I use for L2L VPN connections are different Cisco 6500/7600 series VPN modules or ASR routers. On these devices at least we don't configure any type of NAT for the L2L VPN connections, so my assumption is that you won't need one for your Routers unless they have existing NAT configurations that need to be bypassed.

Are you having problems getting some L2L VPN connection up between some Cisco Routers?

- Jouni

Of course you can use VPN without NAT, and that is also the common way to configure it. You have two ways to implement it:

1) The "modern" way: If both routers are running IOS, then you can use VTIs / IPsec-tunnel-interfaces. On these tunnels you just don't configure NAT.

2) The legacy way: You are using crypto maps on the interface with the "ip nat outside" command. Now you configure your NAT rule with NAT exemption. For that, the ACL you reference has deny statements for your VPN traffic.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
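The two replies above describe the same mechanism from two angles: on an IOS router with a crypto map, inside-to-outside traffic is translated by NAT before the crypto map's ACL is evaluated, so VPN traffic that gets caught by the Dynamic PAT no longer matches the crypto ACL and leaves the router unencrypted. The NAT exemption (deny statements in the NAT ACL, or NAT0 on the ASA) prevents that. The following Python model is an added example, not code from either poster or from Cisco; it simulates that order of operations with constructed sample networks (192.168.1.0/24 local, 192.168.2.0/24 remote, 203.0.113.1 as the outside address) and shows the three cases discussed: no NAT at all, Dynamic PAT without exemption, and Dynamic PAT with exemption.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing for the simulation (not from the thread).
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")
REMOTE_LAN = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
OUTSIDE_IP = ipaddress.ip_address("203.0.113.1")


@dataclass(frozen=True)
class AclEntry:
    """One line of an extended ACL: action plus source/destination networks."""
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def acl_match(acl, src_ip, dst_ip):
    """First-match evaluation; returns the action or None for the implicit deny."""
    for entry in acl:
        if src_ip in entry.src and dst_ip in entry.dst:
            return entry.action
    return None


def dynamic_pat(nat_acl, outside_ip, src_ip, dst_ip):
    """Models 'ip nat inside source list <acl> interface <outside> overload':
    the source is translated only when the NAT ACL *permits* the packet.
    A 'deny' line (the NAT exemption) leaves the address untouched."""
    if acl_match(nat_acl, src_ip, dst_ip) == "permit":
        return outside_ip
    return src_ip


def egress(nat_acl, crypto_acl, outside_ip, src, dst):
    """Inside-to-outside path on an IOS router: NAT runs first, then the
    crypto map ACL is checked against the *translated* packet.
    Returns (source address as sent, whether the packet gets encrypted)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    translated = dynamic_pat(nat_acl, outside_ip, src_ip, dst_ip)
    encrypted = acl_match(crypto_acl, translated, dst_ip) == "permit"
    return str(translated), encrypted


# Crypto map ACL: encrypt local LAN -> remote LAN.
CRYPTO_ACL = [AclEntry("permit", LOCAL_LAN, REMOTE_LAN)]

# Case 1 (the original question): no NAT configured at all.
NAT_ACL_NONE = []

# Case 2: Dynamic PAT for Internet access, but no exemption for VPN traffic.
NAT_ACL_NO_EXEMPTION = [AclEntry("permit", LOCAL_LAN, ANY)]

# Case 3: the "legacy way" from the reply: deny VPN traffic first, then PAT the rest.
NAT_ACL_EXEMPTION = [
    AclEntry("deny", LOCAL_LAN, REMOTE_LAN),
    AclEntry("permit", LOCAL_LAN, ANY),
]


if __name__ == "__main__":
    for label, nat_acl in (("no NAT", NAT_ACL_NONE),
                           ("PAT, no exemption", NAT_ACL_NO_EXEMPTION),
                           ("PAT with exemption", NAT_ACL_EXEMPTION)):
        vpn = egress(nat_acl, CRYPTO_ACL, OUTSIDE_IP, "192.168.1.10", "192.168.2.20")
        web = egress(nat_acl, CRYPTO_ACL, OUTSIDE_IP, "192.168.1.10", "198.51.100.5")
        print(f"{label:20s} VPN traffic -> {vpn}   Internet traffic -> {web}")
```

Running it shows that with no NAT the VPN traffic is encrypted as-is, that Dynamic PAT without a deny line rewrites the source to 203.0.113.1 so the crypto ACL no longer matches and the packet goes out in the clear, and that the exemption restores the first behaviour while Internet-bound traffic is still translated.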
