Re: FTD Site to site VPN

NInja Black · ‎09-20-2020

Hi,

Setting up site to site VPN from ASA 5555 (FTD) to a clients firewall. Do I use the firewalls Outside interface IP address as VPN source IP NAT or an IP from the ISP assigned public range? Also will the private host IPs be NAT'd as the source IP NAT addresses?

Eduman · ‎09-20-2020

Hi NInja Black, you can do it either way and you will be ok as long as your intention is to have the public IP (on the outside) show up as the source of the packet on the other end. On your 2nd question, the answer is yes - your private host IPs will be NAT'd as the source if you specify them as the source in your NAT statement in the ASA.

NInja Black · ‎09-20-2020

Thanks Eduman for the quick response.

So if I am setting up multiple S2S VPNs with different peers I can use a unique IP from the public NAT range for each S2S VPN connection? Or use the one internet IP (FW Outside interface) for all S2S commections.

And as the internal IPs need to appear as NAT’d IP I don’t enable identity NAT, correct?

NInja Black · ‎09-30-2020

When configuring the VPN through FMC it only gives me option to select the interface and auto populates the IP address. How do I use an IP from the public NAT range as VPN tunnel IP?

Mohammed al Baqari · ‎09-30-2020

You need to configure the interface only. NAT will take place in backend
according to configured rule to NAT interface IP to public. You don't need
to select the public IP in the VPN config.

**** please remember to rate useful posts

NInja Black · ‎10-01-2020

Thanks for the response.

For VPN setup, the peer IP would be the FTD's outside interface IP and under NAT rules I will have to configure the PAT for the source IPs to translate to the Public IP from the NAT range. correct?