Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
978
Views
10
Helpful
7
Replies

Site to site vpn

Go to solution
prashantrecon
Level 1
Level 1

‎01-19-2012 02:18 AM - edited ‎03-11-2019 03:16 PM

Hi All,

I have a queery using site to site vpn.

While configuring site to site vpn we make us NAT 0 (for interseting trafiic).

Let say My lan ip is 10.10.10.10 and is patted with 202.17.22.17.

And outside interface ip of firewall is 202.17.22.35.

I have created site to site vpn and mentioned 10.10.10.0 range in interseting traffic.

and far end interseting raffic is 192.168.10.0 range.

so when i run packet tracer command with inside as 10.10.10.10 and 192.168.10.4 as far end ip

In nat rules which ip it should display .

What is the exact use of NAT 0 in site to site tunnel

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to prashantrecon

‎01-19-2012 10:48 PM

Hello Prashant,

That is a different scenario, if both are the same you will need to do a policy nat so you can nat the host when they go to the other site.That would be all you need.

Regards,

Julio!

Do rate all post that help!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
7 Replies 7

Go to solution
ajay chauhan
Level 7
Level 7

‎01-19-2012 02:50 AM

Hi Prashant,

There are two things - NAT 0 and Policy NAT if i understood you correctly.

Lets say one end subnet 10.x.x.x.x Far end 192.x.x.x - and 10.x.x.x subnet also want to access internet so pat global (outside) or static nat will be there . In nat process nat 0 is processed frist so while commmunicating with 192.x.x.x packet should not get nattted . Here nat 0 works .

2nd policy nat which is just to change the identity for ex - overlapping of network so ofcourse nat should be on .

When you are using policy nat then nat0 should not be used .In packet tracer it will give you policy nat rules on step -NAT.

Thanks

Ajay

Go to solution
prashantrecon
Level 1
Level 1
In response to ajay chauhan

‎01-19-2012 08:03 PM

So let say if i donot use NAT 0 in interseting traffic .Does  it efect the site to site vpn.

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to prashantrecon

‎01-19-2012 08:31 PM

Hello Prashant,

The thing with nat 0 with ACL is that does not generate or create an XLATE table..

I am not sure what you mean by this:

donot use NAT 0 in interseting traffi?

Of course, it affects as VPN traffic does not need to be natted when it goes to the other site unless you have overlapping networks.

Without it, it will get natted and the whole purpose of the VPN will be missed!!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Go to solution
prashantrecon
Level 1
Level 1
In response to Julio Carvajal

‎01-19-2012 08:48 PM

Thank you.

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to prashantrecon

‎01-19-2012 09:03 PM

Hello Prashant,

Is there anything else we could do for you??

If not please mark the question as answered so future users can learn from this question.

Regards.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
prashantrecon
Level 1
Level 1
In response to Julio Carvajal

‎01-19-2012 10:11 PM

Hi Jcarvaja,

If the lan ip of the both sides are of same range and i have static nat does vpn works ?

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to prashantrecon

‎01-19-2012 10:48 PM

Hello Prashant,

That is a different scenario, if both are the same you will need to do a policy nat so you can nat the host when they go to the other site.That would be all you need.

Regards,

Julio!

Do rate all post that help!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card