PAT and VPN

winpwnkmr
Level 1

Hi,

I have one query. Currently I have configured 10 servers PAT against one public IP (x.x.x.x) in ASA. Now I have to configure a few VPN tunnels with the clients, and I want that tunnel encryption domain IP to be the x.x.x.x public IP, which is NATted against those 10 IPs. Is it possible? If yes, how?

Traffic which will go out from the tunnels would be from any of those 10 servers to outside clients.

Thanks,

Pawan

1 Accepted Solution

Accepted Solutions

I mean that usually you don't need to NAT the traffic that goes through the tunnel because you don't need those addresses to be public.

If for some reason you do need NAT/PAT, then you can configure it like that.

Here's an example:

Site A Local Network 10.1.1.0/24

Site A PAT address: 200.1.1.1

Site B: Local Network: 10.2.2.0/24

Site B: Public IP: 200.2.2.1

So, normally you avoid NATing the VPN traffic and have communication between both sites from 10.1.1.0/24 to 10.2.2.0/24.

In this case if you want to PAT the traffic, then you do the following:

Site A:

nat (inside) 1 10.1.1.0 255.255.255.0

global (outside) 1 interface

access-list VPN permit ip host 200.1.1.1 10.2.2.0 255.255.255.0  --> This is the crypto ACL

You need to make sure there's no nat 0 for that traffic.

In this case, when traffic goes from 10.1.1.0/24 to 10.2.2.0/24, the traffic will get PATed and then encrypted and sent through the tunnel.

Only Site A can initiate the VPN tunnel.

Federico.


4 Replies

Hi,

Normally you don't NAT the VPN traffic.

In case you want to NAT/PAT the VPN traffic, you enable NAT before encryption, so that through the tunnel the IP seen is the public IP.

If this is on an ASA, you make sure there's not any NAT 0 access-list statement for the hosts (bypassing NAT).

Federico.

Hi Federico,

If this is not normal, then how do we make sure that only the source connects to the destination and not vice versa? Also, if we don't use any NAT, then I have to expose our entire inside subnet, which I don't want to.

Also, could you please give me some example of how I enable NAT before encryption? I can do normal NAT/PAT but am not sure if it's the same.

Thanks,

Pawan

Thanks Federico. It's really helpful.
