topic VPN encryption domain using private range in Network Security

VPN encryption domain using private range

Sunny Banks — Fri, 21 Feb 2020 17:39:19 GMT

Hello all,

I'm setting up a VPN with a 3rd party who have suggested the use of 172.16.8.0/26 as the encryption domain on my side of the tunnel (happy to do this to avoid wasting public IP's). There side of the encryption domain is 70.0.0.x/27. I am planning on using the 192.168.1.0/24 range for my internal network. A requirement from the 3rd party is that there are 11 IP's configured as static NAT. My question is how would I implement this config so the static NAT's are in place and that the rest of the interesting traffic uses PAT? Also, can I actually NAT private to private and if so where does my public IP (213.0.0.x) come into the equation?

I have added what I believe is correct but i'm obviously not entirely sure :-

access-list internet_1_cryptomap line 1 extended permit ip host 192.168.1.0 70.0.0.1 255.255.255.224

nat (inside,outside) source static 192.168.1.0 172.16.8.0 destination static 70.0.0.0 70.0.0.0

Re: VPN encryption domain using private range

Francesco Molino — Sun, 03 Nov 2019 03:38:39 GMT

Hi

The nat is correct because you're translating your original subnet to a xlated subnet and keep as is the destination.
However your acl should mention the xlated subnet to the destination subnet and here you're referring to the original source subnet.

Re: VPN encryption domain using private range

Sunny Banks — Mon, 04 Nov 2019 16:31:40 GMT

Francisco,

Thanks for the prompt reply. So something like this :-

access-list internet_1_cryptomap line 1 extended permit 172.16.8.0 255.255.255.192 70.0.0.0 255.255.255.224

nat (inside,outside) source static 192.168.1.0 172.16.8.0 destination static 70.0.0.0 70.0.0.0

Also, if i'm trying to configure some static 1-to-1 NAT's (and leave the rest for PAT) would this be correct :-

nat (inside,outside) source static 192.168.1.1 172.16.8.1 destination static 70.0.0.0 70.0.0.0

nat (inside,outside) source static 192.168.1.2 172.16.8.2 destination static 70.0.0.0 70.0.0.0

nat (inside,outside) source static 192.168.1.3 172.16.8.3 destination static 70.0.0.0 70.0.0.0

nat (inside,outside) source static 192.168.1.4 172.16.8.4 destination static 70.0.0.0 70.0.0.0

.................

nat (inside,outside) source static 192.168.1.10 172.16.8.10 destination static 70.0.0.0 70.0.0.0

nat (inside,outside) source static 192.168.1.0 172.16.8.0 destination static 70.0.0.0 70.0.0.0 <<<<<<<<<PAT for the rest

Thanks in advance. Your help is greatly appreciated.

Re: VPN encryption domain using private range

Francesco Molino — Tue, 05 Nov 2019 04:21:15 GMT

This should work.