Cisco Support Community

New Member

VPN tunnel and NAT

I have a client that requires a L2L VPN tunnel to be established to secure FTP file transfers, but also doesn't allow private IP addresses to be sent over the VPN tunnel. I have an ASA 8.0.4 available to terminate the VPN tunnel, and my question is: can I terminate the VPN on the outside interface and still go through the NAT process so I can use the public NAT address of the FTP server to send over the VPN?

For instance, let's say I have the following configured.

interface gig 0/0
 nameif outside
 ip address 172.30.10.1 255.255.255.248

static (DMZ,Outside) X.X.136.20 192.168.1.20   <----- FTP server

The tunnel will terminate on 172.30.10.1, but I want to be able to use the X.X.136.20 IP address for the ACL in my crypto map. Possible?

Thanks.

1 ACCEPTED SOLUTION

Hall of Fame Super Blue

Re: VPN tunnel and NAT

Ryan.Bachman wrote:

I have a client that requires a L2L VPN tunnel to be established to secure FTP file transfers, but also doesn't allow private IP addresses to be sent over the VPN tunnel. I have an ASA 8.0.4 available to terminate the VPN tunnel, and my question is: can I terminate the VPN on the outside interface and still go through the NAT process so I can use the public NAT address of the FTP server to send over the VPN?

For instance, let's say I have the following configured.

interface gig 0/0
 nameif outside
 ip address 172.30.10.1 255.255.255.248

static (DMZ,Outside) X.X.136.20 192.168.1.20   <----- FTP server

The tunnel will terminate on 172.30.10.1, but I want to be able to use the X.X.136.20 IP address for the ACL in my crypto map. Possible?

Thanks.

Ryan

Yes, this is perfectly possible. The key thing to note is that in your crypto map access-list you must use the NATed address, i.e. x.x.136.20, and not the real address, i.e. 192.168.1.20.

Jon
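The configuration Jon describes, written out end to end as an added example; this is not from the thread or from Cisco documentation. The interface and static lines are the ones Ryan posted, and the ASA 8.0.x command syntax is standard, but the remote gateway 203.0.113.10, the remote FTP client 203.0.113.50, the ACL, transform-set and crypto map names, and the pre-shared key are constructed placeholders.

```cisco
! --- Interface from the thread; the tunnel terminates on 172.30.10.1 ---
interface GigabitEthernet0/0
 nameif outside
 ip address 172.30.10.1 255.255.255.248
!
! --- Static NAT for the FTP server: real 192.168.1.20 on DMZ appears as X.X.136.20 on outside ---
static (DMZ,outside) X.X.136.20 192.168.1.20 netmask 255.255.255.255
!
! --- Crypto ACL: must reference the TRANSLATED address.
! On 8.0.x the static translation is applied before the crypto map ACL is
! evaluated on the outside interface, so an ACL written with 192.168.1.20
! would never match and the FTP traffic would leave the outside interface in
! the clear instead of in the tunnel. The peer only ever sees X.X.136.20.
! 203.0.113.50 is a placeholder for the remote FTP client.
access-list L2L-FTP extended permit ip host X.X.136.20 host 203.0.113.50
!
! Do NOT add 192.168.1.20 -> 203.0.113.50 to a NAT-exemption ACL
! (nat (DMZ) 0 access-list ...). Exemption would bypass the static and put
! the private address into the tunnel, which is exactly what the client forbids.
!
! --- Phase 1 (ISAKMP) ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! --- Phase 2 (IPsec) bound to the outside interface ---
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L-FTP
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! --- Peer definition; 203.0.113.10 is a placeholder for the remote gateway ---
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key CHANGE-ME-PLACEHOLDER
!
! Decrypted tunnel traffic bypasses the outside interface ACL (on by default).
sysopt connection permit-vpn
```

The remote gateway's crypto ACL has to mirror this one, so it must list X.X.136.20 as the interesting destination, never 192.168.1.20. To confirm the order of operations before going live, run `packet-tracer input DMZ tcp 192.168.1.20 21 203.0.113.50 1025` and check that the NAT phase shows the xlate to X.X.136.20 and the VPN phase shows an encrypt action; afterwards `show xlate` should list the static entry and `show crypto ipsec sa` should show packet counters for the X.X.136.20/203.0.113.50 proxy identities climbing while transfers run. Because the ACL permits all IP between the two hosts, both the FTP control channel and the data connections that the default `inspect ftp` policy tracks are carried inside the tunnel.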

2 REPLIES
New Member

Re: VPN tunnel and NAT

Easy enough

Thanks for the prompt response.
