Remote tunnel to Site-to-Site VPN

hai_nit2, Level 1

Hi,

I am facing one problem with my remote VPN users; I am describing my network here. I have one site-to-site tunnel for my USA client; that IP is 169.X.X.X. From the office we are able to connect to that tunnel. Now I configured remote VPN for my home users. My office inside IP is 192.168.2.X, and once I connect from home to the office through the Cisco VPN client my IP is 192.168.3.X, which I set as the IP pool in the ASA. Now 192.168.3.X and 192.168.2.X are communicating properly, but I need to access my tunnel IP 169.1.X.X also from 192.168.3.X (home).

203.92.X.X is my static public IP, which is permitted on the client side for the tunnel.

If anything is confusing please let me know.

Thanks,

Nitin


12 Replies

andrew.prince, Level 10

Add:-

same-security-traffic permit intra-interface

HTH

This command is already in my config...

You need to do 2 things;-

1) Make sure that from your side the 192.168.2 & .3/24 are in the encryption domains for the VPN connection.

2) Then you need to make sure at the 169.x.x.x end, the encryption domain also includes 192.168.3.0/24 otherwise how does it know to encrypt/decrypt it?

HTH

Hello Nitin,

you are missing the following access-list statements:

access-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 169.14.1.0 255.255.255.0

access-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 host 169.10.1.1

access-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 host 169.11.2.1

Also you would need a mirror image of these statements on the remote VPN L2L devices.

HTH

Saju

Pls rate helpful posts


Thanks again Saju and Andrew,

but I have one confusion there: my tunnel traffic is going through my public IP 203.92.A.B. The client-side people don't know about my internal IP 192.168.2.X/24...

they only open my public IP for the tunnel.

so my question is, in that case also do we need to add my 192.168.3.0/24 subnet at their end?

brief of my office tunnel network

** access-list A_Tunnel extended permit ip host 203.92.A.B 169.14.1.0 255.255.255.0

** access-list outside_20_cryptomap extended permit ip 192.168.2.80 255.255.255.240 169.14.1.0 255.255.255.0 (only our side I added)

** nat (inside) 20 access-list outside_20_cryptomap

** global (outside) 20 203.92.A.B netmask 255.255.255.255

** crypto map outside_map 20 match address A_Tunnel

** crypto map outside_map 20 set peer 192.28.8.101

** crypto map outside_map 20 set transform-set ESP-3DES-MD5

please let me know if there is any confusion.

Saju, I also added your above-mentioned A_Tunnel access list, but still the same... anyhow I created A_Tunnel only for the outside IP (203.92.A.B).

Thank you again for giving me time.

Nitin

Nitin,

Yes - they will see your public IP address as the VPN termination end point. They need to know on their side what IP addressing they need to accept to allow the connection to fully form.

The above config is so wrong it will never work, it should be:-

** crypto map outside_map 20 match address outside_20_cryptomap

** crypto map outside_map 20 set peer <>

** crypto map outside_map 20 set transform-set ESP-3DES-MD5

You have incorrect NAT statements, change to:-

access-list no-nat extended permit ip 192.168.2.80 255.255.255.240 169.14.1.0 255.255.255.0

nat (inside) 0 access-list no-nat

Andrew,

no-nat is not working for our tunnel, because all my traffic is going through the A_Tunnel (public) IP. I tried your above config too but with no positive result. :-(

Nitin,

From your crypto ACLs, you are allowing IPsec traffic to be NATed first, then it goes into the VPN tunnel. So you may not need nat 0.

But as for the traffic from the VPN client, the traffic will be routed on the outside interface; it will not be NATed to the outside public IP address. That's why I was suggesting to include the VPN pool IP address (192.168.3.0/24) as the source address in the crypto ACL "Tunnel_A"; that is how you can take VPN pool traffic to the remote site.

HTH

Saju
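To make the two points in this thread concrete (Andrew's and Saju's requirement that the crypto ACL on both ends includes 192.168.3.0/24, and Saju's explanation above that VPN-client traffic arriving on the outside interface is not translated by the `nat (inside) 20` rule and so never matches an A_Tunnel entry written for the public IP), here is an added Python model of that decision. It is illustration written for this page, not code from the thread, from Nitin's ASA, or from Cisco. It parses the access-list, nat, global and crypto map lines Nitin posted; 203.92.0.1 is an assumed stand-in for the masked 203.92.A.B, the peer's ACL named to_office is a constructed mirror, and the model covers only what these posts describe (ASA 8.2-style per-ingress-interface policy NAT, then crypto-ACL matching, then the peer's mirror-image check).

```python
"""Model of how the ASA in the thread decides whether a flow enters the L2L
tunnel: policy NAT is evaluated for the ingress interface first, the translated
source is matched against the crypto-map ACL, and the peer must hold the mirror
image.  Added illustration, not code from the thread or from Cisco."""
import ipaddress

# Assumption: 203.92.0.1 stands in for the masked public IP 203.92.A.B.
PUBLIC_IP = "203.92.0.1"

# Office-side lines as posted in the thread (public IP substituted).
OFFICE_CONFIG = [
    f"access-list A_Tunnel extended permit ip host {PUBLIC_IP} 169.14.1.0 255.255.255.0",
    "access-list outside_20_cryptomap extended permit ip 192.168.2.80 255.255.255.240 169.14.1.0 255.255.255.0",
    "nat (inside) 20 access-list outside_20_cryptomap",
    f"global (outside) 20 {PUBLIC_IP} netmask 255.255.255.255",
    "crypto map outside_map 20 match address A_Tunnel",
]
# The entry Saju suggested adding for the VPN client pool.
POOL_ACE = "access-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 169.14.1.0 255.255.255.0"

# Constructed mirror of the peer's crypto ACL (the name to_office is assumed):
# it only knows the office public IP, as Nitin describes.
PEER_CONFIG = [
    f"access-list to_office extended permit ip 169.14.1.0 255.255.255.0 host {PUBLIC_IP}",
    "crypto map peer_map 10 match address to_office",
]
PEER_POOL_ACE = "access-list to_office extended permit ip 169.14.1.0 255.255.255.0 192.168.3.0 255.255.255.0"


def _net(tokens):
    """Consume one ACE address ('host A' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse(lines):
    """Minimal config model: ACLs, per-interface NAT rules, global pools, crypto ACL."""
    cfg = {"acl": {}, "nat": [], "global": {}, "crypto_acl": None}
    for line in lines:
        t = line.split()
        if t[0] == "access-list":            # access-list NAME extended permit ip SRC DST
            src, rest = _net(t[5:])
            dst, _ = _net(rest)
            cfg["acl"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat":                  # nat (IFACE) ID access-list NAME
            cfg["nat"].append((t[1].strip("()"), int(t[2]), t[4]))
        elif t[0] == "global":               # global (outside) ID IP netmask MASK
            cfg["global"][int(t[2])] = t[3]
        elif t[:2] == ["crypto", "map"] and "match" in t:
            cfg["crypto_acl"] = t[-1]
    return cfg


def matches(acl, src, dst):
    return any(src in s and dst in d for s, d in acl)


def translate(cfg, ingress, src, dst):
    """Policy NAT applies only to the interface the packet arrives on; ID 0 is
    NAT exemption (source unchanged), any other ID maps to the global pool IP."""
    for iface, nat_id, acl_name in cfg["nat"]:
        if iface == ingress and matches(cfg["acl"][acl_name], src, dst):
            return src if nat_id == 0 else ipaddress.IPv4Address(cfg["global"][nat_id])
    return src


def evaluate(office_lines, peer_lines, ingress, src, dst):
    """Return the post-NAT source, whether the office ASA encrypts the flow, and
    whether the peer's crypto ACL (written from its side) would accept it."""
    office, peer = parse(office_lines), parse(peer_lines)
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    nat_src = translate(office, ingress, src, dst)
    encrypted = matches(office["acl"][office["crypto_acl"]], nat_src, dst)
    accepted = matches(peer["acl"][peer["crypto_acl"]], dst, nat_src)
    return {"nat_src": str(nat_src), "encrypted": encrypted, "peer_accepts": accepted}


if __name__ == "__main__":
    # An office host: translated to the public IP, matches A_Tunnel, peer accepts.
    print(evaluate(OFFICE_CONFIG, PEER_CONFIG, "inside", "192.168.2.85", "169.14.1.10"))
    # Cisco VPN client traffic enters on outside and must hairpin back out of it:
    # original config, then the pool ACE added locally only, then mirrored on the peer.
    for office, peer in [(OFFICE_CONFIG, PEER_CONFIG),
                         (OFFICE_CONFIG + [POOL_ACE], PEER_CONFIG),
                         (OFFICE_CONFIG + [POOL_ACE], PEER_CONFIG + [PEER_POOL_ACE])]:
        print(evaluate(office, peer, "outside", "192.168.3.5", "169.14.1.10"))
```

Running it shows the progression Nitin went through: the office host works because `nat (inside) 20` rewrites it to the public IP before the crypto match; the VPN-client flow keeps its 192.168.3.x source and misses A_Tunnel; adding the pool ACE locally makes the ASA encrypt it but the peer still rejects it; only after the peer adds the mirror entry do both checks pass.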

Yes Saju, now I understand the problem and why it's not happening. So if I add 192.168.3.x/24 in the Tunnel_A ACL, then the client also has to add my same IP (192.168.3.0/24) at their end; only then will it work.

Thanks for your support.

But is there any option that our remote IP will be NATed with my public IP and then go to the tunnel? Because they permitted our 10 public IPs at their end and we are using only 2... then there will be no need to talk with the client. But if there is no other way then definitely I will do the same.

Thanks,

Nitin

Nitin,

It is not possible to have NATing on 192.168.3.0/24 to the public IP because there is a default route (by which you can reach the L2L remote host) on the ASA pointing to the outside interface. That default route will redirect/route the VPN client traffic on the outside interface only, so no NATing is going to happen here.

HTH

Saju

Hi,

Saju and Andrew, thanks for your support.

Now I have cleared my problem and did the same as you mentioned in the above mails.

Thanks,

Nitin
