ASA Site to Site IPSec VPN question

Dec 12th, 2007

Hi all,

I have a question regarding IPSec site to site VPN.

There is an internal network, say which NATs to global address on the Outside interface. The remote network is

I want to NAT to the global address then send that over the tunnel.

Should the crypto map statement map the inside network to the remote network or should it map from the global NAT address

Hope this is clear, thanks for any replies!

husycisco Wed, 12/12/2007 - 02:47

The crypto map should include the global (NATed) address, not the inside network, in your case.

access-list outside_100_cryptomap permit ip host

husycisco Wed, 12/12/2007 - 03:22

Hi George

Feel free to ask follow-up questions. For example, how do you plan the conditional exempt NAT?


george_daly Wed, 12/12/2007 - 03:49

Thanks :)

So I need to enable the option to allow communication between VPN peers connected to the same interface because this is an Outside to Outside tunnel?

Regarding the NAT - I already have exemptions specified from the internal network to the other internal address spaces through a NAT 0 access list, if that's what you mean?

husycisco Wed, 12/12/2007 - 05:02

My typo, I didn't mean exempt. Here is what I mean.

You have NAT statements like the following:

nat (inside) 1 0 0

global (outside) 1 interface


nat (inside) 1

global (outside) 1 interface

The above statements won't let you NAT to an outside IP. You should have the following:

access-list CNat permit ip

nat (inside) 1 access-list CNat

nat (inside) 2 0 0

global (outside) 1

global (outside) 2 interface

access-list outside_100_cryptomap permit ip host

Make sure the traffic matched by CNat and outside_100_cryptomap is not also matched by your NAT exempt rule.

"So I need to enable the option to allow communication between VPN peers connected to the same interface because this is an Outside to Outside tunnel"

No. Your outside interface was the peer for the tunnel and still is: your ASA's outside to the remote ASA's outside. You should enable same-security-interface traffic if you want to permit traffic from a VPN site that terminates on the outside interface to another VPN site that also terminates on the outside interface.
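
The pattern described in the reply above, as a complete added example in pre-8.3 ASA syntax (this is not config from the thread; the addresses 10.1.1.0/24, 10.2.2.0/24, 192.168.5.0/24, 203.0.113.10 and the peer 198.51.100.1, the ACL and map names, and the IKE/IPsec parameters are all assumptions chosen for illustration):

```cisco
! Added example, not from the original thread. Addresses are assumptions.
! Goal: the inside LAN 10.1.1.0/24 must appear to the remote site as the single
! address 203.0.113.10 (an address owned by this ASA on the outside subnet),
! and only for traffic to the remote LAN 192.168.5.0/24. Peer: 198.51.100.1.

! 1. Policy NAT: only inside -> remote-LAN traffic is translated.
!    A global command with a single address performs PAT on that address.
access-list CNat extended permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 1 access-list CNat
global (outside) 1 203.0.113.10

! 2. Everything else from inside still PATs to the outside interface for
!    Internet access. Policy NAT (ID 1) is evaluated before regular dynamic
!    NAT (ID 2) regardless of the ID numbers.
nat (inside) 2 0.0.0.0 0.0.0.0
global (outside) 2 interface

! 3. NAT exemption for other VPN sites (here an assumed 10.2.2.0/24 site).
!    Exemption (nat 0 access-list) is evaluated BEFORE policy NAT, so this
!    ACL must not match 192.168.5.0/24 as a destination; if it did, the
!    policy NAT above would never apply and the crypto ACL would never match.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 4. Crypto ACL written against the TRANSLATED source: on the outbound path
!    NAT is applied before the packet is checked against the crypto map.
access-list outside_100_cryptomap extended permit ip host 203.0.113.10 192.168.5.0 255.255.255.0

! 5. Tunnel to the vendor peer (parameters are placeholders). ASA 8.0
!    syntax; on 7.x the isakmp commands are entered without the crypto prefix.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 100 match address outside_100_cryptomap
crypto map outside_map 100 set peer 198.51.100.1
crypto map outside_map 100 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <key>

! The remote peer's crypto ACL must name 203.0.113.10/32, not 10.1.1.0/24,
! as its interesting-traffic destination, or phase 2 proxy IDs will not match.
```

Two caveats that follow from this layout: because a single-address global is PAT, sessions can only be initiated from the inside; if the vendor must initiate connections to specific inside hosts, each such host needs a one-to-one `static (inside,outside)` translation instead, with the crypto ACL on both sides naming the static's global address. And check the result with `show nat`, `show xlate` and `show crypto ipsec sa` after sending test traffic: a translation that shows up in `show xlate` but no SA for 203.0.113.10 means the crypto ACL is still written against the untranslated address.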


george_daly Wed, 12/12/2007 - 07:58

Thanks for your detailed reply, much appreciated.

I'm still not quite there, doesn't NAT to I think it just routes directly down the tunnel. This is the config I have currently:

access-list outside_cryptomap_20_1 permit ip host

access-list outside_nat0_inbound permit ip host

nat (inside) 0 access-list NONAT

nat (inside) 6

nat (outside) 0 access-list outside_nat0_inbound outside

global (outside) 6

In which access-list do I need to permit, or is an additional access-list required?

pvaysberg Thu, 12/13/2007 - 10:25

I am also in the same boat. I need to set up a site-to-site VPN connection to a vendor. Because of some addressing conflicts I need to both the hosts that reside on my network and the hosts on the remote side. Is this something that is doable, or should I have the vendor do part of the NATing?

husycisco Fri, 12/14/2007 - 11:23

George, please post your running config.

nat (inside) 6

global (outside) 6

This config may prevent your Internet access. So please post your config and let me advise.

