NAT and VPN question

mjsully
Level 1

On ASA running 8.2, firewall is configured to PAT all inside networks when going out to the internet, to the interface of the outside firewall's interface.

Setting up a new VPN, if I don't set up an ACL to bypass NAT, can the defined inside hosts in my crypto ACL still get PAT'd to the same outside IP before it goes to the remote end? In other words, can it PAT to the same IP address that would be the peer address from the remote end's perspective? Remote side can only accept a public IP, and we have no other IPs to use, so looking to see if and how this can be achieved.

thanks

16 Replies

 I'm a pretty straight-forward kind of person, so if I come off oddly, it's certainly not intended.

No problem, you certainly didn't come across like that and what you said are reasonable assumptions to make.

To be honest I don't miss the days when I had to set these things up. Trying to talk someone on the other end of a phone line through the configuration when they have little or no experience with VPNs required a lot of patience and just occasionally, if I was already having a bad day, I came very close to completely losing it.

I suspect we've both been there and if you haven't then you're a better man than me :-)

Jon

Jon Marshall
Hall of Fame

Yes, that should work fine.

All your internal IPs will be seen as the public IP address at the other end.

If your crypto map is referencing the private IPs then you need to change it to reference the public IP instead and obviously the remote end needs to do the same.

And because it is PAT then you will only be able to initiate the connection from your end.

Jon
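The setup described in this answer, sketched as an ASA 8.2 configuration fragment. This is an added example, not configuration posted by anyone in the thread; every address, the ACL name `VPN-REMOTE`, the crypto map name `OUTSIDE_MAP` and the transform-set name are constructed placeholders, and the IKE policy and tunnel-group parts are left out.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   inside networks        10.10.0.0/16
!   outside interface IP   192.0.2.1     (also the VPN peer address the remote end sees)
!   remote peer            203.0.113.10
!   remote protected net   10.20.0.0/24

! Existing dynamic PAT of all inside networks to the outside interface.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! No "nat (inside) 0 access-list ..." exemption is configured for this tunnel,
! so traffic to 10.20.0.0/24 is PAT'd to 192.0.2.1 like any other outbound flow.

! Crypto ACL written against the private sources: never matches, because the
! packet already carries source 192.0.2.1 when the crypto map is evaluated.
! access-list VPN-REMOTE extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.255.0

! Crypto ACL written against the post-PAT source: this is the one to use.
access-list VPN-REMOTE extended permit ip host 192.0.2.1 10.20.0.0 255.255.255.0

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! The remote end mirrors the ACL: its protected network as source,
! host 192.0.2.1 as destination. Because the local side is dynamic PAT,
! only flows initiated from the inside can bring the tunnel up.
```

After sending traffic from an inside host, `show xlate` should list the PAT entry to the outside address and `show crypto ipsec sa` should show the encaps counter rising with the local ident set to the public IP.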