12-12-2007 02:40 AM - edited 03-11-2019 04:42 AM
Hi all,
I have a question regarding IPSec site to site VPN.
There is an internal network, say 10.1.1.0/24 which NATs to global address 5.5.5.5 on the Outside interface. The remote network is 20.20.20.0/24
I want to NAT to the global address then send that over the tunnel.
Should the crypto map statement map the inside network 10.1.1.0/24 to the remote network 20.20.20.0/24 or should it map from the global NAT address 5.5.5.5?
Hope this is clear, thanks for any replies!
12-12-2007 02:47 AM
The crypto map should include the global (NATed) address, not the inside network, in your case:
access-list outside_100_cryptomap permit ip host 5.5.5.5 20.20.20.0 255.255.255.0
12-12-2007 03:22 AM
Hi George
Feel free to ask dependent questions. For example, how do you plan Conditional exempt NAT?
Regards
12-12-2007 03:49 AM
Thanks :)
So I need to enable the option to allow communication between VPN peers connected to the same interface because this is an Outside to Outside tunnel?
Regarding the NAT - I already have exemptions specified from the internal network to the other internal address spaces through a NAT 0 access list, if that's what you mean?
12-12-2007 05:02 AM
My typo, I didn't mean exempt. Here is what I mean.
You have a nat statement like the following:
nat (inside) 1 0 0
global (outside) 1 interface
or
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
The above statements won't let you NAT 10.1.1.0/24 to the 5.5.5.5 outside IP. You should have the following:
access-list CNat permit ip 10.1.1.0 255.255.255.0 20.20.20.0 255.255.255.0
nat (inside) 1 access-list CNat
nat (inside) 2 0 0
global (outside) 1 5.5.5.5 255.255.255.255
global (outside) 2 interface
access-list outside_100_cryptomap permit ip host 5.5.5.5 20.20.20.0 255.255.255.0
Make sure the statements in CNat and outside_100_cryptomap do not exist in your nat exempt rule.
"So I need to enable the option to allow communication between VPN peers connected to the same interface because this is an Outside to Outside tunnel"
No. Your outside interface was the peer for the tunnel and still is: your ASA's outside to the remote ASA's outside. You should enable same-security interface traffic if you want to permit traffic from a VPN site that ends at the outside interface to another VPN site that also ends at the outside interface.
Regards
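The answer above rests on two ordering rules: NAT exemption (`nat 0 access-list`) is matched before policy NAT, so an exempt ACE that also covers 10.1.1.0/24 to 20.20.20.0/24 silently defeats the translation to 5.5.5.5, and the crypto ACL must then describe the translated source (host 5.5.5.5), not the inside network. The script below is an added example, not Cisco code or anything from this thread; it parses a small PIX/ASA 7.x-style config (constructed here, modelled on the lines posted above, with a made-up 192.168.50.0/24 second site for the exempt ACL) and reports both mistakes so you can check your own config before testing the tunnel.

```python
"""Consistency check for policy NAT, NAT exemption and the crypto ACL.

Added example for this thread, not Cisco's code. It encodes two rules:
  1. 'nat 0 access-list' (exemption) wins over policy NAT on the same
     interface, so any exempt ACE overlapping the policy-NAT ACL stops
     the translation to the global address.
  2. The crypto ACL must match the translated (global) source and the
     same destination as the policy-NAT ACL.
Only 'permit ip' ACEs with host/any/network-mask forms are handled.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample modelled on the answer above; exemption covers a
# different (made-up) remote site, so the policy NAT to 5.5.5.5 applies.
GOOD_CONFIG = """
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list CNat permit ip 10.1.1.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_100_cryptomap permit ip host 5.5.5.5 20.20.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list CNat
nat (inside) 2 0 0
global (outside) 1 5.5.5.5 255.255.255.255
global (outside) 2 interface
"""

# Constructed counter-example: the exempt ACL also matches the VPN traffic
# and the crypto ACL names the inside network, so nothing is translated.
BAD_CONFIG = """
access-list NONAT permit ip 10.1.1.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list CNat permit ip 10.1.1.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_100_cryptomap permit ip 10.1.1.0 255.255.255.0 20.20.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list CNat
nat (inside) 2 0 0
global (outside) 1 5.5.5.5 255.255.255.255
global (outside) 2 interface
"""


def _net(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # address followed by dotted-decimal mask, e.g. 10.1.1.0 255.255.255.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect access-lists, nat statements and global pools from config lines."""
    acls, nats, pools = {}, [], {}
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _net(t, 4)
            dst, _ = _net(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t and t[0] == "nat":
            entry = {"iface": t[1].strip("()"), "id": int(t[2])}
            if t[3] == "access-list":
                entry["acl"] = t[4]              # policy NAT or exemption (id 0)
            else:
                entry["net"] = ANY if t[3] == "0" else _net(t, 3)[0]
            nats.append(entry)
        elif t and t[0] == "global":
            pools[int(t[2])] = t[3]              # an address or the word 'interface'
    return {"acls": acls, "nats": nats, "globals": pools}


def exempt_conflicts(cfg, iface="inside"):
    """Policy-NAT ACEs that an exemption ACE on the same interface also matches."""
    exempt = [n for n in cfg["nats"] if n["id"] == 0 and n["iface"] == iface and "acl" in n]
    policy = [n for n in cfg["nats"] if n["id"] != 0 and n["iface"] == iface and "acl" in n]
    hits = []
    for p in policy:
        for psrc, pdst in cfg["acls"].get(p["acl"], []):
            for e in exempt:
                for esrc, edst in cfg["acls"].get(e["acl"], []):
                    if psrc.overlaps(esrc) and pdst.overlaps(edst):
                        hits.append((p["acl"], str(psrc), str(pdst), e["acl"]))
    return hits


def crypto_covers_translation(cfg, crypto_acl, policy_acl, nat_id):
    """True when every policy-NAT destination is reachable in the crypto ACL
    from the global address of nat_id (the translated source)."""
    glob = cfg["globals"].get(nat_id)
    if glob in (None, "interface"):
        return False                              # PAT to interface: no fixed host
    gnet = ipaddress.ip_network(glob + "/32")
    crypto = cfg["acls"].get(crypto_acl, [])
    return all(
        any(gnet.subnet_of(csrc) and pdst.subnet_of(cdst) for csrc, cdst in crypto)
        for _, pdst in cfg["acls"].get(policy_acl, [])
    )


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        cfg = parse_config(text)
        print(name, "exempt conflicts:", exempt_conflicts(cfg))
        print(name, "crypto ACL matches NAT:",
              crypto_covers_translation(cfg, "outside_100_cryptomap", "CNat", 1))
```

Run it on a pasted `show run` excerpt; an empty conflict list plus `True` for the crypto check is the state the answer above describes. The checker deliberately ignores dynamic `nat (inside) 2 0 0`, since that catch-all only matters for traffic the policy NAT and exemption did not already claim.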
12-12-2007 07:58 AM
Thanks for your detailed reply, much appreciated.
I'm still not quite there: 10.1.1.0/24 doesn't NAT to 5.5.5.5; I think it just routes directly down the tunnel. This is the config I have currently:
access-list outside_cryptomap_20_1 permit ip host 5.5.5.5 20.20.20.0 255.255.255.0
access-list outside_nat0_inbound permit ip host 5.5.5.5 20.20.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 6 10.1.1.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_inbound outside
global (outside) 6 5.5.5.5
In which access-list do I need to permit 10.1.1.0/24 20.20.20.0/24, or is an additional access-list required?
12-13-2007 10:25 AM
I am also in the same boat. I need to set up a site-to-site VPN connection to a vendor. Because of some addressing conflicts I need to both the hosts that reside on my network and the hosts on the remote side. Is this something that is doable, or should I have the vendor do part of the NATing?
12-14-2007 08:23 AM
I found two great docs on this from Cisco's site. Finally got my stuff working.
and
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml
12-14-2007 11:26 AM
Hi Paul
Just leave a post if you need assistance
Regards
12-14-2007 11:23 AM
George please post your running config
nat (inside) 6 10.1.1.0 255.255.255.0
global (outside) 6 5.5.5.5
This config may prevent your Internet access, so please post your config and let me advise.