
VPN Tunnel & Static NAT

One of our clients has a site-to-site VPN tunnel established. The peer partner is requesting the ability to use a public IP statically NAT'd to our server in order to reach our local server, since multiple remote sites from the peer have the same local IP scheme.

We have a Cisco ASA 5505.

The tunnel is established, and I have a static NAT established, but I'm unable to get the traffic to use the static NAT instead of the internal address.

Any ideas?
2 Solutions
You need to set up policy NAT, which will do NAT for a specific destination.

access-list VPN_NAT extended permit ip host <INSIDE IP> <REMOTE NETWORK> <REMOTE NETWORK MASK>
static (Inside,Outside) <Public IP> access-list VPN_NAT

You will also need to modify VPN configuration and change the <INSIDE IP> to <Public IP>. The remote peer will need to do the same or encryption domains will not match and VPN will not come up.
You can NAT and then encrypt traffic over the VPN; NAT takes place before crypto operations.

This would require changing the VPN, though, so that the VPN matches the public IP to which the server is NAT'd.

Just set up a static NAT and change the access lists for the VPN (each end has to be modified).

Policy NAT will work, but it is not strictly necessary.
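Putting the two answers together as an added configuration example (this is not from the thread; every address and name such as VPN_CRYPTO, OUTSIDE_MAP and the peer gateway is assumed), in the pre-8.3 ASA syntax the first answer uses, with the check a practitioner would run when the static NAT still is not applied:

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax, matching the
! "static ... access-list" form used above. Assumed values:
!   inside server        192.168.1.10 (interface Inside)
!   public IP for peer   203.0.113.10 (on the Outside interface)
!   peer's remote subnet 10.0.0.0/24, peer gateway 198.51.100.1
! ISAKMP policy and tunnel-group are assumed present (the tunnel is up).
!
! 1. Policy NAT: translate the server to the public IP only for traffic
!    destined to the peer's subnet; other destinations keep their normal NAT.
access-list VPN_NAT extended permit ip host 192.168.1.10 10.0.0.0 255.255.255.0
static (Inside,Outside) 203.0.113.10 access-list VPN_NAT
!
!    The second answer's simpler alternative, a plain static for all
!    destinations, replaces the two lines above:
!    static (Inside,Outside) 203.0.113.10 192.168.1.10
!
! 2. Crypto ACL. NAT runs before encryption, so the encryption domain must
!    name the translated address. A crypto ACL still matching the inside
!    address is the mismatch that keeps the peer seeing 192.168.1.10:
!    access-list VPN_CRYPTO extended permit ip host 192.168.1.10 10.0.0.0 255.255.255.0   (wrong)
access-list VPN_CRYPTO extended permit ip host 203.0.113.10 10.0.0.0 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-256-SHA
crypto map OUTSIDE_MAP interface Outside
!    The peer must mirror this: its crypto ACL / remote-network definition
!    uses 203.0.113.10, not 192.168.1.10, or the SA proposals will not match.
!
! 3. Check: a NAT-exemption rule ("nat (Inside) 0 access-list ...") that
!    covers this host toward the peer's subnet is evaluated before static
!    NAT and silently wins over step 1. Remove the host from that exemption
!    ACL if present, then confirm the translation and the SA selectors:
!    packet-tracer input Inside tcp 192.168.1.10 1025 10.0.0.5 443
!    show xlate | include 192.168.1.10
!    show crypto ipsec sa peer 198.51.100.1
```

The packet-tracer output should show the NAT phase translating the source to 203.0.113.10 before the VPN phase; if it shows the inside address passing through untranslated, the exemption ACL is the first place to look.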
