
Help Setting up NAT - Cisco ASA with IPSEC/VTI VPN with Vendor

MattMH
Level 1

I am not sure if this is possible, but I can't get it to work.

We recently set up an IPSEC/VTI VPN with 'vendor A'. That tunnel and VTI interface are up. Routes are being exchanged via BGP. The VPN was set up on a Cisco ASA. The ASA has 2 VPNs to 'vendor A' (in the AWS cloud).

The vendor source network is 10.223.4.0/24. My infrastructure is simply a conduit between Vendor A and Vendor B.

Vendor B has an IP address that Vendor A needs to connect to at 172.16.31.82.

However, 172.16.31.82 conflicts with Vendor A's network.

Vendor A's traffic is incoming on a tunnel interface and outgoing traffic routes to inside interface.

I was trying to NAT 172.16.31.82 to 172.16.255.254 and advertise 172.16.255.254 to vendor A. When they come across the VPN attempting to connect to 172.16.255.254, the ASA NATs it to 172.16.31.82. However, I can't apply NAT commands to a VTI interface. Also, I only want the NAT to be applied to vendor A. I can't have anything else on my network hit that NAT rule.

Is this possible?

2 Replies

Can you share a simple drawing?

Thanks 

MHM

@MattMH you cannot apply a NAT to a tunnel nameif, you'd have to use "any" in the NAT rule instead.
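An added configuration sketch of the approach the reply above describes (not part of either reply, and not tested against this ASA): a twice-NAT rule that uses "any" as the mapped interface and a destination clause so that only vendor A's 10.223.4.0/24 traffic matches. The object names are hypothetical, the interface name `inside` is assumed from the post, and the addresses are the ones given in the question.

```cisco
! Constructed example; object names are hypothetical, addresses are from the post.
object network VENDOR-B-REAL
 host 172.16.31.82
object network VENDOR-B-MAPPED
 host 172.16.255.254
object network VENDOR-A-SRC
 subnet 10.223.4.0 255.255.255.0
!
! Twice NAT: real interface "inside", mapped interface "any"
! (a VTI nameif is not accepted in the NAT rule).
! The destination clause pins the translation to flows whose peer is
! 10.223.4.0/24, so no other host on the network matches this rule.
nat (inside,any) source static VENDOR-B-REAL VENDOR-B-MAPPED destination static VENDOR-A-SRC VENDOR-A-SRC
!
! Confirm the rule is hit and the translation exists:
! show nat detail
! show xlate
```

Because the mapped interface is "any", the destination match on vendor A's source network is what keeps the rule from applying to other traffic; check the translate/untranslate hit counters after vendor A tests.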
