NAT behind VPN

hsnanua2011
Level 1

Dear all,

I have a small Q,

In this scenario, we have a customer. The customer does not want any private IP addresses sent over through the IPsec VPN. That is a problem, as all the servers have private IPs, like 10.x.x.x.

A small illustration:

(LAN)------------------>VPN router---------------------->customer VPN router

My proposal is that I introduce a router between the LAN network and my VPN router to do the NAT, converting the private IP addresses into public IP addresses and then sending them over the VPN.

(LAN)----------->NAT router----------->VPN router-------------->customer VPN router

Would this be possible?

Thanks

4 Replies

Jon Marshall
Hall of Fame

Why not just do the NAT on the VPN router at your end?

Jon

hsnanua2011
Level 1

Hi,

I am not allowed to play with the VPN ASA router.

Well, it seems a bit expensive just to buy a router for NAT when you have a perfectly good ASA, but yes you use a router for that function. You could do the NATting there.

Couple of things -

1) the public IPs you use cannot be part of a subnet that you have actually assigned to a physical interface on the ASA, i.e. you would need a separate subnet.

2) you would then have a route on the ASA router for this public IP subnet pointing to the outside interface of the router.

So even with a router you still need to make a modification to the ASA device. Personally I would just get whoever is allowed to play with the ASA to do the NAT on there. What you are proposing just adds unnecessary complication.

Jon

Hi Jon,

I managed to get access to the ASA, and now I shall use NAT on the ASA.

So, the diagram would be

Inside network ------------------->ASA-----------------------------------------VPN---------------------->Customer router

     10.x.x.x-----------------------> NAT (6.7.x.x)--------------------------------------------------------->

So, basically, I shall NAT my 10.x.x.x network IP into a public IP address (say, 6.7.x.x) before sending it over on the VPN.

This is quite simple right? Anything I need to be aware of?

Thanks!
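
A sketch of the ASA-side NAT described in this thread, as an added example that is not part of the original posts. It assumes ASA 8.3 or later syntax; every object name, the crypto map name and sequence number, the interface names and all addresses (RFC 5737 documentation ranges standing in for the real public subnet and the customer network) are constructed. The point to check is that the crypto ACL matches the translated source, because the ASA applies NAT before it selects traffic for the tunnel.

```cisco
! --- Constructed example, ASA 8.3+ syntax assumed ---
! Real inside servers (private addressing the customer must never see)
object network INSIDE-SERVERS
 subnet 10.1.1.0 255.255.255.0
!
! Public subnet used only for translation. Per the advice in the thread,
! it must not overlap a subnet assigned to an ASA interface.
object network VPN-NAT-RANGE
 subnet 203.0.113.0 255.255.255.0
!
! Customer network reached through the tunnel
object network CUSTOMER-NET
 subnet 198.51.100.0 255.255.255.0
!
! Policy (twice) NAT: translate 10.1.1.x to 203.0.113.x one-to-one, but only
! when the destination is the customer network. Other traffic keeps its
! existing NAT rules. Both subnets must be the same size for a static map.
nat (inside,outside) source static INSIDE-SERVERS VPN-NAT-RANGE destination static CUSTOMER-NET CUSTOMER-NET
!
! WRONG: interesting traffic defined on the pre-NAT source. Translated
! packets never match it, so they are not placed in the tunnel.
! access-list VPN-TO-CUSTOMER extended permit ip object INSIDE-SERVERS object CUSTOMER-NET
!
! RIGHT: interesting traffic defined on the post-NAT source.
access-list VPN-TO-CUSTOMER extended permit ip object VPN-NAT-RANGE object CUSTOMER-NET
crypto map OUTSIDE-MAP 10 match address VPN-TO-CUSTOMER
!
! Verify after sending test traffic from an inside server:
!   show xlate                 (10.1.1.x mapped to 203.0.113.x)
!   show crypto ipsec sa       (local ident shows 203.0.113.0, not 10.1.1.0)
!   packet-tracer input inside tcp 10.1.1.10 12345 198.51.100.10 443
```

The customer side has to mirror the same selectors, with the translated subnet as the remote network, and any existing NAT exemption for this tunnel that still references the 10.x.x.x source needs to be removed or ordered after the rule above.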