IPSEC VPN ACL & NAT-T

Mokhalil82
Level 4

Hi

I am configuring an IPsec VPN on the ASA and I am a little unsure about the VPN ACL and would appreciate some advice.

This is a site-to-site VPN to a 3rd party and we will be accessing their systems. We both have clashing internal IPs, so we have decided to NAT our IPs behind a single address, and the 3rd party will do the same.

My questions are:

1) On the VPN ACL, is the source going to be my internal addresses or the NATted address?

2) Would I require NAT-T to remain enabled, as the traffic will also be NATted at the destination because the 3rd party will be hiding their internal addresses behind a NAT address?

Thanks

Accepted Solution

Hi,
Your VPN ACL would reference the NATted IP address(es), as this is what the 3rd-party peer would expect to see traffic from and what the SAs will be built using. You would define a NAT exemption rule to translate from original source to translated source...

What type of traffic is expected to be sent over the tunnel? Are you just accessing 3rd-party resources?
You might need to define a lot of static 1-to-1 NAT rules, rather than hide NAT behind 1 IP address.

HTH


Replies

We are just accessing 3 resources over HTTPS, SSH and RDP using the same destination IP. The 3rd party will do NAT translations based on the destination port number we are using; their NAT will translate to the specific internal IP address.

So the idea is that we are coming from a single source IP on various source ports, to a single destination on certain destination ports (443, 22, 3389). The 3rd party will translate the destination based on the destination port we are using. From our source perspective, we are hiding the internal user IPs behind a single address.
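The ASA configuration below puts the accepted solution and the follow-up above together: our internal range is hidden behind one address with a policy (twice) NAT rule that only fires for traffic bound for the partner's hide address, and the crypto ACL is written in terms of the translated addresses, because on the ASA outbound NAT is applied before the packet is matched against the crypto map. This is an added example, not the original poster's or the answerer's configuration. Every address, object name, peer IP, IKE/IPsec parameter and pre-shared key is an assumption (addresses are taken from the documentation ranges) and must be replaced with the values agreed with the partner; the NAT syntax is that of ASA 8.3 and later. The example also goes one step beyond the thread by restricting the inside interface ACL to the three agreed ports, and by leaving NAT-T at its default: NAT-T is negotiated only when a NAT device is detected between the two IKE peers' public addresses, so the inside policy NAT shown here has no bearing on it.

```cisco
! ---- Objects (assumed names and documentation-range addresses) ----
object network LOCAL-LAN
 subnet 10.1.0.0 255.255.0.0
 description Our real internal range (overlaps with the partner's)
object network LOCAL-VPN-HIDE
 host 192.0.2.10
 description The single address we present to the partner
object network PARTNER-VPN-HIDE
 host 198.51.100.20
 description The single address the partner presents to us
object-group service PARTNER-SVC tcp
 description Ports the partner maps to its internal hosts
 port-object eq 443
 port-object eq 22
 port-object eq 3389

! ---- Policy (twice) NAT: inside hosts are PATed to LOCAL-VPN-HIDE only when
!      the destination is the partner's hide address. Twice NAT rules are
!      evaluated in order, so this is placed at line 1, ahead of any broader
!      dynamic PAT rule used for Internet access.
nat (inside,outside) 1 source dynamic LOCAL-LAN LOCAL-VPN-HIDE destination static PARTNER-VPN-HIDE PARTNER-VPN-HIDE

! ---- Crypto ACL: uses the TRANSLATED addresses. These are the selectors the
!      IPsec SA is built from and what the partner expects to see.
access-list VPN-TO-PARTNER extended permit ip host 192.0.2.10 host 198.51.100.20

! ---- Inside interface ACL (illustrative; merge with existing rules). The
!      partner maps each destination port to a different internal host, so
!      only the three agreed ports are allowed toward its hide address.
access-list INSIDE-IN extended permit tcp object LOCAL-LAN object PARTNER-VPN-HIDE object-group PARTNER-SVC
access-list INSIDE-IN extended deny ip any object PARTNER-VPN-HIDE
access-list INSIDE-IN extended permit ip object LOCAL-LAN any
access-group INSIDE-IN in interface inside

! ---- IKEv2 / IPsec (assumed parameters; agree them with the partner) ----
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map OUTSIDE-MAP 10 match address VPN-TO-PARTNER
crypto map OUTSIDE-MAP 10 set peer 203.0.113.5
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 10 set pfs group19
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-PARTNER-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-LOCAL-PSK

! ---- NAT-T: ASA default (enabled, keepalive 20 s). It is only used if a NAT
!      device sits between the two peers' public addresses; the policy NAT
!      above translates the inside traffic before encryption and does not
!      trigger NAT-T by itself.
crypto isakmp nat-traversal 20

! ---- Verification ----
! packet-tracer input inside tcp 10.1.5.20 40000 198.51.100.20 443
!     expect a NAT phase translating the source to 192.0.2.10 and a VPN
!     (encrypt) phase matching VPN-TO-PARTNER
! show nat detail          hit count on the policy NAT rule should increase
! show crypto ikev2 sa     IKE SA with the partner peer
! show crypto ipsec sa     local ident 192.0.2.10/32, remote ident 198.51.100.20/32
```

If the partner later asks for per-user accountability, the accepted solution's alternative applies: replace the single `source dynamic` rule with `source static` 1-to-1 mappings into a small translated block, and widen the crypto ACL to that block.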