Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
298
Views
0
Helpful
1
Replies

IKE behind NAT local IP

tahscolony
Level 1
Level 1

‎07-29-2015 07:16 AM

When building the Crypto keyring, and isakmp policy, what IP do I use for the local address?  Should it be the local interface IP that is natted to the public, or do I put the public IP that is natted on the firewall as a loopback on the router and use that?  Been so long since I setup one like this behind an ASA I forgot how!

 

EX: Interface G0/0 ip 192.168.100.1 -> ASA NAT IP 66.266.267.268

 

Interface Tunnel1

source IP 192.168.100.1

crypto keyring blah

local-address 192.168.100.1

crypto isakmp profile blah

local-address 192.168.100.1

 

 

OR

 

Interface loopback1

ip add 66.266.267.268

 

Interface Tunnel1

source IP 66.266.267.268 (or loopback1)

crypto keyring blah

local-address 66.266.267.268

crypto isakmp profile blah

local-address 66.266.267.268

 

 

Labels:
0 Helpful
1 Reply 1

Karsten Iwen
VIP
VIP

‎07-29-2015 08:46 AM

The local address is optional, normally you don't need to specify it. But if you do, it's the address that the router is aware of. That's the routers own address.

0 Helpful
Customers Also Viewed These Support Documents