01-20-2020 07:35 AM
Hello,
We have site-to-site VPN connectivity with one of our partners, and we are trying to leverage the access further, as per the details below:
1.) When Remote A users want to access the Remote B servers, the traffic will be source-NATed at Remote A
2.) When Remote A servers want to access the Remote B servers, there will be no NAT
3.) When Remote B users want to access the Remote A servers, the traffic will be source-NATed at Remote B
4.) When Remote B servers want to access the Remote A servers, there will be no NAT
My main query is this:
In the encryption domain ACL at remote site A, I have to allow access to the same remote-site subnets from both my no-NAT server IPs and the source-NATed public IP, in the same ED ACL.
Will it cause any issues, or will it work?
Ex: (ED ACL)
ip access-list extended test
 remark Server-to-server communication (no-NAT traffic)
 10 permit ip 10.10.0.0 0.0.0.255 192.0.0.0 0.0.255.255
 remark User-to-server communication (source-NATed traffic, post-NAT address)
 20 permit ip host 200.10.1.1 192.0.0.0 0.0.255.255
01-20-2020 08:01 AM
01-20-2020 10:41 AM
I have 4 subnets at Remote A:
10.10.0.0/16 - Server
10.20.0.0/16 - Server
172.12.0.0/24 - User subnet
172.18.0.0/24 - User subnet
Remote B subnet:
192.0.0.0/16
Consider that my route and NAT statements at Remote A are as follows:
Note: the Remote A and Remote B subnets do not overlap.
ip route 192.0.0.0 255.255.0.0 VPN Gateway
!
ip access-list extended NAT_ACL
 permit ip 172.12.0.0 0.0.0.255 192.0.0.0 0.0.255.255
 permit ip 172.18.0.0 0.0.0.255 192.0.0.0 0.0.255.255
!
ip nat pool NAT_IP 200.10.1.1 200.10.1.1 prefix-length xx
ip nat inside source list NAT_ACL pool NAT_IP vrf HHBP overload
!
ip access-list extended test
 remark Server-to-server communication (no-NAT traffic); 0.0.255.255 matches the /16 server subnets
 10 permit ip 10.10.0.0 0.0.255.255 192.0.0.0 0.0.255.255
 15 permit ip 10.20.0.0 0.0.255.255 192.0.0.0 0.0.255.255
 remark User-to-server communication (source-NATed traffic, post-NAT address)
 20 permit ip host 200.10.1.1 192.0.0.0 0.0.255.255
 remark Access from Remote B users (source-NATed to 89.11.1.1 at the Remote B end)
 remark Crypto ACL entries are written local source -> remote destination; decrypted inbound traffic is matched against the mirror
 25 permit ip 10.10.0.0 0.0.255.255 host 89.11.1.1
 26 permit ip 10.20.0.0 0.0.255.255 host 89.11.1.1
I would like to know whether there will be any issue/impact in implementing the above scenario, because I am not using a NAT exemption statement, only doing policy NAT for certain traffic and leaving all other traffic plain without NAT. Will this create any issue for the site-to-site VPN tunnel?
Also, will using the same subnet (192.0.0.0/16) for both NAT and no-NAT entries in the encryption domain ACL create any issue?
Please share your thoughts.
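The question above turns on order of operations, so here is an added example (not part of the original post) that models how IOS evaluates the posted design: on the inside-to-outside path, `ip nat inside source` translation runs before the crypto map is consulted, so the ED ACL sees 200.10.1.1 for user traffic and the untranslated server address for everything the NAT ACL does not cover; on the outside-to-inside path, decrypted traffic is checked against the mirror image of the ED ACL before NAT untranslates the pool address. The addresses are the ones in the post; the 0.0.255.255 wildcards for the /16 server subnets and the Remote B user entry written as local servers -> host 89.11.1.1 are assumptions, as is the flow 172.30.0.1 -> 192.0.1.10 used to show what happens to a subnet covered by neither ACL.

```python
"""Added example (not from the original post): a model of Cisco IOS order of
operations for the posted site-to-site design.  NAT inside->outside runs before
the crypto ACL check; decrypted inbound traffic is matched against the mirror
of the ED ACL, then NAT outside->inside untranslates the pool address.
Assumptions: ED wildcards 0.0.255.255 for the /16 server subnets, and the
Remote B user entry written local source -> remote destination."""
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Each ACE: (sequence, src_net, src_wildcard, dst_net, dst_wildcard)
ACE = Tuple[int, str, str, str, str]

NAT_POOL_IP = "200.10.1.1"                       # ip nat pool NAT_IP
NAT_ACL: List[ACE] = [                           # ip access-list extended NAT_ACL
    (10, "172.12.0.0", "0.0.0.255", "192.0.0.0", "0.0.255.255"),
    (20, "172.18.0.0", "0.0.0.255", "192.0.0.0", "0.0.255.255"),
]
ED_ACL: List[ACE] = [                            # ip access-list extended test
    (10, "10.10.0.0", "0.0.255.255", "192.0.0.0", "0.0.255.255"),  # servers, no NAT
    (15, "10.20.0.0", "0.0.255.255", "192.0.0.0", "0.0.255.255"),  # servers, no NAT
    (20, "200.10.1.1", "0.0.0.0", "192.0.0.0", "0.0.255.255"),     # users, post-NAT
    (25, "10.10.0.0", "0.0.255.255", "89.11.1.1", "0.0.0.0"),      # A servers <-> NATed B users
    (26, "10.20.0.0", "0.0.255.255", "89.11.1.1", "0.0.0.0"),
]
# Same intent written remote-to-local, for comparison (assumed, never matches).
REMOTE_TO_LOCAL_ENTRY: ACE = (25, "192.0.0.0", "0.0.255.255", "89.11.1.1", "0.0.0.0")


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)


def acl_match(acl: List[ACE], src: str, dst: str) -> Optional[int]:
    """First-match lookup; returns the matching sequence number, None = implicit deny."""
    for seq, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return seq
    return None


def inside_to_outside(src: str, dst: str, ed_acl: List[ACE] = ED_ACL) -> Tuple[str, str]:
    """Inside->outside: policy NAT first, then the crypto ACL sees the translated packet.
    Returns (source address on the wire, 'encrypted' or 'cleartext').  'cleartext' is
    the leak case: the static route still forwards the packet toward the VPN gateway."""
    wire_src = NAT_POOL_IP if acl_match(NAT_ACL, src, dst) is not None else src
    protected = acl_match(ed_acl, wire_src, dst) is not None
    return wire_src, "encrypted" if protected else "cleartext"


def mirror_accepts(ed_acl: List[ACE], src: str, dst: str) -> bool:
    """Outside->inside: a decrypted packet must match the ED ACL with src/dst swapped
    (the peer's mirror) before NAT outside->inside untranslates 200.10.1.1."""
    return acl_match(ed_acl, dst, src) is not None


if __name__ == "__main__":
    # Constructed sample flows for the design in the post.
    for s, d in [("172.12.0.5", "192.0.1.10"),   # A user -> B server: NAT, then encrypt
                 ("10.10.5.5", "192.0.1.10"),    # A server -> B server: no NAT, encrypt
                 ("10.10.5.5", "89.11.1.1"),     # A server replying to a NATed B user
                 ("172.30.0.1", "192.0.1.10")]:  # subnet in neither ACL: leaves in clear
        print(f"{s} -> {d}: {inside_to_outside(s, d)}")
    print("B user 89.11.1.1 -> 10.10.5.5 accepted:",
          mirror_accepts(ED_ACL, "89.11.1.1", "10.10.5.5"))
    print("same flow against a remote-to-local entry:",
          mirror_accepts([REMOTE_TO_LOCAL_ENTRY], "89.11.1.1", "10.10.5.5"))
```

Two things the model makes visible: mixing translated and untranslated sources toward the same 192.0.0.0/16 destination is fine because each ED entry is matched against the packet as it exists after NAT, and `ip nat inside source list` only touches flows the NAT ACL permits, so the server subnets need no exemption as long as the NAT ACL is never widened to include them. The peer at Remote B must carry the exact mirror image of this ED ACL (192.0.0.0/16 -> 10.10.0.0/16, 10.20.0.0/16 and host 200.10.1.1; host 89.11.1.1 -> the two server subnets), and any internal subnet that reaches the VPN gateway route without an ED entry is forwarded in the clear rather than dropped.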