03-19-2017 12:16 AM
Hi All,
I am establishing a site-to-site VPN with one customer. The customer wants to access our servers on port 389 (LDAP query). Below are the network details:
Customer server IP-206.164.119.145
Our servers-10.240.26.224 & 10.240.26.225, 158.89.132.43
I established the VPN and it is working fine except for servers 10.240.26.224 and 10.240.26.225, because the customer refused to add our servers' private IPs as destinations in their config. So can I make the scenario below possible at our side?
Convert traffic coming from 206.164.119.145 for 158.89.132.43, port X, to 10.240.26.224:389.
Convert traffic coming from 206.164.119.145 for 158.89.132.43, port Y, to 10.240.26.225:389.
Convert traffic coming from 206.164.119.145 for 158.89.132.43, port Z, to 158.89.232.81:389.
Note: traffic will be initiated from their end, from their IP 206.164.119.145.
I don't want to waste two public IPs for our two servers, but I can get one public IP and replace 158.89.132.43 with it if required. Also, the customer is not agreeing to suggest two private IPs that are not in use at their side so that we can do static NAT for those servers at our side. They just want public IPs from our side. I couldn't find such scenarios on the Cisco forum or in the configuration guides. Please suggest what can be done in this scenario.
Thank you.
03-19-2017 01:02 AM
Technically you could use public IPs that are not officially allocated to you. Traffic initiated from the customer end hits the crypto map at the remote end and is encapsulated in the tunnel and sent on to your end.
They get decapsulated and, on the path through your ASA, get un-NATted back to your 10.x addresses.
For the reverse path, the opposite happens.
03-19-2017 01:58 AM
Thanks Marvin for the quick reply.
Can I use 158.89.132.43 for NAT? This is the IP assigned to one of our three LDAP servers.
I mistakenly mentioned a wrong IP in my initial question. Below is the correct scenario:
Convert traffic coming from 206.164.119.145 for 158.89.132.43, port X, to 10.240.26.224:389.
Convert traffic coming from 206.164.119.145 for 158.89.132.43, port Y, to 10.240.26.225:389.
Convert traffic coming from 206.164.119.145 for 158.89.132.43, port Z, to 158.89.132.43:389.
Customer server IP: 206.164.119.145
Our servers: 10.240.26.224 & 10.240.26.225, 158.89.132.43
Note: traffic will be initiated from their end, from their IP 206.164.119.145.
Or do I need to use one unused public IP and replace 158.89.132.43 with that? I am confused because generally we use one-to-one static NAT for the destination.
03-19-2017 06:53 AM
It is possible to add 158.89.132.43 to the crypto ACL, though it would be simpler to obtain a new public address. Once a public address is added to the tunnel, you can use a static NAT rule just as you would use it without the VPN.
03-19-2017 07:12 AM
Thanks Peter for the inputs.
Does it mean that I can hide all my servers (10.240.26.224, 10.240.26.225 and 158.89.132.43) behind 158.89.132.43? I contacted Cisco TAC and one engineer informed me that if I use PAT for my servers and traffic is initiated from the other end, then the tunnel will not come up. Is it true?
03-20-2017 02:19 PM
You are using static service translation, so ports should come up both ways. More of a concern is that the user will now have to change the LDAP ports for your servers, plus you would have to NAT only specific ports from your servers to new ports on the public IP... It's messy... Just use 2 public IPs; it's not true that you will waste them, you can leave the same public IPs in use for other services outside of the VPN.
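Added example (not from any poster in this thread): what the two approaches discussed above look like in ASA 8.3+ object NAT syntax, with the crypto ACL written against the mapped addresses. Everything not stated in the thread is assumed: interface names inside/outside, spare public addresses 203.0.113.10-12 (documentation range, stand-ins for whatever the provider allocates), ports 10389/11389 standing in for "port X"/"port Y", a crypto map named OUTSIDE_MAP with entry 10 already built for this peer, and the customer's VPN gateway being the same address as their server (the thread never gives the peer gateway, so the tunnel-group name below is a placeholder).

```cisco
! Added example, ASA 8.3+ syntax. Assumed names/addresses are noted in the lead-in.

object network CUSTOMER_LDAP_CLIENT
 host 206.164.119.145

! --- Option A (Mile's suggestion): one spare public IP per private server, plain
! one-to-one static NAT. The customer keeps using tcp/389; only the destination
! address changes. Assumed mapped addresses: 203.0.113.11 and 203.0.113.12.
object network LDAP1_REAL
 host 10.240.26.224
 nat (inside,outside) static 203.0.113.11
object network LDAP2_REAL
 host 10.240.26.225
 nat (inside,outside) static 203.0.113.12

! --- Option B (the original ask): a single spare public IP (assumed 203.0.113.10)
! with static PAT, i.e. static service translation: service tcp <real_port> <mapped_port>.
! An object carries one nat statement, so replace Option A's nat lines with these
! if you go this way. The customer then has to query 10389 / 11389 instead of 389.
! object network LDAP1_REAL
!  host 10.240.26.224
!  nat (inside,outside) static 203.0.113.10 service tcp 389 10389
! object network LDAP2_REAL
!  host 10.240.26.225
!  nat (inside,outside) static 203.0.113.10 service tcp 389 11389

! The crypto ACL must reference the mapped (post-NAT) addresses, so it lists the
! public side. 158.89.132.43 is already public and needs no NAT rule. Keep the
! crypto ACL address-only; port restriction goes in the vpn-filter below.
object-group network OUR_LDAP_PUBLIC
 network-object host 203.0.113.11
 network-object host 203.0.113.12
 network-object host 158.89.132.43
access-list CUSTOMER_CRYPTO extended permit ip object-group OUR_LDAP_PUBLIC object CUSTOMER_LDAP_CLIENT
crypto map OUTSIDE_MAP 10 match address CUSTOMER_CRYPTO

! vpn-filter ACLs are written remote -> local and the ASA applies them in both
! directions. Assumption to verify on your release with packet-tracer: whether the
! filter is matched against mapped or real addresses; if real, list 10.240.26.224/.225
! here instead of the 203.0.113.x addresses.
access-list CUSTOMER_VPN_FILTER extended permit tcp object CUSTOMER_LDAP_CLIENT object-group OUR_LDAP_PUBLIC eq 389
group-policy CUSTOMER_L2L_GP internal
group-policy CUSTOMER_L2L_GP attributes
 vpn-filter value CUSTOMER_VPN_FILTER
tunnel-group 206.164.119.145 general-attributes
 default-group-policy CUSTOMER_L2L_GP
```

To check the path before the customer tests, run `packet-tracer input outside tcp 206.164.119.145 40000 203.0.113.11 389` (Option A) or the same with 203.0.113.10 10389 (Option B): the output should show an UN-NAT phase translating to 10.240.26.224, a VPN phase matching the crypto map, and the vpn-filter ACL allowing the flow. `show nat detail` and `show crypto ipsec sa` confirm the translation counters and that the SA's local identity is the public address, not the 10.x one.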
03-22-2017 05:50 AM
Thanks Mile.
Because the public IP will remain in the S2S tunnel, we can still use it outside the VPN.
03-22-2017 05:54 AM
Although a port-specific crypto ACL is not recommended, we can use it. For any restriction, a VPN filter in a new group policy is recommended. I will first try to get a public IP to make things simple.
Thanks for the inputs:)
03-20-2017 12:20 PM
Actually I'm not absolutely positive, but I would try it with a port-specific crypto ACL such as