NAT configuration for servers which act as both initiator & responder

Aaida
Level 1

Hi,

I have the below scenario.

1. I have one internal server a.a.a.a which has a NATed IP b.b.b.b.

2. The internal server connects to an outside server c.c.c.c over an IPsec VPN.

3. The outside server c.c.c.c will also initiate traffic to the inside server's NAT IP b.b.b.b, which means both sides initiate traffic. Please note that I am not talking about the reverse traffic of the same session.

Now my question is whether I need to put two NAT rules, one to translate inbound traffic and the other to translate outbound traffic. Is that required, or will one NAT rule serve the purpose?

20 Replies

a.a.a.a is our internal server which should be NATed to b.b.b.b before sending to the third-party network. Hence the third party only knows the NATed IP. Their c.c.c.c also initiates traffic to our b.b.b.b over the VPN. Hence when it comes to our router, after decryption the destination of the packet should be NATed to our original internal IP. Since this traffic is not a reverse packet of an already initiated internal session, I got confused whether I need to put one more NAT rule for inbound traffic. Hope this is clear.

Yes, it is clear. I want to be sure:
so is b.b.b.b the IP of an interface that does not have the IPsec crypto map configured under it?

I am sorry, the question was not that clear. b.b.b.b is an IP assigned particularly for NATing purposes, and the same will be configured in the crypto map as well.

This will not work, sorry, as far as I know.
But I will try it in the lab today; still, 75% it will not work.
The traffic hits the ACL, then NATing, then is sent to the peer; the other router sees a different IP than the ACL of the VPN policy and will not decrypt the data.
Thanks
MHM

Hello


@Aaida wrote:

Now my question is whether i need to put two NAT rules, one to translate for inbound traffic and other to translate for outbound traffic. is that required. or one NAT rule will serve the purpose?


No you don't; just the one static NAT (not PAT) statement will allow you to initiate both egress and ingress connections towards the inside-global NAT IP address.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
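The behaviour Paul describes (one static NAT entry serving both directions of initiation) and MHM's worry about the crypto ACL seeing a different address, modelled as an added Python simulation; this is not code from the thread or from Cisco. It assumes the IOS-style order of operations in which inside-to-outside NAT happens before the crypto-map match and decryption happens before outside-to-inside NAT, uses the thread's placeholder addresses a.a.a.a, b.b.b.b and c.c.c.c, and the class and function names are hypothetical.

```python
"""Constructed model of the NAT + IPsec packet path discussed in this thread.

Not router code: it simulates one static NAT binding a.a.a.a <-> b.b.b.b and a
crypto ACL permitting b.b.b.b <-> c.c.c.c (placeholder addresses from the thread),
assuming IOS-style ordering: inside-to-outside NAT before the crypto-map check,
and decryption before outside-to-inside NAT.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

INSIDE_LOCAL = "a.a.a.a"   # real server address (placeholder)
INSIDE_GLOBAL = "b.b.b.b"  # NATed address the third party knows (placeholder)
PEER = "c.c.c.c"           # remote server behind the IPsec peer (placeholder)

Acl = Set[Tuple[str, str]]  # permitted (src, dst) pairs, written in post-NAT terms


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    encrypted: bool = False


class StaticNat:
    """Models a single static inside-source NAT entry: a permanent,
    bidirectional binding that exists whether or not any session has started."""

    def __init__(self, local: str, global_: str) -> None:
        self.local, self.global_ = local, global_

    def inside_to_outside(self, pkt: Packet) -> Packet:
        return replace(pkt, src=self.global_) if pkt.src == self.local else pkt

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        return replace(pkt, dst=self.local) if pkt.dst == self.global_ else pkt


class DynamicPat:
    """Models overload/PAT: a translation entry is created only when an inside
    host sends first, so peer-initiated traffic finds nothing to match."""

    def __init__(self, global_: str) -> None:
        self.global_ = global_
        self.sessions: Dict[str, str] = {}  # global -> local, filled on outbound only

    def inside_to_outside(self, pkt: Packet) -> Packet:
        self.sessions[self.global_] = pkt.src
        return replace(pkt, src=self.global_)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        local = self.sessions.get(pkt.dst)
        return replace(pkt, dst=local) if local else None  # no entry: dropped


def send_outbound(pkt: Packet, nat, acl: Acl) -> Packet:
    """Inside -> outside: translate the source first, then test the crypto ACL.
    A miss means the packet leaves in the clear, which is the failure mode
    when the ACL is written with the pre-NAT address."""
    translated = nat.inside_to_outside(pkt)
    if (translated.src, translated.dst) in acl:
        return replace(translated, encrypted=True)
    return translated


def receive_inbound(pkt: Packet, nat, acl: Acl) -> Optional[Packet]:
    """Outside -> inside: decrypt against the mirrored ACL, then translate the
    destination with whatever NAT entry exists at that moment."""
    if not pkt.encrypted or (pkt.dst, pkt.src) not in acl:
        return None  # not protected by the tunnel policy: dropped
    return nat.outside_to_inside(replace(pkt, encrypted=False))


def run_scenarios() -> Dict[str, Optional[Packet]]:
    acl_post_nat = {(INSIDE_GLOBAL, PEER)}   # crypto ACL names b.b.b.b, as the OP has
    acl_pre_nat = {(INSIDE_LOCAL, PEER)}     # mistaken crypto ACL naming a.a.a.a
    static = StaticNat(INSIDE_LOCAL, INSIDE_GLOBAL)
    pat = DynamicPat(INSIDE_GLOBAL)
    peer_initiated = Packet(PEER, INSIDE_GLOBAL, encrypted=True)
    return {
        # our server initiates: NATed to b.b.b.b and encrypted via the one static entry
        "outbound_static": send_outbound(Packet(INSIDE_LOCAL, PEER), static, acl_post_nat),
        # peer initiates with no prior session: the same static entry maps b.b.b.b back
        "inbound_static": receive_inbound(peer_initiated, static, acl_post_nat),
        # the same peer-initiated packet against PAT: no entry yet, so it is dropped
        "inbound_pat": receive_inbound(peer_initiated, pat, acl_post_nat),
        # crypto ACL written with a.a.a.a: the post-NAT header never matches, leaves unencrypted
        "outbound_wrong_acl": send_outbound(Packet(INSIDE_LOCAL, PEER), static, acl_pre_nat),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Running it shows the static binding translating a peer-initiated packet that has no prior session, the PAT table dropping that same packet, and a crypto ACL written with the pre-NAT address letting the outbound packet leave unencrypted. That last case is the one to check on the router: the crypto ACL must reference the NATed b.b.b.b, as the OP says it does, and a single static entry then covers both initiation directions.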

EdsonZ
Level 1

If possible please share your network design.