IPSEC and NAT

stevent
Level 1

I am doing a site-to-site VPN using two 1720s. I will be configuring NAT (static and overload) on both routers. The questions are:

1. When defining the traffic that gets encrypted by IPsec, should I specify the private IP range or should I specify the public IP range?

2. I will be doing a static one-to-one NAT for the mail, DNS, FTP, HTTP servers on the network. Do I still have to define in the access-list a rule to allow mail traffic through? If an access list is still required, should it be e.g. "access-list 101 permit tcp any 192.168.1.5 eq 25", which gets applied to the Serial interface, or is it "access-list 101 permit tcp any public ip eq 25" (the term public ip refers to any public IP)?

Any help would be appreciated; I hope the above is clear.

4 Replies

almazana
Level 1

I would specify the public address space; this is the outside of your network, and that particular interface represents your outside connectivity.

Much like BSD and ipfilter, you should define access-lists for your interfaces considering both in and out traffic. For greater granularity, you should designate the server's entire address with wildcard masks. This way you filter the right TCP traffic to just the server that it is intended for.

s.diyorio
Level 1

If I understand your setup correctly the answers will be:

1. Define an access list devoted only to the IPsec configuration. Specify the source of your private network allowed to the destination of the other side's private network.

2. Your access list to allow public traffic should permit traffic to the static public address you specify in your NAT statement, and should be applied to the outside interface.

Perfect, s.diyorio nailed it down for you.

optp
Level 1

Hello, Stevent.

I have been doing some experimenting with IPsec.

Concerning your first question, you can specify public IP addresses or private IP addresses. It depends on your network design. You have the option to specify internal or public IP addresses. It is up to you.

The most important thing to say is: both sides must be configured with public IP addresses. Behind these public interfaces, you can route to private addresses.

About your second question, remember that you must define everything that will pass. Everything you do not include in the access-list will be prevented from going through the tunnel.

I hope this helps.
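The two points in s.diyorio's answer (a crypto ACL matching private-to-private traffic, and an outside-interface ACL that permits traffic to the static NAT public address) and optp's reminder that anything the crypto ACL does not match stays out of the tunnel, as a Cisco IOS configuration for the site A 1720. This is an added example, not configuration posted by anyone in the thread. All addresses are assumptions: 192.168.1.0/24 as the site A LAN, 192.168.2.0/24 as the site B LAN, 203.0.113.1 and 198.51.100.1 as the two public serial addresses, 203.0.113.5 as the static address of the mail server 192.168.1.5 from the question; the pre-shared key is a placeholder and the interface names assume a 1720 with one Serial and one FastEthernet port. It also adds one check the thread does not mention: the NAT overload list denies the site-to-site traffic, because IOS translates inside-to-outside packets before it consults the crypto map, and a source address rewritten to the public address no longer matches the crypto ACL, so the packet would leave in the clear.

```cisco
! Site A router (constructed example, not from the thread).
! Inside LAN 192.168.1.0/24, remote LAN 192.168.2.0/24.
! Serial0 public address 203.0.113.1, peer 198.51.100.1 (assumed).
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_PSK address 198.51.100.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Answer 1: crypto ACL, private source to private destination.
! Only traffic matching this list is encrypted; everything else is sent in the clear.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map SITE-B 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
!
! NAT: the overload list must deny the VPN traffic. NAT runs before the crypto map
! on the inside-to-outside path; a translated packet no longer matches VPN-TRAFFIC.
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface Serial0 overload
ip nat inside source static 192.168.1.5 203.0.113.5
!
! Answer 2: inbound ACL on the outside interface permits traffic to the PUBLIC
! (static NAT) address, because the ACL is evaluated before the outside-to-inside
! translation. IKE and ESP from the peer must also be allowed.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit esp host 198.51.100.1 host 203.0.113.1
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit tcp any host 203.0.113.5 eq smtp
 deny   ip any any log
!
interface Serial0
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
 crypto map SITE-B
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
```

Site B needs the mirror image: its crypto ACL permits 192.168.2.0/24 to 192.168.1.0/24, its NAT list denies that same pair, and its peer and key statements point at 203.0.113.1. The `permit ip 192.168.2.0 ... 192.168.1.0 ...` line in OUTSIDE-IN is there because older IOS images re-check decrypted tunnel traffic against the inbound interface ACL; on images that bypass that check it is harmless. Use the strongest cipher the router's image supports; the AES settings above assume an image that offers them.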