Site to Site VPN wants to use the natted IP address as local subnet for the tunnel

sfarazaz123
Level 1

Hi all respected members,

Let me explain my words through a scenario.

Scenario:

Our customer's client wants a site-to-site tunnel between their office and our data center. Both sites have the ASA 5512-X firewall. They don't want to expose their internal servers for security reasons.

In the VPN tunnel, instead of using the local subnets like 192.168.10.0/24, they want to use the NATted IP address (i.e. the outside address) to reach the server behind the firewall in the data center through the VPN tunnel.

My questions:

1) I think it should be possible, but I'm not sure how we do it. The data center has only one server for this customer, with the IP address 192.168.10.100/24, and the subnet is mapped to an outside IP address for internet access.

2) Normally we allow the local and remote networks in the tunnel and do not use the NATted IPs as local or remote subnets.

Can we use the OUTSIDE IP address as the local subnet for that tunnel? If yes, how?

Do both sides need to use the NATted IP address, or can I use the NATted IP address as the local subnet on my site only?

They want both the local and remote subnets to use the NATted IP address, as they want encrypted traffic for that communication.

One suggestion is also to use one NATted IP for the internal server and use filters; I'm not sure about that either.

I hope I conveyed my message, but please write back if you didn't understand.

Summary:

Use the NATted IP as the local subnet rather than the internal subnets. Both sides or a single side.

1) NATted local vs. NATted remote in the tunnel.

Br

Far

5 Replies

Pawan Raut
Level 4

Hi,

This is very simple: you can use the NATted IP address as the local subnet. Also make sure that the remote end has exactly the reverse VPN encryption ACL to yours.

NAT your internal IP, e.g. 192.168.10.1, to the NAT outside IP, e.g. 1.1.1.1, and suppose the remote subnet is 2.2.2.0/24.

The encryption ACL (ASA syntax) would be:

access-list VPN-ACL extended permit ip host 1.1.1.1 2.2.2.0 255.255.255.0

and the remote end would have the mirror-image ACL:

access-list VPN-ACL extended permit ip 2.2.2.0 255.255.255.0 host 1.1.1.1

Also, it is not necessary that the remote end NATs their IPs in such a case, but they can NAT their subnet as well.

Hope you got all your points and will rate the useful post.

Hi Pawan,

ASA version 9.2(2)4

Is my NAT rule correct for this configuration?

nat (inside,outside) source static 10.201.100.100 5.5.5.5 destination static remote-nat-ip-9.9.9.9 remote-nat-ip-9.9.9.9

One more question:

If I want to apply the ACL for some ports like SSH, should I apply it on outside or inside?

Thanks

Br

Far

Yeah, the NAT rule is correct, but the syntax won't take IPs directly, so you have to create separate objects for those IPs and use the objects in place of the IPs.

Also, it will bypass the outside ACL, so you have to configure it on the inside interface ACL.
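Putting the two replies together, here is a complete ASA 9.x configuration for the scenario as an added example; it is not from the original thread or from Cisco documentation. It uses the thread's own placeholder addresses (real server 10.201.100.100, its NATted identity 5.5.5.5, the remote side's NATted host 9.9.9.9) and assumes an interface named outside, a remote peer address of 203.0.113.1, IKEv2 with a pre-shared key, and that the only service the remote side should reach is SSH.

```cisco
! Added example (not the thread's own config). Assumed values:
! interface "outside", peer 203.0.113.1, IKEv2 with PSK.

! Objects: the NAT rule only accepts objects, not bare addresses.
object network SRV-REAL
 host 10.201.100.100
object network SRV-NAT
 host 5.5.5.5
object network REMOTE-NAT
 host 9.9.9.9

! Twice (policy) NAT: the real server is seen as 5.5.5.5 only when
! talking to 9.9.9.9. Line 1 puts it ahead of the general outside PAT.
! no-proxy-arp stops the ASA answering ARP for 5.5.5.5 on the outside;
! route-lookup makes the ASA route the return traffic by routing table
! instead of by the NAT rule's interface pair.
nat (inside,outside) 1 source static SRV-REAL SRV-NAT destination static REMOTE-NAT REMOTE-NAT no-proxy-arp route-lookup

! Crypto ACL (proxy IDs) uses the post-NAT addresses. The remote ASA's
! crypto ACL must be the exact mirror:
!   access-list VPN-ACL extended permit ip host 9.9.9.9 host 5.5.5.5
! and the remote side needs the matching NAT for its own real host.
access-list VPN-ACL extended permit ip host 5.5.5.5 host 9.9.9.9

crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

crypto map OUTSIDE-MAP 10 match address VPN-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE_WITH_STRONG_PSK
 ikev2 local-authentication pre-shared-key REPLACE_WITH_STRONG_PSK

! Port restriction. With the default "sysopt connection permit-vpn",
! decrypted VPN traffic skips the outside interface ACL, so filter it
! as it leaves the inside interface toward the server. Interface ACLs
! match real (untranslated) addresses, hence 10.201.100.100 here.
! Note: an "out" ACL on inside applies to every new connection exiting
! that interface, so scope the deny line to what you actually intend.
access-list INSIDE-OUT extended permit tcp host 9.9.9.9 host 10.201.100.100 eq 22
access-list INSIDE-OUT extended deny ip host 9.9.9.9 host 10.201.100.100 log
access-list INSIDE-OUT extended permit ip any any
access-group INSIDE-OUT out interface inside
```

Two checks are worth running after applying this: "show nat detail" should show the twice-NAT line above the general PAT rule with translate_hits incrementing, and "show crypto ipsec sa peer 203.0.113.1" should list the local and remote identities as 5.5.5.5/255.255.255.255 and 9.9.9.9/255.255.255.255; if the tunnel forms but traffic does not flow, the usual cause is that one side's crypto ACL or NAT is not the exact mirror of the other's.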

Ok, I know that we use objects.

If possible, can you send an ASDM example?

I am an ASDM guy....

Br

Far

Please see the link; it gives detailed steps for NAT in ASDM. Kindly rate the post if you feel it is helpful.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/nat_objects.html