04-21-2010 10:02 AM
Hi,
I have one query. Currently I have configured 10 servers PAT against one public IP (x.x.x.x) in ASA. Now I have to configure a few VPN tunnels with the clients and I want that tunnel encryption domain IP as the x.x.x.x public IP, which is natted against those 10 IPs. Is it possible? If yes, how?
Traffic which will go out from the tunnels, would be from any of the those 10 servers to outside clients.
Thanks,
Pawan
04-21-2010 10:07 AM
Hi,
Normally you don't NAT the VPN traffic.
In case you want to NAT/PAT the VPN traffic, you enable NAT before encryption, so that through the tunnel the IP seen is the public IP.
If this is on an ASA, you make sure there's not any NAT 0 access-list statement for the hosts (bypassing NAT).
Federico.
04-21-2010 12:38 PM
Hi Federico,
If this is not normal, then how do we make sure that only source connects to destination and not vice versa? Also if we don't use any NAT, then I have to expose our entire inside subnet, which I don't want to.
Also could you please give me some example of how I enable NAT before encryption? I can do normal NAT/PAT but not sure if it's the same.
Thanks,
Pawan
04-21-2010 02:37 PM
I mean that usually you don't need to NAT the traffic that goes through the tunnel because you don't need those addresses to be public.
If for some reason you do need NAT/PAT, then you can configure it like that.
Here's an example:
Site A Local Network 10.1.1.0/24
Site A PAT address: 200.1.1.1
Site B: Local Network: 10.2.2.0/24
Site B: Public IP: 200.2.2.1
So, normally you avoid NATing the VPN traffic and have communication between both sites from 10.1.1.0/24 to 10.2.2.0/24.
In this case if you want to PAT the traffic, then you do the following:
Site A:
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
access-list VPN permit ip host 200.1.1.1 10.2.2.0 255.255.255.0 --> This is the crypto ACL
You need to make sure there's no nat 0 for that traffic.
In this case, when traffic goes from 10.1.1.0/24 to 10.2.2.0/24, the traffic will get PATed and then encrypted and sent through the tunnel.
Only Site A can initiate the VPN tunnel.
Federico.
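To make the order of operations in Federico's example concrete, here is a small Python model of the Site A ASA (an added illustration for this thread, not Cisco code and not anything the posters wrote). It assumes the 8.2-style configuration above: dynamic PAT of 10.1.1.0/24 to 200.1.1.1, a crypto ACL written on the translated address, and a mirror ACL at Site B. The hosts, ports and the `nat_exempt` flag (which stands in for a `nat 0 access-list` covering the inside subnet) are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing taken from the example above.
INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")   # nat (inside) 1 10.1.1.0 255.255.255.0
PAT_ADDRESS = ipaddress.ip_address("200.1.1.1")    # global (outside) 1 interface
REMOTE_NET = ipaddress.ip_network("10.2.2.0/24")   # Site B local network

# access-list VPN permit ip host 200.1.1.1 10.2.2.0 255.255.255.0  (the crypto ACL)
CRYPTO_ACL = [(ipaddress.ip_network("200.1.1.1/32"), REMOTE_NET)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def matches_crypto_acl(src, dst):
    """Interesting-traffic test. The crypto map evaluates the packet AFTER NAT."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a and d in b for a, b in CRYPTO_ACL)


@dataclass
class SiteAAsa:
    # True models a "nat 0 access-list" entry that exempts 10.1.1.0/24 from NAT.
    nat_exempt: bool = False
    # PAT translation table: translated source port -> (real source IP, real source port)
    xlate: dict = field(default_factory=dict)
    _next_port: int = 1024

    def outbound(self, pkt):
        """Inside -> outside: translate first, then check the crypto ACL."""
        src, sport = pkt.src, pkt.sport
        if ipaddress.ip_address(src) in INSIDE_NET and not self.nat_exempt:
            # Dynamic PAT: every inside host appears as 200.1.1.1 with a unique port.
            sport = self._next_port
            self._next_port += 1
            self.xlate[sport] = (pkt.src, pkt.sport)
            src = str(PAT_ADDRESS)
        if matches_crypto_acl(src, pkt.dst):
            return ("encrypted", src, sport)
        # Not interesting traffic: the packet would leave the outside interface unencrypted.
        return ("cleartext", src, sport)

    def inbound_from_tunnel(self, pkt):
        """Packet decrypted from the Site B tunnel, addressed to the PAT address."""
        if not matches_crypto_acl(pkt.dst, pkt.src):   # mirror of the crypto ACL
            return ("dropped", "not-interesting")
        real = self.xlate.get(pkt.dport)
        if real is None:
            # No translation exists, so nothing tells the ASA which inside host owns
            # 200.1.1.1:dport. A connection initiated from Site B cannot be delivered.
            return ("dropped", "no-xlate")
        real_ip, real_port = real
        return ("delivered", real_ip, real_port)


if __name__ == "__main__":
    asa = SiteAAsa()
    print(asa.outbound(Packet("10.1.1.5", "10.2.2.7", 40000, 443)))
    print(asa.inbound_from_tunnel(Packet("10.2.2.7", "200.1.1.1", 443, 1024)))
    print(asa.inbound_from_tunnel(Packet("10.2.2.9", "200.1.1.1", 5555, 2000)))
    print(SiteAAsa(nat_exempt=True).outbound(Packet("10.1.1.5", "10.2.2.7", 40000, 443)))
```

Running it shows the two points from the thread: with `nat_exempt=True` (a `nat 0` entry in place) the packet keeps its 10.1.1.x source, fails the crypto ACL and is not encrypted, which is why Federico says to make sure there is no nat 0 for that traffic; and a packet from Site B that does not match an existing PAT translation is dropped, so only Site A can initiate and Site B never learns the real inside subnet.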
04-22-2010 12:17 AM
Thanks Federico. It's really helpful.