Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
467
Views
10
Helpful
3
Replies

Cisco ASA S2S with public range as encr.domain

Go to solution
Patrik Nechajev
Level 1
Level 1

‎01-27-2023 12:44 AM - edited ‎01-27-2023 12:45 AM

Hello all,

we need to build s2s with bigger company via standard policy-based VPN. However they are not accepting private ranges as encr. domain (i guess because of overlapping?), instead they want to use public IP range with NAT to servers. There are 3 servers with private IP's and each server should have its public IP in encr. domain.

Instead of outside interface i also have /29 DMZ with some free public IP's. This means that i can use this range as encr. domain and then 1:1 NAT to private servers? So no NAT exempt needed? 

Some example would be really appreciated.
Thank you. 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to Patrik Nechajev

‎01-27-2023 01:19 AM

@Patrik Nechajev yes, that seems right - you'll just create network host objects to represent those networks/hosts.

And yes 1.1.1.1 (the translated source) will be used in the crypto ACL, repeat for any additional NATs.

View solution in original post

3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎01-27-2023 12:56 AM

@Patrik Nechajev That will work. This example below will translate the host in the object ORIGINAL-SRC to the host in the object TRANSLATED-SRC.

nat (INSIDE,OUTSIDE) source static ORIGINAL-SRC TRANSLATED-SRC destination static PARTNER PARTNER

Replace interface names with your real names and use network objects. Create additional NAT rules for additional objects.

Your VPN crypto ACL will need to reference the TRANSLATED-SRC network/host instead of the real network.

Go to solution
Patrik Nechajev
Level 1
Level 1
In response to Rob Ingram

‎01-27-2023 01:12 AM

So lets say our internal server has 10.0.0.1(customer interface), my public IP from DMZ (dmz interface) range is 1.1.1.1, partner public IP 2.2.2.2 then:

nat (customer,DMZ) source static 10.0.0.1 1.1.1.1 destination static 2.2.2.2 2.2.2.2   (and this rule will be used instead of standard NAT exempt) right?
And in crypto 1.1.1.1 will be used?  

Thanks!

 

 

 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Patrik Nechajev

‎01-27-2023 01:19 AM

@Patrik Nechajev yes, that seems right - you'll just create network host objects to represent those networks/hosts.

And yes 1.1.1.1 (the translated source) will be used in the crypto ACL, repeat for any additional NATs.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents