Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
464
Views
4
Helpful
2
Replies

Port Address Translation using IP Address of Interface

ementzer7
Level 1
Level 1

‎03-26-2012 09:47 AM

Hello All,

If you're using the "PAT using IP Address of Interface" option as the translated address for an IPSec VPN tunnel...then what would you use as the Local Encryption Network?

Would it be what the Outside-Network Subnet ID is?

NAT:

Source: DMZ-network/24

Destination: X.X.X.0/24

Translated Address:  A.A.A.66/28

IPSec VPN:

Name (Remote Peer IP):  X1.X1.X1.193

Local Network:  outside-network/28????? (or could this just be the NAT'd to IP address A.A.A.66/28)?

Remote Network: X.X.X.0/24

Thoughts?


Thank you for the help,

E

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎03-27-2012 06:27 AM

Hi,

In our case atleast, usually there is NAT0 / NAT Exempt for all L2L VPN traffic.

I guess you will just want to PAT all traffic from one site to the other? So basicly only one site would be establishing the connections in this L2L VPN setup? (Since you can't access host behind the PAT translations only)

To my understanding if you want to use some PAT address on your firewall as the source address for the L2L VPN traffic, you use the PAT address as your local network in the encryption domain configurations.

For example we have a setup where we have a /24 public network on our outside interface of ASA

Our encryption domain ACL therefore  has the whole /24 public network range as the source address for the L2L VPN. Some of the translations are simple PAT translations. Some are Policy PAT translations. Some are just static NATs.

Please rate if you found any information helpfull.

- Jouni

ementzer7
Level 1
Level 1
In response to Jouni Forss

‎03-27-2012 07:37 AM

Thank you for the feedback/help Jouni,

Sounds like using the "outside-network" public IP address network will be ok as the Local Encryption network for the L2L VPN?

After that, our DMZ can be PAT'd to the outside IP address of the interface itself to their remote "local" network.

Then in theory all should work.

Does the above sound right to you?

Thanks Again!

Eli

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents