Question: S2S VPN using Public IP

Hello,

I have a few questions regarding an S2S VPN set up I'm being asked to complete. To give you some background, a vendor is requesting a many-to-one NAT from 2 of our internal hosts to a single public IP address and wants to use this public IP to be able to send across the encrypted tunnel. Normal VPN tunnels (that I've configured) typically encrypt the traffic between the internal LANs on both sides of the tunnel. They said they can accommodate the use of a many-to-one internal IP to another single internal IP if we don't want to use a public IP. Here are my questions:

1. How common is it to use a public IP address for an S2S VPN tunnel (not the public IP peer address) for the interesting/encrypted traffic?

2. Their documentation says many-to-one or PAT, which is what we already have set up for Internet access for our internal hosts (using a range of public IP addresses). How does this type of configuration work since we're already using PAT?

3. If we went the many-to-one internal NAT to another private IP address, how do I set this up?

I know there are going to be many questions, but please feel free to ask and I'll provide as many details as I can. I just want to get the discussion going so I have a better understanding.

Thanks!

18 Replies

Another question,

When I create the network object for the local side of the tunnel, do I need to specify the NAT config under that object to NAT the real IP behind another private IP? For instance,

Real IP: 10.1.1.100 & 10.1.1.101
NAT IP: 192.168.1.10

object network LOCAL-IP
 range 10.1.1.100 10.1.1.101
 nat (inside,outside) dynamic 192.168.1.10

If not, then how does the firewall know to NAT the real IP address behind the private IP I need it NAT'd to?

This will NAT all traffic from LOCAL-IP and send it over the VPN (unless that is desired).

Instead, use twice NAT. I am using 172.16.1.1 as the remote IP for this example. Change it to what you need.

Real IP: 10.1.1.100 & 10.1.1.101
NAT IP: 192.168.1.10

object network REMOTE-IP
 host 172.16.1.1
object network NAT-IP
 host 192.168.1.10
object network LOCAL-IP
 range 10.1.1.100 10.1.1.101
nat (inside,outside) source dynamic LOCAL-IP NAT-IP destination static REMOTE-IP REMOTE-IP

--
Please remember to select a correct answer and rate helpful posts
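The difference between the two configurations in the reply above (object NAT on LOCAL-IP versus twice NAT with a static destination match on REMOTE-IP) can be seen by evaluating a few sample flows against each rule. The following is an added illustration written for this thread, not the poster's code and not Cisco's NAT implementation: it models only first-match source translation plus the tunnel's crypto ACL, using the addresses from the thread (10.1.1.100-101, 192.168.1.10, 172.16.1.1) and constructed sample flows, so it runs offline with no ASA involved.

```python
"""Toy model of object NAT vs twice NAT for the VPN case in this thread.

Added example, not Cisco's implementation: it models only the subset of
behaviour needed to show why the object NAT rule translates every outbound
flow from LOCAL-IP, while the twice NAT rule with a static destination
match translates only flows toward the remote VPN host.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    """One many-to-one source translation rule (simplified ASA semantics)."""
    name: str
    real_lo: IPv4Address                    # first real (pre-NAT) source address
    real_hi: IPv4Address                    # last real source address
    mapped: IPv4Address                     # mapped (post-NAT) source address
    dst_host: Optional[IPv4Address] = None  # None = any destination (object NAT);
                                            # set = only flows to this host (twice NAT)

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        in_range = self.real_lo <= src <= self.real_hi
        dst_ok = self.dst_host is None or dst == self.dst_host
        return in_range and dst_ok


def translate(rules: List[NatRule], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return (source address after NAT, name of the rule that fired).

    Rules are evaluated in order and the first match wins; a flow that
    matches nothing keeps its real source address.
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    for rule in rules:
        if rule.matches(s, d):
            return str(rule.mapped), rule.name
    return src, None


def interesting(src_after_nat: str, dst: str) -> bool:
    """Crypto ACL of the tunnel: NAT-IP (192.168.1.10) <-> REMOTE-IP (172.16.1.1).

    The ACL is matched against post-NAT addresses, so the mapped source
    (not the 10.1.1.x real address) is what must appear in it.
    """
    return src_after_nat == "192.168.1.10" and dst == "172.16.1.1"


A = IPv4Address
LOCAL_LO, LOCAL_HI = A("10.1.1.100"), A("10.1.1.101")

# Object NAT from the first post: no destination condition at all.
OBJECT_NAT = [NatRule("object-nat LOCAL-IP", LOCAL_LO, LOCAL_HI, A("192.168.1.10"))]

# Twice NAT from the reply: translate only when the destination is REMOTE-IP.
TWICE_NAT = [NatRule("twice-nat LOCAL-IP->NAT-IP dst REMOTE-IP",
                     LOCAL_LO, LOCAL_HI, A("192.168.1.10"), dst_host=A("172.16.1.1"))]

# Constructed sample flows: two toward the vendor host, one toward an Internet
# address (203.0.113.0/24 documentation range), one from a host outside LOCAL-IP.
FLOWS = [
    ("10.1.1.100", "172.16.1.1"),
    ("10.1.1.101", "172.16.1.1"),
    ("10.1.1.100", "203.0.113.5"),
    ("10.1.1.50", "172.16.1.1"),
]


def compare(flows=FLOWS) -> Dict[Tuple[str, str], Dict[str, Tuple[str, bool]]]:
    """For each flow, give the post-NAT source under each style and whether
    the crypto ACL would then select it for the tunnel."""
    out = {}
    for src, dst in flows:
        o_src, _ = translate(OBJECT_NAT, src, dst)
        t_src, _ = translate(TWICE_NAT, src, dst)
        out[(src, dst)] = {
            "object_nat": (o_src, interesting(o_src, dst)),
            "twice_nat": (t_src, interesting(t_src, dst)),
        }
    return out


if __name__ == "__main__":
    for flow, result in compare().items():
        print(flow, result)
```

Running it shows the point of the reply: both styles rewrite 10.1.1.100 and 10.1.1.101 to 192.168.1.10 for flows to 172.16.1.1, so the crypto ACL selects them, but the object NAT rule also rewrites the Internet-bound flow to 203.0.113.5, where the private 192.168.1.10 address is useless and would collide with the existing Internet PAT. The twice NAT rule leaves that flow untranslated for the Internet PAT to handle. A real ASA additionally orders rules in three NAT sections (manual NAT before object NAT), which this model does not reproduce.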

Ahhhh ok I got you. I will be setting up the tunnel on my side of the connection today and will have to wait for the vendor to complete their side. Once connectivity has been confirmed, I'll respond with the results.

Thanks again!

This worked like a charm and I was able to get this tunnel configured but using a private IP for the many-to-one NAT. Thanks again for your help!

Terence