Site-to-Site IPSec VPN Encryption domain question

Craddockc
Level 3

Dear Community,

I am set to build a site to site IPSec VPN from a Cisco 5545x ASA to a client. We are going to NAT our internal traffic (the interesting traffic) before sending it to the remote peer, so they will be accepting traffic from our external address range. My question is, when I'm defining the interesting traffic for the encryption domain on our side in the VPN setup procedures, do I define the inside local addresses (the internal private IPs) or do I define the outside local addresses (the NATed external IPs) in the setup? I ask because I'm not sure if the IPs get NATed before being placed into the tunnel or after. The ASA will be hosting the tunnel and doing the NATing as well through the NAT Policy.

Thanks.

Chris.

1 Accepted Solution

Rahul Govindan
VIP Alumni

NAT takes place before crypto policies are checked. So your crypto access-lists should have the translated ip address (external).

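The ordering described in the accepted answer, shown as ASA configuration. This is an added example, not part of the original thread: the object names, ACL and crypto map names, and all addresses (RFC 1918 and RFC 5737 documentation ranges) are constructed placeholders, and ASA 8.3+ NAT syntax is assumed.

```cisco
! Constructed placeholders: 10.10.10.0/24 = inside local network,
! 203.0.113.0/24 = translated (external) range, 198.51.100.0/24 = client network,
! 192.0.2.1 = client VPN peer.
object network OBJ-INSIDE-LOCAL
 subnet 10.10.10.0 255.255.255.0
object network OBJ-INSIDE-NAT
 subnet 203.0.113.0 255.255.255.0
object network OBJ-CLIENT-REMOTE
 subnet 198.51.100.0 255.255.255.0
!
! Policy NAT: translate the source only for traffic destined to the client network.
nat (inside,outside) source static OBJ-INSIDE-LOCAL OBJ-INSIDE-NAT destination static OBJ-CLIENT-REMOTE OBJ-CLIENT-REMOTE
!
! Mismatched: written against the pre-NAT source. By the time the crypto
! policy is checked the source is already 203.0.113.x, so this never matches.
! access-list VPN-CLIENT extended permit ip 10.10.10.0 255.255.255.0 198.51.100.0 255.255.255.0
!
! Matching: the crypto ACL uses the translated source range.
access-list VPN-CLIENT extended permit ip 203.0.113.0 255.255.255.0 198.51.100.0 255.255.255.0
!
crypto map OUTSIDE-MAP 10 match address VPN-CLIENT
crypto map OUTSIDE-MAP 10 set peer 192.0.2.1
crypto map OUTSIDE-MAP interface outside
!
! Checks from the ASA CLI:
!   packet-tracer input inside tcp 10.10.10.5 12345 198.51.100.10 443
!     (the NAT phase should appear before the VPN encrypt phase)
!   show crypto ipsec sa peer 192.0.2.1
!     (the local ident should list 203.0.113.0/255.255.255.0, not 10.10.10.0)
```

The remote peer's encryption domain has to mirror this ACL, so the client defines 203.0.113.0/24 as the remote network on their side.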

Rahul,

Thanks so much for the clarification. I truly appreciate it!