ASA-8.4(3)-IPSec VPN

Anukalp S
Level 1

Hi,

We are planning to set up an IPSec L2L VPN tunnel with a client. Our client is running some internal networks (which they didn't disclose) and will NAT their internal networks to the X.X.X.X public IP. We also have an internal network, 10.50.101.0/24, and will NAT it to the Y.Y.Y.Y public IP to establish the tunnel.

I am confused about how, after setting up the tunnel, we could connect to their internal servers.

Suppose the client is running 10.100.110.0/24; will we be able to reach their internal IPs? How would packets reach the 10.100.110.0/24 segment, since we are trying to reach X.X.X.X?

Need your help please!

Accepted Solution

Hi,

If both endpoints are doing only Dynamic NAT/PAT towards each other, then the networks can't communicate with each other.

If you really need to be able to connect to the remote site servers through the L2L VPN connection, then they will need to configure NAT0 or Static Policy NAT for their servers so you will have some specific destination IP address to which to connect.

As I said already, if Dynamic NAT/PAT is the only NAT done on the remote site towards your site, then you WON'T be able to connect to their servers.

When you are configuring the ACL for the L2L VPN, always configure it to match the NATed address for both the source and destination networks.

  • If you use NAT0 on your side, then you specify the real local networks as the source in the L2L VPN ACL.
  • If you use Static Policy NAT on your side, then you specify the NATed address/network as the source in the L2L VPN ACL.
  • If you use Dynamic NAT/PAT or Dynamic Policy NAT/PAT on your side, then you specify the NATed address/network as the source in the L2L VPN ACL.

The destination IP addresses/networks are naturally defined by the remote end. If they do NAT0, then you use their real networks as your destination address/network in the L2L VPN ACL. If they NAT their networks towards the L2L VPN connection, then you naturally use those NAT IP addresses.

Hope this helps.

Please do remember to mark the reply as the correct answer if it answered your question.

Naturally ask more if you still have questions.

- Jouni

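As an added illustration (not configuration from the thread or from Jouni), the three NAT cases above translated into ASA 8.4 NAT and crypto ACL syntax for the asker's side. Object names, the crypto map name, the transform set and the peer placeholder are assumptions; X.X.X.X and Y.Y.Y.Y are the thread's placeholders and 10.100.110.0/24 is the hypothetical remote network from the question.

```cisco
! Real and translated addresses (placeholders as used in the thread)
object network LOCAL-REAL
 subnet 10.50.101.0 255.255.255.0
object network LOCAL-NAT
 host Y.Y.Y.Y
object network REMOTE-NAT
 host X.X.X.X
object network REMOTE-REAL
 subnet 10.100.110.0 255.255.255.0

! Option A: Dynamic Policy PAT of 10.50.101.0/24 to Y.Y.Y.Y, only for
! traffic going to the remote NAT address. The crypto ACL must then match
! the translated source (Y.Y.Y.Y), not 10.50.101.0/24. Note that PAT is
! one-way: the remote side cannot initiate connections to your hosts.
nat (inside,outside) source dynamic LOCAL-REAL LOCAL-NAT destination static REMOTE-NAT REMOTE-NAT
access-list L2L-VPN-NATED extended permit ip object LOCAL-NAT object REMOTE-NAT

! Option B: NAT0 (identity NAT) for VPN traffic. The crypto ACL matches
! the real networks on both ends, so the remote side must also exempt
! (or statically NAT) its servers for you to reach them by a fixed address.
nat (inside,outside) source static LOCAL-REAL LOCAL-REAL destination static REMOTE-REAL REMOTE-REAL no-proxy-arp route-lookup
access-list L2L-VPN-NAT0 extended permit ip object LOCAL-REAL object REMOTE-REAL

! Pick ONE of the two ACLs above for the crypto map; both are shown only
! for comparison. REMOTE-PEER-IP is a placeholder for the peer's address.
crypto map OUTSIDE_MAP 10 match address L2L-VPN-NATED
crypto map OUTSIDE_MAP 10 set peer REMOTE-PEER-IP
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
```

The key check after bringing the tunnel up is that the source/destination pairs shown by `show crypto ipsec sa` are exactly the addresses in the crypto ACL; a mismatch between the NAT rule and the ACL is the usual reason a tunnel negotiates but carries no traffic.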

4 Replies

Jouni Forss
VIP Alumni

Hi,

If the remote end is going to do Dynamic PAT for all the internal networks towards your site, then there is no possibility for you to initiate connections to their servers.

They will either have to configure Static Policy NAT or NAT0 so that you can reach their internal servers.

- Jouni

Hi Jouni,

I think they are doing dynamic NAT, since they have whole internal segments, not specific IPs. And we are also doing dynamic NAT at our end. So in this case connectivity would not happen between the internal networks? Please explain.

Also, if they do NAT 0, then would the source be the client's internal network and the destination my internal network, or the public IP (Y.Y.Y.Y) to which I am NATting my internal networks? Need your help on this please.


Thanks for your info, Jouni.
