12-12-2013 05:51 AM - edited 02-21-2020 07:23 PM
Hi,
I have been given a task to set up a site-to-site VPN tunnel between my site and an external vendor. The vendor wants the source IP to be a valid ISP IP instead of an internal address. My question: can I NAT the source at my end to the same IP which is acting as the VPN gateway (where the tunnel terminates on my ASA), i.e. NATting the source to the interface? Will that work?
My source IP : 10.10.10.123
ASA Interface IP (acting as VPN GW for site-to-site VPN) : x.x.x.x
Source will NAT to : x.x.x.x
Thanks,
Sridhar
12-12-2013 06:11 AM
Hello Sridhar,
What do you mean by a valid ISP IP instead of an internal address?
Please let us know what your inside and outside IPs are.
12-12-2013 06:31 AM
The vendor doesn't want to use the internal IP (in my case 10.10.10.123) to connect; instead he would like to use a public IP. My question is: if I NAT my source IP (10.10.10.123) to the same interface which is acting as VPN GW, will that work? Is this recommended?
12-12-2013 06:40 AM
Hi,
You can use your VPN device's public IP address on the L2L VPN connection also, but you will have to be careful with the NAT configuration.
You would have to configure either Static PAT, Static Policy PAT or Static Policy NAT.
You should NOT configure Static NAT using the interface IP address (of the ASA?), or you will potentially cause problems with traffic forwarding.
If you have other free public IP addresses then you can naturally use them for the configurations also.
EDIT: As stated above, if this L2L VPN serves only connections from your site to the remote site then you probably won't need any additional NAT configuration, as the internal hosts' traffic should match the basic Dynamic PAT rule you have in place for any outbound traffic. If the remote site needs to form connections to your site then you would need some NAT configuration as mentioned above.
- Jouni
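As an added example (not from any post in this thread), here is what the Static Policy NAT option described above looks like in ASA 8.3+ "twice NAT" syntax, assuming a spare public IP from the site's ISP block is used as the mapped address rather than the ASA outside interface IP. The addresses 198.51.100.10 (mapped public IP), 203.0.113.0/24 (vendor LAN), the object and ACL names and the peer placeholder are all assumptions.

```cisco
! Added example, ASA 8.3+ syntax assumed. Placeholders: 198.51.100.10 is a spare
! public IP from the site's ISP block, 203.0.113.0/24 is the vendor's network,
! <vendor-peer-ip> is the vendor's VPN gateway.
!
! Real (inside) host that needs to reach the vendor
object network OBJ-INSIDE-HOST
 host 10.10.10.123
!
! Spare public IP used as the mapped source (NOT the ASA outside interface IP,
! which the post above warns against for static NAT)
object network OBJ-VPN-MAPPED
 host 198.51.100.10
!
! Vendor network reachable through the L2L tunnel
object network OBJ-VENDOR-LAN
 subnet 203.0.113.0 255.255.255.0
!
! Static policy NAT: 10.10.10.123 -> 198.51.100.10 only when the destination is
! the vendor LAN. Traffic to any other destination still matches the ordinary
! outbound dynamic PAT rule. Manual NAT rules are evaluated top-down in
! section 1, so enter this above any manual dynamic PAT rule.
nat (inside,outside) source static OBJ-INSIDE-HOST OBJ-VPN-MAPPED destination static OBJ-VENDOR-LAN OBJ-VENDOR-LAN
!
! The crypto ACL must reference the TRANSLATED source, because the ASA applies
! NAT before the crypto map on the outbound path. The vendor's mirror ACL
! should permit 203.0.113.0/24 -> host 198.51.100.10.
access-list VPN-VENDOR extended permit ip host 198.51.100.10 203.0.113.0 255.255.255.0
!
crypto map OUTSIDE_MAP 10 match address VPN-VENDOR
crypto map OUTSIDE_MAP 10 set peer <vendor-peer-ip>
! (transform set / IKE policy and tunnel-group pre-shared key omitted)
tunnel-group <vendor-peer-ip> type ipsec-l2l
!
! Verification: confirm the policy rule is hit and the traffic is encrypted
! packet-tracer input inside tcp 10.10.10.123 12345 203.0.113.10 443
! show nat detail
! show crypto ipsec sa peer <vendor-peer-ip>
```

If the vendor also needs to initiate connections to 10.10.10.123, the same static rule already provides the reverse (198.51.100.10 -> 10.10.10.123) mapping for traffic arriving from the vendor LAN.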
12-12-2013 06:38 AM
If the VPN setup is on an ASA, then I guess what your vendor is asking for is the IP of the outside interface of your ASA (which is most likely a public IP or ISP-given IP). You do not require a NAT, since it probably already exists if your internal IPs (I assume the 10.x.x.x range) have access to the internet. Let us know if my assumptions are not correct and then clarify.