Ipsec tunnel + NAT

sridhar ch
Level 1

Hi,

I have been given a task to set up a site-to-site VPN tunnel between my site and an external vendor. The vendor wants the source IP to be a valid ISP IP instead of an internal address. My question: can I NAT the source at my end to the same IP which is acting as the VPN gateway (where the tunnel terminates on my ASA), i.e. NATting the source to the interface? Will that work?

My source IP : 10.10.10.123

ASA interface IP (acting as VPN GW for site-to-site VPN) : x.x.x.x

Source will NAT to : x.x.x.x

Thanks,

Sridhar

4 Replies

shine pothen
Level 3

Hello Sridhar,

What do you mean by a valid ISP IP instead of an internal address?

Please let us know what your inside and outside IPs are.

The vendor doesn't want to use the internal IP (in my case 10.10.10.123) to connect; instead he would like to use a public IP. My question is: if I NAT my source IP (10.10.10.123) to the same interface which is acting as the VPN GW, will that work? Is this recommended?

Hi,

You can use your VPN device's public IP address on the L2L VPN connection also, but you will have to be careful with the NAT configuration.

You would have to configure either Static PAT, Static Policy PAT or Static Policy NAT.

You should NOT configure Static NAT using the interface IP address (of the ASA?) or you will potentially cause problems with traffic forwarding.

If you have other free public IP addresses then you can naturally use them for the configurations also.

EDIT: As stated above, if this L2L VPN serves only connections from your site to the remote site then you probably won't need any additional NAT configuration, as the internal hosts' traffic should match the basic Dynamic PAT rule you have in place for any outbound traffic. If the remote site needs to form connections to your site then you would need some NAT configuration as mentioned above.

- Jouni

smetieh001
Level 1

If the VPN setup is on the ASA then I guess what your vendor is asking for is the IP of the outside interface of your ASA (which is most likely a public IP or ISP-given IP). You do not require a NAT, since it probably already exists if your internal IPs (I assume the 10.x.x.x range) have access to the internet. Let us know if my assumptions are not correct and then clarify.
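As an added illustration (not configuration from anyone in this thread), the ASA fragment below shows the two situations Jouni's reply and smetieh001's reply describe: the existing outbound Dynamic PAT already covering host-initiated traffic, and a Static Policy PAT for the case where the vendor must reach the host, using the interface address without the plain static-to-interface NAT Jouni warns against. It uses ASA 8.3+ NAT syntax; the object names, the vendor subnet 192.0.2.0/24, the port 443 and the peer address placeholder are all constructed for the example, and x.x.x.x is the thread's own placeholder for the outside interface IP.

```cisco
! Constructed example, not from the thread. ASA 8.3+ NAT syntax.
! Internal host from the question and the vendor's network behind the tunnel.
object network INSIDE-HOST
 host 10.10.10.123
object network VENDOR-NET
 subnet 192.0.2.0 255.255.255.0        ! constructed placeholder for the vendor subnet
! In twice NAT the service objects describe the real/mapped SOURCE port of
! the host, so "source eq 443" maps host port 443 to interface port 443.
object service HOST-TCP-443
 service tcp source eq 443

! Case 1: only your host opens connections to the vendor.
! The usual outbound rule already translates 10.10.10.123 to the outside
! interface address, so no extra NAT is needed. Make sure no NAT-exemption
! (identity) rule for VENDOR-NET sits above it, or the host would be sent
! into the tunnel untranslated.
object network INSIDE-NET
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Case 2: the vendor must also connect to the host on TCP/443.
! Static Policy PAT: only traffic between INSIDE-HOST and VENDOR-NET on
! port 443 is mapped to the interface address, so the interface IP is not
! claimed for every inbound packet. A "source static INSIDE-HOST interface"
! rule with no service clause is the static NAT to the interface IP that
! Jouni's reply advises against.
nat (inside,outside) source static INSIDE-HOST interface destination static VENDOR-NET VENDOR-NET service HOST-TCP-443 HOST-TCP-443

! The crypto ACL is evaluated after NAT, so it must match the translated
! address (the outside interface IP, x.x.x.x in the thread), not 10.10.10.123.
access-list VENDOR-VPN extended permit ip host x.x.x.x 192.0.2.0 255.255.255.0

! Checks: confirm which NAT rule the flow hits and that it is encrypted.
packet-tracer input inside tcp 10.10.10.123 40000 192.0.2.10 443
show nat
show crypto ipsec sa peer <vendor-peer-ip>
```

Run the packet-tracer before bringing the tunnel up with the vendor: its NAT phase should show the translation to the interface address and its VPN phase should show ENCRYPT; if it shows the host's 10.10.10.123 address going into the tunnel, an identity NAT rule is matching first and must be reordered.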