
VPN Tunnel & Static NAT

One of our clients has a site-to-site VPN tunnel established. The peer partner is requesting the ability to use a public IP statically NAT'd to our server in order to reach our local server, since multiple remote sites from the peer have the same local IP scheme.

We have a Cisco ASA 5505.

The tunnel is established, and I have a static NAT established, but I'm unable to get the traffic to use the static NAT instead of the internal address.

Any ideas?
Asked by TechGuy_007

2 Solutions
 
SIM50 commented:
You need to set up policy NAT, which will do NAT for a specific destination.

static (Inside,Outside) <Public IP>  access-list VPN_NAT
access-list VPN_NAT extended permit ip host <INSIDE IP> <REMOTE NETWORK> <REMOTE NETWORK MASK>

You will also need to modify the VPN configuration and change the <INSIDE IP> to <Public IP>. The remote peer will need to do the same, or the encryption domains will not match and the VPN will not come up.
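As an added example (not part of SIM50's answer), here is the policy NAT from the answer above filled in with placeholder addresses, followed by the equivalent on ASA 8.3 and later, where the `static ... access-list` form no longer exists and the same thing is expressed as manual (twice) NAT with network objects. The addresses (server 10.1.1.10, mapped public address 203.0.113.10, peer network 192.168.50.0/24), the interface names `inside`/`outside`, and the object and ACL names are all assumptions chosen for illustration; substitute your own. The `!` lines are comments.

```cisco
! ---- ASA 8.2 and earlier: policy static NAT ----
! Translate the server to the public address only when it talks to the peer's
! network. NAT exemption (nat 0 access-list) is evaluated before static policy
! NAT, so any existing exemption entry that covers 10.1.1.10 -> 192.168.50.0/24
! must be removed or it will win and the server will keep its real address.
access-list VPN_NAT extended permit ip host 10.1.1.10 192.168.50.0 255.255.255.0
static (inside,outside) 203.0.113.10 access-list VPN_NAT

! ---- ASA 8.3 and later: manual NAT (same effect) ----
object network SERVER_REAL
 host 10.1.1.10
object network SERVER_MAPPED
 host 203.0.113.10
object network PEER_NET
 subnet 192.168.50.0 255.255.255.0
! Sequence number 1 puts this rule at the top of section 1 so it is matched
! before any broader identity NAT rule for VPN traffic (the 8.3+ replacement
! for nat 0), which would otherwise leave the server untranslated.
nat (inside,outside) 1 source static SERVER_REAL SERVER_MAPPED destination static PEER_NET PEER_NET

! ---- Checks ----
! Confirm the rule exists and is being hit (translate_hits / untranslate_hits).
show nat detail
! Confirm the remote peer's connection builds an xlate to the mapped address.
show xlate
```

Because the translation is conditional on the destination, the server is presented as 203.0.113.10 only to the peer's network; other hosts on the outside interface never see a mapping for it, which is the safer choice when the public address is meant solely for the tunnel.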
 
asavener commented:
You can NAT and then encrypt traffic over the VPN; NAT takes place before crypto operations.

This would require changing the VPN, though, so that the VPN matches the public IP to which the server is NAT'd.

Just set up a static NAT and change the access lists for the VPN (each end has to be modified).

Policy NAT will work, but it is not strictly necessary.
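The point in both answers that the encryption domain must name the translated address, because the ASA performs NAT before it evaluates the crypto map, is easiest to see with the crypto ACLs written out. The following is an added example, not configuration from either answer, and it reuses the same assumed addresses (server 10.1.1.10 mapped to 203.0.113.10, peer network 192.168.50.0/24) and assumed names (`VPN_CRYPTO`, `OUTSIDE_MAP`); the remote side is shown in ASA syntax purely for illustration, the peer may be a different platform.

```cisco
! ---- Our ASA: the crypto ACL must match the post-NAT (public) address ----
! If this line still says "host 10.1.1.10", the translated packet will not
! match the crypto map and will leave the outside interface in the clear
! (or be dropped by the outside ACL) instead of entering the tunnel.
access-list VPN_CRYPTO extended permit ip host 203.0.113.10 192.168.50.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_CRYPTO

! ---- Remote peer: exact mirror image, or Phase 2 proxy IDs will not agree ----
access-list VPN_CRYPTO extended permit ip 192.168.50.0 255.255.255.0 host 203.0.113.10

! ---- Checks on our ASA ----
! Walk a packet from the peer toward the public address. In the phase list,
! the NAT/UN-NAT phase appears before the VPN phase and the final destination
! shown is 10.1.1.10, which demonstrates the NAT-before-crypto ordering.
packet-tracer input outside tcp 192.168.50.20 40000 203.0.113.10 443 detailed
! Walk the return direction from the server's real address; the translated
! source is 203.0.113.10 by the time the VPN phase is evaluated.
packet-tracer input inside tcp 10.1.1.10 443 192.168.50.20 40000 detailed
! The negotiated proxy identities should read 203.0.113.10/32 <-> 192.168.50.0/24.
show crypto ipsec sa peer <peer public IP>
```

One caveat when following the plain (non-policy) static NAT route suggested here: an unconditional `static (inside,outside) 203.0.113.10 10.1.1.10` (or its 8.3+ object NAT equivalent) is a bidirectional mapping that the ASA advertises with proxy ARP on the outside interface, so the server is reachable at the public address from anything the outside interface ACL permits, not only from the peer. Keep the outside ACL restricted to the peer's network for that address, or use the destination-scoped policy NAT from the first answer if the public address is meant only for the tunnel.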
