
NAT issue in Site to Site VPN

Hi All,

I am establishing a site-to-site VPN with one customer. The customer wants to access our servers on port 389 (LDAP queries). Below are the network details:

Customer server IP: 206.164.119.145

Our servers: 10.240.26.224 & 10.240.26.225, 158.89.132.43

I established the VPN and it is working fine except for servers 10.240.26.224 and 10.240.26.225, because the customer refused to add our servers' private IPs as destinations in their config. So can I make the scenario below possible at our side?


Convert traffic coming from 206.164.119.145 for 158.89.132.43:port X to 10.240.26.224:389.
Convert traffic coming from 206.164.119.145 for 158.89.132.43:port Y to 10.240.26.225:389.
Convert traffic coming from 206.164.119.145 for 158.89.132.43:port Z to 158.89.232.81:389.

Note: traffic will be initiated from their end, from their IP 206.164.119.145.

I don't want to waste two public IPs for our two servers. But I can get one public IP and replace 158.89.132.43 with it if required. Also, the customer is not agreeing to suggest two private IPs that are not in use at their side so that we can do static NAT for those servers at our side. They just want public IPs from our side. I couldn't find such scenarios on the Cisco forum or in the configuration guides. Please suggest what can be done in this scenario.

Thank you.

8 REPLIES
Hall of Fame Guru

Technically you could use public IPs that are not officially allocated to you. Traffic initiated from the customer end hits the crypto map at the remote end and is encapsulated in the tunnel and sent on to your end.

They get decapsulated and, on the path through your ASA, get un-natted back to your 10.x addresses.

For the reverse path, the opposite happens.


Thanks Marvin for the quick reply.

Can I use 158.89.132.43 for NAT? This is the IP assigned to one of our three LDAP servers.

I mistakenly mentioned the wrong IP in my initial question. Below is the correct scenario:

Convert traffic coming from 206.164.119.145 for 158.89.132.43:port X to 10.240.26.224:389.
Convert traffic coming from 206.164.119.145 for 158.89.132.43:port Y to 10.240.26.225:389.
Convert traffic coming from 206.164.119.145 for 158.89.132.43:port Z to 158.89.132.43:389.

Customer server IP: 206.164.119.145

Our servers: 10.240.26.224 & 10.240.26.225, 158.89.132.43

Note: traffic will be initiated from their end, from their IP 206.164.119.145.

Or do I need to use one unused public IP and replace 158.89.132.43 with that? I am confused because generally we use one-to-one static NAT for the destination.

Frequent Contributor

It is possible to add 158.89.132.43 to the crypto ACL though it would be simpler to obtain a new public address. Once a public address is added to the tunnel, you can use a static NAT rule just as you would use it without VPN.


Thanks Peter for the inputs.

Does it mean that I can hide all my servers (10.240.26.224 & 10.240.26.225, 158.89.132.43) behind 158.89.132.43? I contacted Cisco TAC and one engineer informed me that if I use PAT for my servers and traffic is initiated from the other end, then the tunnel will not come up. Is it true?


You are using static service translation, so ports should come up both ways. More of a concern is that now the user will have to change the LDAP ports for your servers, plus you would have to NAT only specific ports from your servers to new ports on the public IP... It's messy... Just use 2 public IPs; it's not true that you will waste them, you can leave the same public IPs in use for other services outside of the VPN.
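
Putting Marvin's, Peter's and Mile's suggestions together as an ASA configuration (an added illustration; none of it is configuration posted in this thread): each private LDAP server is published with a static service translation on a distinct TCP port of one spare public address, that mapped address is what the crypto ACL matches, and the third server keeps its own public IP. Assumptions of mine: ASA 8.3 or later object-NAT syntax, interfaces named inside and outside, 203.0.113.10 standing in for the spare public IP the thread discusses, 10389 and 20389 standing in for ports X and Y, and the object, ACL and crypto-map names.

```cisco
! Added example, not from the thread. Assumes ASA 8.3+ object NAT syntax.
! 203.0.113.10 = placeholder for the spare public IP; 10389/20389 = ports X/Y.
! Each private LDAP server (real tcp/389) is reached through the tunnel as
! 203.0.113.10 on its own mapped port (static NAT with port translation).
object network LDAP-1
 host 10.240.26.224
 nat (inside,outside) static 203.0.113.10 service tcp 389 10389
object network LDAP-2
 host 10.240.26.225
 nat (inside,outside) static 203.0.113.10 service tcp 389 20389
!
! Crypto ACL (interesting traffic): the local side is the source and uses the
! mapped (post-NAT) addresses; the customer's crypto ACL must be the mirror image,
! so they only ever see public addresses and ports.
! 158.89.132.43 is reachable directly, so it just needs its own entry.
access-list CUST-VPN extended permit ip host 203.0.113.10 host 206.164.119.145
access-list CUST-VPN extended permit ip host 158.89.132.43 host 206.164.119.145
!
crypto map OUTSIDE-MAP 10 match address CUST-VPN
crypto map OUTSIDE-MAP 10 set peer <customer-vpn-peer-ip>
! remaining crypto map, transform-set and IKE settings omitted (unchanged from
! the tunnel that already works for 158.89.132.43)
crypto map OUTSIDE-MAP interface outside
```

To check the translation without waiting for the customer, run `packet-tracer input outside tcp 206.164.119.145 40000 203.0.113.10 10389` on the ASA: the NAT phase should show the destination un-translated to 10.240.26.224/389 and the VPN phase should match CUST-VPN, and `show nat detail` shows hit counts per rule once traffic flows. Because the crypto ACL matches only traffic to and from 206.164.119.145, 203.0.113.10 remains usable for other, non-VPN services, which is Mile's point about not wasting the address.
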


Thanks Mile.

Because the public IP will remain in the S2S tunnel, we can still use it outside the VPN.


Although a port-specific crypto ACL is not recommended, we can use it. For any restriction, a VPN filter in a new group policy is recommended. I will first try to get a public IP to make things simple.

Thanks for the inputs :)

Frequent Contributor

Actually, I'm not absolutely positive, but I would try it with a port-specific crypto ACL such as

  • permit tcp host 206.164.119.145 host 158.89.232.81 eq 389