[c-nsp] Cisco ASA - presenting a NAT'd address to a VPN tunnel

Eric Girard egirard at focustsi.com
Mon Aug 31 14:30:02 EDT 2009


Mike,
        Yes, you can use a NAT'd address in the interesting traffic ACLs, just don't include the src/dst pair in your NAT exemption ACL.  Because the NAT is done before the VPN traffic selection, the NAT will be applied before it goes into the tunnel.  So this could be as simple as using your existing outside interface IP from your ISP, or NATing the traffic to an address given to you by the partner.

Eric
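
A worked configuration for the approach in this reply, added here as an illustration; it is not something posted in the thread. All addresses, ACL names and map names are assumed, and the syntax is pre-8.3 ASA (nat/global, nat 0 access-list), which is what "NAT exemption ACL" implies.

```cisco
! Constructed example (not from the thread). Assumed values:
!   inside LAN          192.168.10.0/24   (RFC 1918 space the partner will not accept)
!   partner LAN         172.16.50.0/24    (assumed partner network)
!   presented address   203.0.113.10      (globally unique address you own, or one the partner assigns)
!   partner VPN peer    198.51.100.1
!   other VPN traffic   10.0.0.0/8        (example of traffic that must stay un-NATed)

! 1. Policy NAT: only flows from the inside LAN to the partner LAN are translated,
!    and they are PATed to the single presented address.
access-list PARTNER_NAT extended permit ip 192.168.10.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (inside) 2 access-list PARTNER_NAT
global (outside) 2 203.0.113.10
! To present the outside interface IP from the ISP instead:  global (outside) 2 interface

! 2. NAT exemption for everything else that rides a tunnel untranslated.
!    The inside->partner pair is deliberately NOT listed here: nat 0 takes
!    precedence over policy NAT, so listing it would put 192.168.10.x in the tunnel.
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list NONAT

! 3. Interesting traffic is written with the translated (post-NAT) address,
!    because NAT is applied before the crypto map is evaluated.
access-list PARTNER_VPN extended permit ip host 203.0.113.10 172.16.50.0 255.255.255.0

! 4. Phase 1 / Phase 2 for the partner peer (parameters are assumed; match the partner's).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address PARTNER_VPN
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <shared-secret>
```

Two things to check after applying it. First, `show crypto ipsec sa` should list the local proxy identity as 203.0.113.10, not 192.168.10.0/24; if the inside network shows up there, the src/dst pair is matching the NAT exemption ACL. Second, a single `global` address is dynamic PAT, so only connections initiated from your side will work; if the partner must initiate connections to a specific inside host, use static policy NAT for that host instead (`static (inside,outside) 203.0.113.10 access-list <acl>` with an ACL that permits that one host to the partner network). On ASA 8.3 and later the NAT syntax changed, but the design point is unchanged: NAT is applied before crypto map matching, so the interesting-traffic ACL still names the translated address.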

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael K. Smith - Adhost
Sent: Monday, August 31, 2009 2:10 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco ASA - presenting a NAT'd address to a VPN tunnel

Hello All:

I will be configuring an ASA where the remote-end requirement is that the address presented to them is a globally unique (non-RFC 1918) address.  I *think* this means I have to double NAT.  So, instead of having the 192.168.x.x address presented over the tunnel, it has to be a "real" address.

Has anyone ever configured something like this on an ASA?  I've always used the inside addresses for interesting traffic in the ACL.  Can I use the static, outside address in the tunnel?

Regards,

Mike

--
Michael K. Smith - CISSP, GISP
Chief Technical Officer - Adhost Internet LLC
mksmith at adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)


