Site to Site VPN with Single Source IP NAT/PAT translation

joguevil2008
Level 1

Hello,

I am facing a Site to Site VPN configuration I am not used to doing. A client asked us to establish an IPsec tunnel between our company and his headquarters and asked for a single IP NAT/PAT translation. I am used to configuring this kind of NAT through NAT pools but, in this case, we only have to NAT (PAT) to a single IP and I'm not sure how to deal with it.

Could you help me with some guidelines, please?

Best Regards

3 Replies

JP Miranda Z
Cisco Employee

Hi 

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15243-19.html

About the S2S tunnel you only need to make sure the interesting traffic is from the PAT IP to the destination at the other site of the tunnel and the other site should have the same but mirrored.

Hope this info helps!!

Rate if it helps you!!

-JP-

Hi again,

sorry but I couldn't read the doc till yesterday. I'm still not sure how to manage this. We are working with a Cisco 891 router to establish this VPN and, once the phase 1 and phase 2 parameters are configured, we need to define the traffic that should pass through the tunnel. We usually face this scenario by using NAT pools,

ip nat pool EXAMPLEpool 10.248.10.185 10.248.10.190 netmask 255.255.255.248
ip nat inside source list NAT_EXAMPLE pool EXAMPLEpool overload

ip access-list extended NAT_EXAMPLE
 permit ip 192.168.0.0 0.0.0.255 10.69.0.0 0.0.0.255

ip access-list extended VPN_EXAMPLE
 permit ip 10.248.10.184 0.0.0.7 10.69.0.0 0.0.0.255

where we use the NAT overload to change our source IPs to match the other end requirements.

But, in this specific case, we need to use a single IP instead of a pool and I don't know if we have to attach it to an interface or something like that.

Best regards

Hi joguevil2008,

OK, so it seems like you need the steps to do it on a router, not an ASA. Now, if you need to PAT to a specific IP you can use a pool with only one IP, like this:

ip nat pool EXAMPLEpool 10.248.10.190 10.248.10.190 netmask 255.255.255.255
ip nat inside source list NAT_EXAMPLE pool EXAMPLEpool overload

ip access-list extended NAT_EXAMPLE
 permit ip 192.168.0.0 0.0.0.255 10.69.0.0 0.0.0.255

ip access-list extended VPN_EXAMPLE
 permit ip 10.248.10.184 0.0.0.7 10.69.0.0 0.0.0.255

That example is in case you need to use a specific IP (10.248.10.190), but you can always use an interface:

ip nat inside source list NAT_EXAMPLE interface gx/x overload

Hope this info helps!!

Rate if it helps you!!

-JP-
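The point JP makes in the first reply, that the interesting-traffic ACL must be written from the PAT IP and not from the original LAN, follows from the IOS order of operations: for inside-to-outside packets, NAT inside source translation runs before the crypto map evaluates the packet. The script below is an added example written for this page (it is not from the thread, from Cisco, or from any Cisco tool) that models that order for the addresses in the thread, so the two ACLs can be checked for consistency before the tunnel is built. Assumptions: only the `permit ip` ACE forms used in the thread are parsed, wildcard masks are contiguous, the crypto ACL is written in the single-host form `host 10.248.10.190` (equivalent here to JP's /29 line, since .190 falls inside 10.248.10.184/29), and 198.51.100.7 is a constructed non-VPN destination.

```python
"""Model the IOS inside-to-outside order of operations (NAT first, then the
crypto ACL) to check that PAT'd traffic will actually enter the tunnel.

Added example for this page, not code from the thread or from Cisco.
Assumptions: only 'permit ip' ACEs are parsed; wildcard masks are contiguous
(0.0.0.7, 0.0.0.255, ...); 198.51.100.7 is a constructed non-VPN address."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Ace:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_net(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts an IOS-style hostmask after the slash, e.g. 10.69.0.0/0.0.0.255
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'permit ip SRC DST' lines of an extended ACL into Ace objects."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            continue  # deny entries and other protocols are outside this example's scope
        src, rest = _take_net(tokens[2:])
        dst, _ = _take_net(rest)
        aces.append(Ace(src, dst))
    return aces


def matches(acl, src, dst):
    """First-match semantics are irrelevant for permit-only lists; any hit counts."""
    return any(src in ace.src and dst in ace.dst for ace in acl)


def forward(nat_acl, pat_ip, crypto_acl, src, dst):
    """Return (source address on the wire, encrypted?) for one inside->outside packet.

    On IOS, inside-to-outside NAT is applied before the crypto map, so the
    crypto ACL is evaluated against the translated source address."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    wire_src = ipaddress.ip_address(pat_ip) if matches(nat_acl, src, dst) else src
    return str(wire_src), matches(crypto_acl, wire_src, dst)


def crypto_gaps(nat_acl, pat_ip, crypto_acl):
    """List NAT destinations whose PAT'd traffic no crypto ACE would encrypt.

    Traffic in such a gap is not dropped: it is translated and routed out in
    cleartext, so this is the check to run before trusting the tunnel."""
    pat = ipaddress.ip_address(pat_ip)
    gaps = []
    for nat_ace in nat_acl:
        covered = any(pat in c.src and nat_ace.dst.subnet_of(c.dst) for c in crypto_acl)
        if not covered:
            gaps.append(str(nat_ace.dst))
    return gaps


PAT_IP = "10.248.10.190"  # the single IP from the thread's one-address pool
NAT_ACL = parse_acl("""
permit ip 192.168.0.0 0.0.0.255 10.69.0.0 0.0.0.255
""")
# Correct: interesting traffic is defined from the PAT address, as JP advises.
CRYPTO_ACL = parse_acl("""
permit ip host 10.248.10.190 10.69.0.0 0.0.0.255
""")
# Common mistake: crypto ACL written for the pre-NAT LAN, which never matches
# because NAT has already rewritten the source by the time it is evaluated.
CRYPTO_ACL_PRE_NAT = parse_acl("""
permit ip 192.168.0.0 0.0.0.255 10.69.0.0 0.0.0.255
""")

if __name__ == "__main__":
    print(forward(NAT_ACL, PAT_IP, CRYPTO_ACL, "192.168.0.10", "10.69.0.5"))
    print(forward(NAT_ACL, PAT_IP, CRYPTO_ACL_PRE_NAT, "192.168.0.10", "10.69.0.5"))
    print(forward(NAT_ACL, PAT_IP, CRYPTO_ACL, "192.168.0.10", "198.51.100.7"))
    print(crypto_gaps(NAT_ACL, PAT_IP, CRYPTO_ACL_PRE_NAT))
```

Running it shows the failure mode worth catching: with the pre-NAT crypto ACL the packet is translated to 10.248.10.190 but never encrypted, and `crypto_gaps` reports `10.69.0.0/24` as unprotected. On the router itself the equivalent evidence is a translation appearing in `show ip nat translations` while the SA counters in `show crypto ipsec sa` stay at zero.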
