
site to site VPN, with VPN users coming in on the same outside interface, NAT

mdschofield
Level 1

Hey guys,

I'm super new - I completely apologize.  I'll try to describe my problem, let me know if I need to provide any additional information.

I inherited a 5510 with 8.2.5 on it, and I'm writing the config to upgrade to current (and thus going through the 8.3 code changes).

The device is currently set up with a site to site tunnel to one of our other sites on the OUTSIDE interface.

It also accepts VPN users on the OUTSIDE interface.

VPN users need to be able to have connectivity to devices on the INSIDE interfaces as well as our other sites on the OUTSIDE interface.

Do I write separate NAT statements for the VPN users for both inside and outside?


Example:

nat (outside,inside) source static VPNUSERS VPNUSERS destination static INSIDESTUFFS INSIDESTUFFS

nat (outside,outside) source static VPNUSERS VPNUSERS destination static OUTSIDESTUFFS OUTSIDESTUFFS

Thanks for your insight.

1 Reply

Rahul Govindan
VIP Alumni

Yes, since your destinations are on different interfaces, your usage of 2 NAT statements is correct.

You can collapse it to one statement if you use "any" as the destination interface and use the "route-lookup" keyword at the end of the NAT statement so that the egress interface is chosen based on the routing table.
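
The single-statement form described in the reply above, written out as an added example that is not part of the original thread. ALLSTUFFS is a hypothetical object-group name, and the example assumes INSIDESTUFFS and OUTSIDESTUFFS are object-groups (if they are network objects, use `network-object object` in place of `group-object`).

```text
! Added example. ALLSTUFFS is a hypothetical name; VPNUSERS, INSIDESTUFFS
! and OUTSIDESTUFFS are the objects from the question (assumed object-groups).
object-group network ALLSTUFFS
 group-object INSIDESTUFFS
 group-object OUTSIDESTUFFS
!
! One identity-NAT rule replaces the (outside,inside) and (outside,outside)
! pair: "any" leaves the egress interface open, and route-lookup selects it
! from the routing table.
nat (outside,any) source static VPNUSERS VPNUSERS destination static ALLSTUFFS ALLSTUFFS route-lookup
!
! VPN-user traffic that enters and leaves on OUTSIDE (hairpin) also needs:
same-security-traffic permit intra-interface
```

After applying it, `show nat detail` shows the hit counters per rule, which confirms that both inside-bound and outside-bound VPN traffic match the single statement.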