Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
892
Views
0
Helpful
3
Replies

Can VPN endpoint also be the PAT address for Interesting traffic over a VPN S2S Tunnel?

edward.mcnicholas
Level 1
Level 1

‎01-12-2011 09:23 AM

On a ASA lets say my outside interface is 15.15.15.15. I am using this interface to PAT all my outbound traffic on the outside interface. I am also using this interface as a site to site VPN endpoint(peer). My internal network is 10.10.10.0/24. I am being asked to translate my internal private IP address to a Public IP address before routing over the site to site VPN tunnel. Will the PAT I have setup on my outside interface(15.15.15.15) work over the VPN tunnel even though this interface address is also being used as the VPN PEER address.

So I am asking if I can translate my internal 10.10.10.0/24 addresses to 15.15.15.15. Setup my VPN tunnel on the Outside interface which uses the 15.15.15.15 address as the local peer. Setup my interesting traffic using a source address of 15.15.15.15 to whatever destination.

I did give this a shot but it did not work. I am not sure if it was because this configuration is not acceptable, or if I screwed something else up.

Labels:
0 Helpful
3 Replies 3

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎01-12-2011 09:31 AM

Hi Edward,

It should work fine.

You can use the outside IP to PAT the VPN traffic.

If you tried it and didn't work check that the translations are being build for the VPN traffic and that you have configured the VPN traffic to use the PAT address.

Federico.

0 Helpful

Gustavo Medina
Cisco Employee
Cisco Employee

‎01-12-2011 09:37 AM

Hello Edward,

Yes, it should work; here is an example:

nat (inside) 1 10.10.10.0 255.255.255.0

global (outside) 1 interface

access-list VPN-Traffic extended permit ip host 15.15.15.15 X.X.X.X x.x.x.x (Remote Network)

crypto map external_map 90 match address VPN-Traffic

Just remember how PAT works (Unidirectional), what I'm trying to say is that the 10.10.10.0 will be able to initate the connection to the remote network, however the remote network will not be able to initiate the connection to your local network.


Regards,

0 Helpful

edward.mcnicholas
Level 1
Level 1
In response to Gustavo Medina

‎01-12-2011 09:58 AM

Thanks so much for your feedback. I will give it another try.

0 Helpful
Customers Also Viewed These Support Documents