Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
609
Views
4
Helpful
5
Replies

Implement Site to Site VPN...Need Help...

harsha senaratna
Level 1
Level 1

‎09-28-2012 01:56 AM

hi all ,

I need to implement site to site vpn tunnel between A and B two Endpoints.


Ultimate Goal - Communicate between Node X and Y

Our Side:

A - resides in DMZ
X - resides in Server Farm  ( Access Y Server by Browsing http://192.168.X)


It is requires to do a NAT in Router A  and     

               a) hide source address flowing       (Address X --> Can translate it to a Address - P ) 
               b) 192.168.1.X should route using a different address in OUR Side (Address Y --> Can translate it to a Address - Q)

But Router A contains only One Single interface (Gi 0/1). How can I do the NAT according to my situation ?  (I cannot terminate the S2S VPN in Our Side Border Router. It should terminate in Router A)

What are the IP's I should use to configure Interesting Traffic ?

Your responses are highly.

Thanks

Labels:
Preview file
63 KB
0 Helpful
5 Replies 5

Harish Balakrishnan
Spotlight
Spotlight

‎09-28-2012 08:57 AM

Hello Harsha,

are you doing this on ASA or IOS ? please let me know the device details at either end

regards

Harish.

0 Helpful

harsha senaratna
Level 1
Level 1
In response to Harish Balakrishnan

‎09-28-2012 10:00 AM

hi Harish,

In our side it's a cisco 7206 GXR and other end check point firewall.

Harsha

0 Helpful

Harish Balakrishnan
Spotlight
Spotlight
In response to harsha senaratna

‎09-28-2012 10:06 AM

Hello Harsha,

can you explain how your internal traffic reaches your 7206, i mean what are other devices in between . Also you have mentioned you have only 1  interface on 7206 .. cab you explain bit more on that

regards

Harish.

0 Helpful

harsha senaratna
Level 1
Level 1
In response to Harish Balakrishnan

‎09-28-2012 10:18 AM

hi Harish,

Once I reach the A Router through my X server I'll find another router and a firewall between them. It's required to build the tunnel between Router A and B while hiding my Internal Network to the peer end.

Since I did have a single Interface Gi 0/1 I defined a Loopback Interface as a outside.

Router A config:

interface gi 0/1

ip nat inside

int lo 1

ip nat outside

ip nat inside source static X  P

ip nat outside source static Y Q

But once I send a icmp message from server X to the Y server I cannot see any nat translations on my Rouer A "debug ip nat"

What should I do in order to hide my internal network ?

Harsha

0 Helpful

Harish Balakrishnan
Spotlight
Spotlight
In response to harsha senaratna

‎09-28-2012 01:11 PM

Hello Harsha,

i guess you are upto configure nat on a stick but in order this to work, we have to send the traffic to loopback then only NAT would work.

what you can do is to create a policy based routing ( PBR) and set the interface as loopback1 for the intresting traffic  and apply that in the router G0/1 interface.

Hope this helps

Harish.

Customers Also Viewed These Support Documents