We have a vendor that we need to create an S2S VPN with, and they are only allowing public IP addresses for the source address. I assume this is because they don't want to deal with the potential overlap of private IP addresses from all of their clients. I have never encountered this before, so I am not sure how to proceed and what public IP address to use.
Should I create a static one-to-one NAT for the device that needs to go across the VPN to an available public IP address?
Should I use the global PAT address that users are seen on the internet as?
I inherited this network from a previous engineer, and there are two S2S VPNs on the ASA 5520 that have the global PAT address as the source address. My concern with this is that all internal traffic will be able to go across the S2S VPN.
Re: S2S VPN with public IP address as source address
If you have an additional public IP address available on your internet pipe, you can create a policy static NAT to an available public IP on your pipe (circuit); otherwise you can still use your existing public IP on your outside interface for the policy static NAT.
Your tunnel endpoints and the interesting traffic for the VPN tunnel will be your public address and the remote public address.
I attached Cisco documentation for creating policy static NAT; however, it is for an old version of the ASA. The concept remains the same, but you need to substitute the version 7 static NAT with the 8.6 version.
Attached documents (previews truncated in the original): one on NAT operation in ASA 8.3+ (rule types, Network Object NAT, Twice NAT / Manual NAT, and which NAT types are used in which section), and one describing how NAT-T works (ESP encapsulating the entire inner TCP/UDP datagram within an ESP header).
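The following is an added worked example of the approach the reply describes, written in ASA 8.3+/8.4+ manual (twice) NAT syntax; it is not configuration from the original thread or from the attached Cisco documents. All addresses are assumed placeholders from the RFC 5737 documentation ranges: 10.1.1.10 is the one inside host that must reach the vendor, 203.0.113.10 is a spare public IP on the local circuit, 198.51.100.1 is the vendor's peer, and 198.51.100.50 is the vendor host behind the tunnel. The object names, the crypto map name and sequence number, and the IKEv1 policy values are assumptions as well.

```text
! --- Objects (assumed names and RFC 5737 placeholder addresses) ---
object network INSIDE_SERVER
 host 10.1.1.10
object network VPN_SOURCE_PUBLIC
 host 203.0.113.10
object network VENDOR_HOST
 host 198.51.100.50

! --- Policy static NAT (manual/twice NAT) ---
! Only INSIDE_SERVER, and only when talking to VENDOR_HOST, is translated
! to the dedicated public address. Every other inside host keeps hitting
! the ordinary PAT rule to the outside interface and never matches the
! crypto ACL below, which addresses the "all internal traffic" concern.
nat (inside,outside) source static INSIDE_SERVER VPN_SOURCE_PUBLIC destination static VENDOR_HOST VENDOR_HOST

! --- Interesting traffic: post-NAT (public) source, vendor destination ---
! On the ASA, NAT is applied before encryption on the way out, so the
! crypto ACL must reference the translated public address, not 10.1.1.10.
access-list VENDOR_VPN extended permit ip host 203.0.113.10 host 198.51.100.50

! --- IKEv1 / IPsec (8.4+ syntax; values assumed) ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set VENDOR_TS esp-aes-256 esp-sha-hmac

crypto map OUTSIDE_MAP 20 match address VENDOR_VPN
crypto map OUTSIDE_MAP 20 set peer 198.51.100.1
crypto map OUTSIDE_MAP 20 set ikev1 transform-set VENDOR_TS
crypto map OUTSIDE_MAP interface outside

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <shared-secret-agreed-with-vendor>

! --- Verification ---
! Confirm the manual NAT rule is hit and the flow is encrypted:
!   packet-tracer input inside tcp 10.1.1.10 12345 198.51.100.50 443
!   show nat detail
!   show crypto ipsec sa peer 198.51.100.1
```

If you take the reply's second option and reuse the outside interface address instead of a spare public IP, the isolation above is lost: any inside host PATed to the interface address and heading for 198.51.100.50 would also match the crypto ACL, which is exactly the behaviour the question describes for the two inherited tunnels. A dedicated public address plus the destination-scoped manual NAT rule is what keeps only the intended host inside the tunnel.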