Site-to-Site tunnel with external IPs

Unanswered Question
Jun 5th, 2008

I am trying to establish a site-to-site VPN tunnel with a customer that is using a 3000 series concentrator. The problem is that our internal LAN IP subnets overlap so they want me to use our public IPs to establish the tunnel.

I have three internal servers that need to use this tunnel and they are in the 192.168.16.0/24 subnet. I have the server IPs mapping to external IPs with a NAT list on the ASA so each server has a unique IP in the world. The customer has configured their security to only allow traffic from these external IPs.

On the ASA I used the site-to-site VPN wizard to configure the tunnel and triple-checked all of the configuration information to make sure it was the same on both ends. When we try to connect, nothing happens.

If I change the protected local network to my internal IP of 192.168.16.x and try to connect, the customer gets an error on their end stating that there was a network mismatch and the connection was terminated. When I change the protected network back to the static external IP and try to connect, nothing happens.

I am lost on this and would appreciate any help.

Jon Marshall Thu, 06/05/2008 - 08:59

If you are NATting the server IP addresses then your crypto map access-list must use the NATted public addresses and not the original 192.168.16.x addresses.

The fact that nothing is happening suggests that the ASA does recognise the traffic needs encrypting.

Jon

cisco24x7 Thu, 06/05/2008 - 17:52

It is very important to note that since both sides have an OVERLAPPING IP address scheme, for this to work, BOTH SIDES have to NAT. In other words, double-NAT is needed.

You NATted on your side, that is step one.

192.168.16.x = 1.1.1.x

The other side also needs to NAT as well. Otherwise, how do you expect the thing to work?

This question has been asked many times. Check some of my previous posts and you will find the solution.
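
A small lint for the point made in the replies, added here as an example and not code from any poster: it reads pre-8.3 ASA `static`, `access-list` and `crypto map ... match address` lines and flags crypto ACL sources that still use a server's real address although a static translation exists. The sample config, the ACL names and the 198.51.100.0/24 peer network are constructed; 1.1.1.x follows the mapping used in the thread.

```python
import ipaddress
import re

# Constructed sample in pre-8.3 ASA syntax; names and addresses are made up.
SAMPLE_CONFIG = """\
static (inside,outside) 1.1.1.10 192.168.16.10 netmask 255.255.255.255
static (inside,outside) 1.1.1.11 192.168.16.11 netmask 255.255.255.255
access-list vpn_bad extended permit ip host 192.168.16.10 198.51.100.0 255.255.255.0
access-list vpn_ok extended permit ip host 1.1.1.11 198.51.100.0 255.255.255.0
access-list inside_in extended permit ip host 192.168.16.10 any
crypto map outside_map 20 match address vpn_bad
crypto map outside_map 30 match address vpn_ok
"""

STATIC_RE = re.compile(r"^static \(\S+,\S+\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (host [\d.]+|[\d.]+ [\d.]+) ")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")


def _net(spec):
    """Turn 'host A' or 'A MASK' into an ip_network."""
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1])
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def audit(config):
    """Return (acl, source, mapped) for crypto ACL sources that are still pre-NAT."""
    statics, acls, crypto_acls = [], [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            mapped, real, mask = m.groups()
            statics.append((_net(f"{real} {mask}"), mapped))
        elif m := ACL_RE.match(line):
            acls.append((m.group(1), _net(m.group(2))))
        elif m := MATCH_RE.match(line):
            crypto_acls.add(m.group(1))
    # Only ACLs referenced by a crypto map matter; interface ACLs are ignored.
    return [(name, str(src), mapped)
            for name, src in acls if name in crypto_acls
            for real, mapped in statics if src.overlaps(real)]


if __name__ == "__main__":
    for acl, src, mapped in audit(SAMPLE_CONFIG):
        print(f"{acl}: source {src} is a real address; use mapped {mapped}")
```

Sources written as `any` or as object groups are not parsed by this sketch and are skipped.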
