Using VPN Gateway IP as encryption domain IP

Dear All,

Please kindly help me with the scenario below.

We are trying to establish a site-to-site VPN with a partner who only accepts public IPs as the encryption domain. Unfortunately, we have only one public IP address for Internet access, which means we are doing NAT overload.

My question is: how can we configure the same IP assigned to our VPN gateway as the encryption domain and map it to the original private IPs?

Regards

Timothy


Re: Using VPN Gateway IP as encryption domain IP

Hello @oladapo20,

The trick here is the NAT: you can configure the site-to-site tunnel using the external IP and also include that same IP as the source in your encryption-domain ACL. Here is an example:

! Twice NAT: LAN traffic destined to the partner host is translated to the outside interface IP
object network LOCAL_LAN
 subnet 10.10.10.0 255.255.255.0
object network PARTNER_HOST
 host 10.x.x.70
nat (inside,outside) source dynamic LOCAL_LAN interface destination static PARTNER_HOST PARTNER_HOST no-proxy-arp route-lookup

! Crypto ACL: the source is the ASA's own outside interface IP (the post-NAT address), not the LAN
access-list l2lvpn extended permit ip host <ASA-outside-IP> host 10.x.x.70

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map test_map 1 match address l2lvpn
crypto map test_map 1 set peer 40.1.1.1
crypto map test_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map test_map interface outside
crypto ikev1 enable outside

tunnel-group 40.1.1.1 type ipsec-l2l
tunnel-group 40.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *

As you can see, you are doing the NAT for your internal network to the interface when going to 10.x.x.70, and this traffic should be going through the VPN tunnel. If you already have the NAT for Internet where you are NATting everything, this should work also; the ASA will know how to send the traffic back to the internal resource.

The only downside is that the remote end cannot initiate traffic, since the ASA will not know where to send the traffic. If you can provide more info, I can provide the exact commands for you.

HTH
Gio

Re: Using VPN Gateway IP as encryption domain IP

Hello Gio,

Thank you for the quick response and information. Unfortunately, our router is not an ASA, so it is not possible to configure nat (inside,outside). However, we will try to translate your suggestion on the router.

Regards

Timothy
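Since Timothy's gateway is an IOS router rather than an ASA, the following added example (it is not from either post, nor from Cisco documentation) shows how Gio's approach maps onto IOS: the LAN is PAT'ed onto the outside interface address for all destinations, including the partner host, and the crypto ACL names the router's public IP as the encryption domain. This works because IOS performs inside-to-outside NAT before the crypto map is evaluated, so by the time the crypto ACL is checked the source is already the public IP. Assumed values: outside interface GigabitEthernet0/0 with public IP 203.0.113.10, inside interface GigabitEthernet0/1 with LAN 10.10.10.0/24, and the ACL, map and transform-set names; the peer 40.1.1.1 and the partner host 10.x.x.70 are the thread's own values (10.x.x.70 is the thread's placeholder). The proposal uses AES/SHA-256 instead of the 3DES/SHA-1 set in the ASA example.

```cisco
! Added example, not from the thread. Assumed: Gi0/0 outside 203.0.113.10/29, Gi0/1 inside 10.10.10.0/24.
!
! Phase 1 (IKEv1) policy and pre-shared key for the partner peer
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 40.1.1.1
!
! Phase 2 transform set
crypto ipsec transform-set PARTNER-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: the encryption domain is the router's own public IP, not the LAN.
! IOS translates inside-to-outside traffic before the crypto map is checked, so LAN
! packets to the partner host already carry source 203.0.113.10 when this ACL is evaluated.
ip access-list extended PARTNER-VPN
 permit ip host 203.0.113.10 host 10.x.x.70
!
crypto map PARTNER-MAP 10 ipsec-isakmp
 set peer 40.1.1.1
 set transform-set PARTNER-TS
 match address PARTNER-VPN
!
! PAT: the whole LAN is overloaded onto the outside interface IP. Unlike the usual
! "deny VPN traffic from NAT" pattern, traffic to the partner host is deliberately NOT
! excluded here, because the partner must see the public IP as the source.
ip access-list extended NAT-INSIDE
 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 description Outside / Internet
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 crypto map PARTNER-MAP
!
interface GigabitEthernet0/1
 description Inside LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
```

To verify, generate traffic from a LAN host to 10.x.x.70 and check `show crypto isakmp sa` (Phase 1 up), `show crypto ipsec sa` (encaps/decaps counters increasing for the 203.0.113.10 to 10.x.x.70 pair) and `show ip nat translations` (an entry mapping the LAN host to 203.0.113.10). The same limitation Gio describes applies: the partner cannot initiate sessions, because a dynamic PAT entry only exists after an inside host has sent traffic.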
