VPN Tunnel and internet access

groberton
Level 1

Hello

I want to clarify whether what we are seeing is behaviour by design. We have a remote site connected to the main site with PIXs creating a VPN tunnel:

RemoteSite > PIXB > RouterB > WAN > RouterA > PIXA > MainSite

As the two sites are tunneling, there's no NAT taking place at all. Traffic works both ways. The problem is the remote site has to use a router on the main site for internet access. Traffic originating on the remote site will not route through to the internet router on the main site unless there is a static statement for the internet network from inside to outside creating an xlate entry. Is this correct even for traffic entering the outside interface via a VPN tunnel? I know you would have to do this for general outside addresses from unknown hosts. Has anyone else seen this problem? We overcame it with static entries for all internet networks so that the PIX knew the address appeared the same on both interfaces.

1 Reply

ciscokrishna
Level 1

Hi,

What we see here is the natural behaviour of networking devices. For any data to pass between two interfaces, even on the same device, there should be a translation rule (static, NAT or PAT). This is to recognize the traffic and to maintain a state table. The device should identify which packet belongs to which request, so there should be an xlate entry for all the traffic which flows out. This is a must even for VPN. VPN traffic is also normal traffic once it leaves the device into the WAN/Internet. The only difference is that the content of the packet is encrypted and not in an understandable format.

http://www.cisco.com/en/US/partner/tech/tk648/tk361/tk438/tsd_technology_support_sub-protocol_home.html

This has loads of stuff regarding NAT.

Please rate this post if you feel satisfied.
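The configuration the question describes, written out on PIXA as an added example (this is not configuration posted by either participant). It uses PIX 6.x syntax, and every address is an assumption: main site 10.1.0.0/16 on the inside with the internet router at 10.1.0.254, remote site 10.2.0.0/16 behind PIXB, PIXB's outside address 192.0.2.2 reached via RouterA at 192.0.2.1, and 203.0.113.0/24 standing in for one of the "internet networks" the remote site must reach. The identity static is the piece the thread is about: it makes 203.0.113.0/24 appear the same on both interfaces, so PIXA can build an xlate for a flow that enters the outside interface from the tunnel and leaves via the inside toward the internet router.

```cisco
! Added example configuration for PIXA (PIX 6.x syntax); all addresses are assumptions.
!   inside  : 10.1.0.0/16, internet router at 10.1.0.254
!   remote  : 10.2.0.0/16 behind PIXB (tunnel peer 192.0.2.2, reached via RouterA 192.0.2.1)
!   203.0.113.0/24 stands in for one internet network reached from the remote site

! Site-to-site traffic is exempt from NAT ("no NAT taking place" between the two sites)
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat

! Identity static: 203.0.113.0/24 is the same on inside and outside. Without this the PIX has
! no xlate for a remote-site flow arriving on outside and bound for 203.0.113.x via inside, and
! drops it. One line per internet network the remote site needs; the static is bidirectional,
! so the return traffic from 203.0.113.x to 10.2.x is covered as well.
static (inside,outside) 203.0.113.0 203.0.113.0 netmask 255.255.255.0

! Default route points at the inside internet router; the tunnel peer is reached via outside
route inside 0.0.0.0 0.0.0.0 10.1.0.254 1
route outside 192.0.2.0 255.255.255.0 192.0.2.1 1

! The crypto ACL must also match remote-site <-> internet traffic, or it never enters the
! tunnel; PIXB needs the mirror image of this list.
access-list vpn-to-remote permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list vpn-to-remote permit ip 203.0.113.0 255.255.255.0 10.2.0.0 255.255.0.0

! IKE/IPsec (AES requires PIX 6.3 or later); replace <pre-shared-key> with a real key
isakmp enable outside
isakmp key <pre-shared-key> address 192.0.2.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map sitemap 10 ipsec-isakmp
crypto map sitemap 10 match address vpn-to-remote
crypto map sitemap 10 set peer 192.0.2.2
crypto map sitemap 10 set transform-set strong
crypto map sitemap interface outside

! Let decrypted IPsec traffic bypass the outside interface access-list
sysopt connection permit-ipsec

! Verification once a remote-site host talks to 203.0.113.x: the identity entries should be
! visible with "show xlate", and the flows with "show conn"
show xlate
show conn
```

Two points worth checking against this. First, the topology only works because the internet router sits on the inside of PIXA: PIX 6.x will not send a flow back out the interface it arrived on, so remote-site internet traffic cannot be decrypted on outside and re-sent out outside (hairpinning of that kind needs PIX 7.x and `same-security-traffic permit intra-interface`). Second, the identity statics make the internet-bound flow a plain outside-to-inside connection from the PIX's point of view, so it is subject to whatever the inside interface and the internet router allow; `sysopt connection permit-ipsec` only bypasses the outside access-list for decrypted traffic, it does not exempt the flow from the xlate requirement that the thread describes.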