
Cisco ASA S2S with public range as encr.domain

Patrik Nechajev
Beginner

Hello all,

We need to build an S2S with a bigger company via a standard policy-based VPN. However, they are not accepting private ranges as the encryption domain (I guess because of overlapping?); instead they want to use a public IP range with NAT to the servers. There are 3 servers with private IPs, and each server should have its public IP in the encryption domain.

Besides the outside interface I also have a /29 DMZ with some free public IPs. This means that I can use this range as the encryption domain and then 1:1 NAT to the private servers? So no NAT exempt needed?

Some example would be really appreciated.
Thank you.

3 Replies

Rob Ingram
VIP Master

@Patrik Nechajev That will work. The example below will translate the host in the object ORIGINAL-SRC to the host in the object TRANSLATED-SRC.

nat (INSIDE,OUTSIDE) source static ORIGINAL-SRC TRANSLATED-SRC destination static PARTNER PARTNER

Replace interface names with your real names and use network objects. Create additional NAT rules for additional objects.

Your VPN crypto ACL will need to reference the TRANSLATED-SRC network/host instead of the real network.

Patrik Nechajev

So let's say our internal server has 10.0.0.1 (customer interface), my public IP from the DMZ (dmz interface) range is 1.1.1.1, and the partner public IP is 2.2.2.2; then:

nat (customer,DMZ) source static 10.0.0.1 1.1.1.1 destination static 2.2.2.2 2.2.2.2   (and this rule will be used instead of the standard NAT exempt), right?
And in the crypto ACL 1.1.1.1 will be used?

Thanks!

Accepted Solution
@Patrik Nechajev yes, that seems right - you'll just create network host objects to represent those networks/hosts.

And yes 1.1.1.1 (the translated source) will be used in the crypto ACL, repeat for any additional NATs.
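The complete ASA (8.3+) configuration for the scheme discussed in this thread, as an added example that is not from any of the thread's participants. It keeps the thread's placeholder addresses (10.0.0.1 real server, 1.1.1.1 public address from the DMZ /29, 2.2.2.2 partner host) and assumes interface names "customer" and "outside", the object names SRV1-REAL, SRV1-NAT and PARTNER, a crypto map named OUTSIDE-MAP, an ACL named VPN-PARTNER, and a partner gateway of 203.0.113.1 (documentation address, a placeholder). It assumes the tunnel terminates on "outside", which is why the NAT rule's mapped interface is "outside" and not "DMZ": on the ASA, twice NAT uses the interfaces in the rule to choose the egress interface, so a rule that points at the DMZ interface would send the traffic out an interface that has no crypto map and the tunnel would never be triggered. The mapped address does not have to belong to the mapped interface's subnet; it only has to be what the partner routes into the tunnel.

```cisco
! Added example, not the thread's own configuration. Assumed names: interfaces
! "customer" (servers) and "outside" (tunnel), objects SRV1-REAL, SRV1-NAT, PARTNER.
! Addresses 10.0.0.1, 1.1.1.1, 2.2.2.2 are the thread's placeholders; 203.0.113.1 is
! a placeholder for the partner's VPN gateway.

! Real (private) server
object network SRV1-REAL
 host 10.0.0.1

! Public address the partner sees for that server (one free IP from the DMZ /29)
object network SRV1-NAT
 host 1.1.1.1

! Partner's encryption domain (extend to a subnet if the partner gives a range)
object network PARTNER
 host 2.2.2.2

! Twice NAT: translate the server's source to its public address only when it talks
! to the partner; destination is identity-translated so 2.2.2.2 stays unchanged.
! This rule replaces a NAT-exempt rule for the server. The mapped interface must be
! the interface the crypto map is applied to (outside), because twice NAT decides
! the egress interface on the ASA. Repeat the three objects and this rule per server.
nat (customer,outside) source static SRV1-REAL SRV1-NAT destination static PARTNER PARTNER

! Crypto ACL references the TRANSLATED source: NAT runs before encryption on the
! outbound path, and the partner's proxy ID must match 1.1.1.1, not 10.0.0.1.
access-list VPN-PARTNER extended permit ip object SRV1-NAT object PARTNER

! IKEv1 phase 1 (parameters are an assumption; agree them with the partner)
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside

! IPsec phase 2
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Policy-based tunnel bound to the outside interface
crypto map OUTSIDE-MAP 10 match address VPN-PARTNER
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside

! Tunnel group for the partner peer (key is a placeholder)
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-AGREED-PSK
```

To check the order of operations before the partner is ready, run `packet-tracer input customer tcp 10.0.0.1 1025 2.2.2.2 443` on the ASA: the NAT phase should show SRV1-REAL being translated to SRV1-NAT, and the VPN phase should show the packet matching the crypto map on outside. `show nat detail` shows per-rule hit counts for the translation, and once the tunnel is up `show crypto ipsec sa` should list local identity 1.1.1.1/255.255.255.255 with remote identity 2.2.2.2/255.255.255.255, which is also what the partner's proxy IDs have to mirror.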
