Site to site VPN NAT?

mattrgeemattrgee Member Posts: 201
Hi all,

We are going to configure a site to site VPN between our company and some of our critical suppliers. This is mainly for support purposes.

Is it best practive to NAT their traffic as it enters our network? If not, it seems odd to allow traffic from various IP ranges to pass around our network. This is assuming non of their native ip ranges overlap.

We will also need to add some routes to direct the return traffic back to the ASA. I suspect without NAT'ing we'll end up various routes for various subnets all pointing back to the inside address of the ASA. This seems messy.

Any suggestions?



  • mikearamamikearama Member Posts: 749
    If you want to avoid the addition of the extra routes, then go with a NAT/PAT solution. Make it a unique PAT, ie, one per vendor, so you can still lock-down their access. We, early on, made the mistake of giving all our vendors the same PAT'ted IP, and then when one needed a port opened, they all got it.

    Conversely, thinking about our vendors, they all use completely different addressing schemes than we do. It wouldn't have been a big job to add a class B route to our core routers for the few vendors we have.
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • mattrgeemattrgee Member Posts: 201
    Thanks a lot. That sounds very sensible.
Sign In or Register to comment.