Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2055
Views
0
Helpful
2
Replies

NAT inside Site-to-Site VPN Tunnel

Go to solution
YECA911ORG
Level 1
Level 1

‎03-11-2010 02:07 PM - edited ‎03-11-2019 10:20 AM

I have to implement a site-to-site tunnel over an existing WAN link.  One of the routers currently NATs addresses from one LAN to the other (see diagram).

Firewall 2 does not yet exist - I plan on deploying it to accomplish the tunnel from Firewall 1 - to - Firewall 2.

Can I deploy Firewall 2, creating a VPN tunnel from Firewall 1 to Firewall 2, leaving the NAT functions (static, one-to-one) on Router 1, or would I need to perhaps have Firewall 2 do the NAT.

I am not sure if NAT can take place within a tunnel, and I suspect that it cannot.

Thank you in advance.

Drawing1.jpg

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-11-2010 03:13 PM 

YECA911ORG wrote:
I have to implement a site-to-site tunnel over an existing WAN link.  One of the routers currently NATs addresses from one LAN to the other (see diagram).
Firewall 2 does not yet exist - I plan on deploying it to accomplish the tunnel from Firewall 1 - to - Firewall 2.
Can I deploy Firewall 2, creating a VPN tunnel from Firewall 1 to Firewall 2, leaving the NAT functions (static, one-to-one) on Router 1, or would I need to perhaps have Firewall 2 do the NAT.
I am not sure if NAT can take place within a tunnel, and I suspect that it cannot.
Thank you in advance.

Mike

If you are Natting the LAN addresses then yes you will need to do it on the firewalls because the IP header will not be available to the routers ie. the IP header available to the routers will have the source and dest IPs of the firewalls and not the LAN machines.

Jon

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-11-2010 03:13 PM 

YECA911ORG wrote:
I have to implement a site-to-site tunnel over an existing WAN link.  One of the routers currently NATs addresses from one LAN to the other (see diagram).
Firewall 2 does not yet exist - I plan on deploying it to accomplish the tunnel from Firewall 1 - to - Firewall 2.
Can I deploy Firewall 2, creating a VPN tunnel from Firewall 1 to Firewall 2, leaving the NAT functions (static, one-to-one) on Router 1, or would I need to perhaps have Firewall 2 do the NAT.
I am not sure if NAT can take place within a tunnel, and I suspect that it cannot.
Thank you in advance.

Mike

If you are Natting the LAN addresses then yes you will need to do it on the firewalls because the IP header will not be available to the routers ie. the IP header available to the routers will have the source and dest IPs of the firewalls and not the LAN machines.

Jon

0 Helpful

Go to solution
YECA911ORG
Level 1
Level 1
In response to Jon Marshall

‎03-11-2010 03:40 PM

Thank you for the quick reply!

-MB

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card