1682 Views | 0 Helpful | 3 Replies

NAT and interesting Traffic ACL

Hi Folks, I need to configure a VPN tunnel from my CSR in such a way that I will have to PAT all interesting traffic to the outside interface IP. So let's say my Interesting Traffic ACL is src: my-local-subnet to dest: some-hosts-on-the-cust-side. I will then have to PAT it. Command is - 

ip nat inside source list INTERESTING-TRAFFIC-ACL interface gig1 overload extended

This is due to the Customer requirement to only allow 1 ip in the interesting ACL on their side and not get into overlapping subnet problems. Now the thing that is puzzling me is that, the interesting Traffic ACL is not matching on both the ends. How will the tunnel come up? 

Thoughts? 


3 Replies

Hi @SandevChopra07800 

The crypto ACL that defines the interesting traffic will need to have the NAT IP address defined instead of the real IP address.

HTH

Thnx. So in that case I will need 2 ACLs, one for the crypto and the other with real src-subnets that will be referred to in the NAT statement? In other words - 

CRYPTO-ACL: src: outside-intf-ip, dst: cust-hosts  -----> Interesting Traffic ACL, will be matched/reversed on the Cust side. 

OTHER-ACL: src: local-subnet, dst: cust-hosts   ----> Will be used in the NAT statement as above. 

If you are natting behind the outside interface you don't need another nat rule, the nat rule in your first post would achieve the desired result. You'd just need the crypto ACL to reference the source as the outside interface ip address rather than the real IP address.
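The configuration below is an added illustration of the two-ACL arrangement discussed in this thread; it is not taken from any post here or from Cisco documentation. All addresses are constructed placeholders from the documentation ranges: 10.1.1.0/24 is the local subnet, 203.0.113.10 is the CSR's outside interface IP, 198.51.100.1 is the customer's VPN peer and 192.0.2.50 is the customer host. The NAT ACL matches the real inside subnet, while the crypto ACL matches only the translated source (the outside interface address), because on IOS an inside-to-outside packet is translated by NAT before the crypto map is consulted, so the crypto ACL sees the post-NAT source.

```cisco
! Assumed addressing (constructed for this example):
!   inside subnet 10.1.1.0/24, outside IP 203.0.113.10,
!   customer peer 198.51.100.1, customer host 192.0.2.50

! NAT ACL: real inside subnet -> customer host (pre-NAT view)
ip access-list extended NAT-TO-CUSTOMER
 permit ip 10.1.1.0 0.0.0.255 host 192.0.2.50

! Crypto ACL: translated source only (post-NAT view).
! The customer mirrors this as: permit ip host 192.0.2.50 host 203.0.113.10
ip access-list extended CRYPTO-TO-CUSTOMER
 permit ip host 203.0.113.10 host 192.0.2.50

! PAT everything in NAT-TO-CUSTOMER to the outside interface address
ip nat inside source list NAT-TO-CUSTOMER interface GigabitEthernet1 overload

! IKEv1 / IPsec policy (pre-shared key is a placeholder)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PSK-PLACEHOLDER address 198.51.100.1

crypto ipsec transform-set CUST-TS esp-aes 256 esp-sha256-hmac
 mode tunnel

crypto map CUST-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set CUST-TS
 match address CRYPTO-TO-CUSTOMER

interface GigabitEthernet1
 description Outside / Internet
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 crypto map CUST-MAP

interface GigabitEthernet2
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
```

Once a host in 10.1.1.0/24 sends traffic to 192.0.2.50, `show ip nat translations` should show the flow translated to 203.0.113.10, and `show crypto ipsec sa` should list a security association whose local identity is 203.0.113.10/32 and remote identity 192.0.2.50/32, matching the customer's mirrored crypto ACL. Return traffic is decrypted first and then untranslated back to the real inside host, which is why no second NAT rule is needed.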