New Member

PAT and VPN

Hi,

I have one query: currently I have PAT configured for 10 servers against one public IP (x.x.x.x) on the ASA. Now I have to configure a few VPN tunnels with the clients, and I want the tunnel encryption domain IP to be the x.x.x.x public IP, which is NATed against those 10 IPs. Is it possible? If yes, how?

Traffic going out through the tunnels would be from any of those 10 servers to outside clients.

Thanks,

Pawan


4 REPLIES

Re: PAT and VPN

Hi,

Normally you don't NAT the VPN traffic.

In case you want to NAT/PAT the VPN traffic, you enable NAT before encryption, so that through the tunnel the IP seen is the public IP.

If this is on an ASA, make sure there isn't any NAT 0 access-list statement for the hosts (bypassing NAT).

Federico.

New Member

Re: PAT and VPN

Hi Federico,

If this is not normal, then how do we make sure that only the source connects to the destination and not vice versa? Also, if we don't use any NAT, then I have to expose our entire inside subnet, which I don't want to.

Also, could you please give me an example of how I enable NAT before encryption? I can do normal NAT/PAT but am not sure if it's the same.

Thanks,

Pawan

Re: PAT and VPN (Accepted Solution)

I mean that usually you don't need to NAT the traffic that goes through the tunnel because you don't need those addresses to be public.

If for some reason you do need NAT/PAT, then you can configure it like that.

Here's an example:

Site A Local Network 10.1.1.0/24

Site A PAT address: 200.1.1.1

Site B: Local Network: 10.2.2.0/24

Site B: Public IP: 200.2.2.1

So, normally you avoid NATing the VPN traffic and have communication between both sites from 10.1.1.0/24 to 10.2.2.0/24.

In this case if you want to PAT the traffic, then you do the following:

Site A:

nat (inside) 1 10.1.1.0 255.255.255.0

global (outside) 1 interface

access-list VPN permit ip host 200.1.1.1 10.2.2.0 255.255.255.0  --> This is the crypto ACL

You need to make sure there's no nat 0 for that traffic.

In this case, when traffic goes from 10.1.1.0/24 to 10.2.2.0/24, the traffic will get PATed and then encrypted and sent through the tunnel.

Only Site A can initiate the VPN tunnel.

Federico.
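To put the three lines above in context, here is a fuller Site A configuration in the same pre-8.3 ASA syntax. This is an added example, not Federico's or Cisco's own text; the transform set and crypto map names, the IKE policy values and the pre-shared key placeholder are assumptions, and everything else uses the addresses from the thread.

```cisco
! Site A ASA, pre-8.3 NAT syntax (added example; names below are assumed)
! Inside 10.1.1.0/24, outside interface 200.1.1.1, peer 200.2.2.1 (remote 10.2.2.0/24)

! 1. PAT the inside subnet to the outside interface address.
!    On this platform NAT is applied before the crypto ACL is evaluated,
!    so the tunnel only ever carries 200.1.1.1 as the source.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! 2. Make sure there is NO NAT exemption covering this traffic. A pair such as
!      access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!      nat (inside) 0 access-list NONAT
!    would bypass PAT and the packets would no longer match the crypto ACL.

! 3. Crypto ACL: the source is the translated address, not the inside subnet.
access-list VPN extended permit ip host 200.1.1.1 10.2.2.0 255.255.255.0

! 4. IKEv1 phase 1 and IPsec phase 2 (assumed values).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN
crypto map OUTSIDE_MAP 10 set peer 200.2.2.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

tunnel-group 200.2.2.1 type ipsec-l2l
tunnel-group 200.2.2.1 ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>

! Site B's mirror crypto ACL only references 200.1.1.1, so Site B never
! learns 10.1.1.0/24 and cannot initiate toward the inside hosts:
!   access-list VPN extended permit ip 10.2.2.0 255.255.255.0 host 200.1.1.1
```

After the tunnel comes up, "show crypto ipsec sa" on Site A should list the local identity as 200.1.1.1/255.255.255.255 and "show xlate" should show the 10.1.1.x hosts translated to 200.1.1.1, which confirms PAT happened before encryption.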

New Member

Re: PAT and VPN

Thanks Federico. It's really helpful.
