Site to Site VPN over Internet

benolyndav
Enthusiast

Hi

We have a site-to-site VPN from one of our firewalls to a 3rd party in Azure. Should the traffic be NATed, or is it OK to have a NAT exemption in place for the servers traversing the VPN?

 

Thanks

4 Replies

Rob Ingram
VIP Master

Hi @benolyndav, I'd configure NAT exemption for traffic over the VPN, but it depends on what you defined as interesting traffic, as in whether the peer VPN is expecting traffic from the real IP or the NAT IP address.

 

Hi Rob

Great, that's what I was planning. What are the reasons we do it this way, please?
Thanks

@benolyndav if you use a NAT exemption rule, you use the real IP address; that way the peer network can communicate bidirectionally with the real IP address. It depends on what services are being used. For example, if DNS lookups are required, this would resolve the real IP address and communication could be established. If you were NATing over the VPN and a DNS lookup is performed, it would resolve the real IP address, but traffic is NATed to a different IP address and subsequent DNS resolution would fail.

If you wish to hide your real network, then you may wish to NAT. I generally NAT over a VPN as an exception, depending on who the VPN is with.

 

MHM Cisco World
VIP Mentor

The policy-based VPN needs routing to the destination to forward traffic.

In your case there is no routing for the real IP, but there is routing for the mapped IP.

That's why you need to NAT real to mapped to forward traffic via the tunnel.
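The two approaches discussed in this thread, NAT exemption versus NAT over the tunnel, side by side as an added example for a Cisco ASA (8.3+ NAT syntax). This is not configuration from any poster or from Azure; the object names, the 10.1.1.0/24 and 10.2.2.0/24 prefixes, the mapped range 192.168.100.0/24 and the crypto map name are all assumptions made up for illustration. The point it shows is that the ASA applies NAT before it evaluates the crypto ACL, so the interesting-traffic ACL must match whatever source address the peer will actually see, and the peer side (the Azure local network gateway address space) must route that same prefix.

```cisco
! Added example, not from the thread. Use EITHER option A or option B, not both.

object network LOCAL-SERVERS
 subnet 10.1.1.0 255.255.255.0          ! constructed: on-prem servers (real addresses)
object network AZURE-NET
 subnet 10.2.2.0 255.255.255.0          ! constructed: the peer's network in Azure

! ---- Option A: NAT exemption (identity NAT); the peer sees the real 10.1.1.0/24 ----
! Manual (twice) NAT in section 1 is evaluated before any dynamic PAT, so this rule
! keeps the real source when the destination is the peer network. no-proxy-arp stops
! the ASA answering ARP for the peer prefix on the inside; route-lookup makes the
! egress interface come from the routing table rather than from the NAT rule.
nat (inside,outside) source static LOCAL-SERVERS LOCAL-SERVERS destination static AZURE-NET AZURE-NET no-proxy-arp route-lookup

! Interesting traffic is written with the REAL addresses, because that is what the
! crypto ACL sees after the identity translation. Azure must route 10.1.1.0/24 back.
access-list VPN-TO-AZURE extended permit ip object LOCAL-SERVERS object AZURE-NET

! ---- Option B: NAT over the VPN; the peer sees 192.168.100.0/24 instead ----
object network LOCAL-SERVERS-MAPPED
 subnet 192.168.100.0 255.255.255.0     ! constructed: addresses exposed to the peer
nat (inside,outside) source static LOCAL-SERVERS LOCAL-SERVERS-MAPPED destination static AZURE-NET AZURE-NET

! The crypto ACL must now match the MAPPED source, and Azure must route
! 192.168.100.0/24, not 10.1.1.0/24. A DNS record on the peer side that still points
! at 10.1.1.x would resolve to an address the peer has no route to through the tunnel.
access-list VPN-TO-AZURE extended permit ip object LOCAL-SERVERS-MAPPED object AZURE-NET

! Common to both options (peer address, IKE policy and proposal omitted here)
crypto map OUTSIDE-MAP 10 match address VPN-TO-AZURE
crypto map OUTSIDE-MAP interface outside

! Check: trace a flow from a real server to the peer and confirm the NAT phase shows
! the source you expect (untranslated for A, 192.168.100.x for B) and that the VPN
! encrypt phase is reached. Ports here are constructed.
!   packet-tracer input inside tcp 10.1.1.10 1025 10.2.2.20 443
!   show nat detail
```

If `packet-tracer` reports the flow as allowed but never reaches a VPN phase, the usual cause is exactly the mismatch both replies above describe: the source was translated by a rule that sits before the exemption, or the crypto ACL was written for the real prefix while the packet leaves with the mapped one.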
