Outside address for L2L

Unanswered Question
Sep 24th, 2008


I'm trying to set up an L2L VPN between 2 ASAs.

ASA at site A has a public IP address.

At site B, instead, the ISP router forwards all the incoming traffic for a pool of public IP addresses to a group of private addresses configured on the ASA.

I wish to use one of these IP addresses for a L2L VPN between the 2 sites.

The doubt I have is which IP address I should specify for the tunnel.

So far I used a private IP address as the L2L peer; however, apparently it doesn't work.

Can anybody give me some feedback about the config?

acomiskey Wed, 09/24/2008 - 07:47

In site A, you definitely need to use the public IP address that the router is NATting the Site B ASA to. If you don't have one you could use the public IP of the router and forward to the outside of the ASA.

crypto map OUTSIDE 20 set peer

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key *

Option 2 would be to create a dynamic tunnel where no peer address is specified in Site A ASA. In this case you would do this...

tunnel-group DefaultL2LGroup type ipsec-l2l

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *

Carlo Zaina Thu, 09/25/2008 - 06:49

If I have understood:

- at site A the following is necessary:

nat (inside) 0 access-list #interesting traffic to site B#

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

No global (outside) statement? Or do I need a global statement in order to have private network traffic traverse the public network?

At site B:

Same question, except I will use the tunnel-group with the public IP address.

Furthermore: should I use the IP address of the outside interface or for the tunnel peer?

I mean: site A has IP 82.x.y.z on the outside; however, the hosts are NATted to 82.x.y.w.
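A worked pair of configurations for the two options acomiskey describes, including the nat 0 exemption and the global statement Carlo asks about. This is an added example, not configuration posted by anyone in the thread; all addresses, ACL and crypto-map names and the PSK placeholder are constructed, and it assumes ASA 7.2/8.0 (pre-8.3) syntax with a 1:1 translation of the site B ASA's outside address at the ISP router.

```cisco
! --- Site A ASA: outside 203.0.113.1 (constructed); pre-8.3 NAT syntax as in the thread
access-list L2L-TO-B extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
! nat 0 exempts the site-to-site traffic from NAT; the nat 1 / global 1 pair PATs everything else
nat (inside) 0 access-list L2L-TO-B
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE 20 match address L2L-TO-B
! Option 1: the peer is the PUBLIC address the ISP router maps to ASA B, never ASA B's private outside IP
crypto map OUTSIDE 20 set peer 198.51.100.10
crypto map OUTSIDE 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE interface outside
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK
!
! Option 2 (instead of the static peer and tunnel-group above): no peer address at site A,
! so site B must always initiate the tunnel
! crypto dynamic-map DYN-L2L 10 set transform-set ESP-AES-SHA
! crypto map OUTSIDE 65535 ipsec-isakmp dynamic DYN-L2L
! tunnel-group DefaultL2LGroup ipsec-attributes
!  pre-shared-key REPLACE-WITH-STRONG-PSK
!
! --- Site B ASA: outside 192.168.100.2, mapped 1:1 by the ISP router to 198.51.100.10 (constructed)
access-list L2L-TO-A extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list L2L-TO-A
crypto isakmp enable outside
! NAT-T carries ESP inside UDP/4500 so it survives the ISP router's translation
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE 20 match address L2L-TO-A
! the peer is the address on which ASA A's outside interface receives IKE;
! the address ASA A's LAN hosts are NATted to (82.x.y.w in the thread) is not the IKE endpoint
crypto map OUTSIDE 20 set peer 203.0.113.1
crypto map OUTSIDE 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK
```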

