10-15-2008 01:28 AM
Hi,
I am facing a problem with my remote VPN users, so I am describing my network here. I have one site-to-site tunnel for my USA client; that IP is 169.X.X.X. From the office we are able to connect to that tunnel. Now I have configured remote VPN for my home users. My office inside IP is 192.168.2.X, and once I connect from home to the office through the Cisco VPN client my IP is 192.168.3.X, which I set as the IP pool in the ASA. Now 192.168.3.X and 192.168.2.X are communicating properly, but I also need to access my tunnel IP 169.1.X.X from 192.168.3.X (home).
203.92.X.X is my static public IP, which is permitted on the client side for the tunnel.
If anything is confusing please let me know.
Thanks,
Nitin
10-15-2008 01:41 AM
Add:-
same-security-traffic permit intra-interface
HTH
10-15-2008 05:54 AM
This command is already in my config...
10-15-2008 05:58 AM
You need to do 2 things:
1) Make sure that from your side 192.168.2.0/24 and 192.168.3.0/24 are in the encryption domains for the VPN connection.
2) Then you need to make sure that at the 169.x.x.x end the encryption domain also includes 192.168.3.0/24; otherwise how does it know to encrypt/decrypt it?
HTH
10-15-2008 06:15 AM
Hello Nitin,
You are missing the following access-list statements:
access-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 169.14.1.0 255.255.255.0
access-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 host 169.10.1.1
access-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 host 169.11.2.1
Also you would need a mirror image of these statements on the remote VPN L2L devices.
HTH
Saju
Pls rate helpful posts
10-16-2008 02:02 AM
Thanks again Saju and Andrew,
But I have one confusion there: my tunnel traffic is going through my public IP 203.92.A.B. The client-side people don't know about my internal IP 192.168.2.X/24...
They only opened my public IP for the tunnel.
So my question is, in that case also do we need to add my 192.168.3.0/24 subnet at their end?
Brief of my office tunnel network:
** access-list A_Tunnel extended permit ip host 203.92.A.B 169.14.1.0 255.255.255.0
** access-list outside_20_cryptomap extended permit ip 192.168.2.80 255.255.255.240 169.14.1.0 255.255.255.0 (only our side I added)
** nat (inside) 20 access-list outside_20_cryptomap
** global (outside) 20 203.92.A.B netmask 255.255.255.255
** crypto map outside_map 20 match address A_Tunnel
** crypto map outside_map 20 set peer 192.28.8.101
** crypto map outside_map 20 set transform-set ESP-3DES-MD5
Please let me know if there is any confusion.
Saju, I also added your above-mentioned A_Tunnel access list, but still the same. Anyhow, I created A_Tunnel only for the outside IP (203.92.A.B).
Thank you again for giving me time.
Nitin
10-16-2008 02:22 AM
Nitin,
Yes - they will see your public IP address as the VPN termination end point. They need to know on their side what IP addressing they need to accept to allow the connection to fully form.
The above config is so wrong it will never work, it should be:-
** crypto map outside_map 20 match address outside_20_cryptomap
** crypto map outside_map 20 set peer <
** crypto map outside_map 20 set transform-set ESP-3DES-MD5
You have incorrect NAT statements, change to:-
access-list no-nat extended permit ip 192.168.2.80 255.255.255.240 169.14.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
10-16-2008 05:56 AM
Andrew,
no-nat is not working for our tunnel, because all my traffic is going through the A_Tunnel (public) IP. I also tried your above config but no positive result. :-(
10-16-2008 06:19 AM
Nitin,
From your crypto ACLs, you are allowing IPsec traffic to be NATed first, then it goes into the VPN tunnel. So you may not need nat 0.
But as for the traffic from the VPN client, the traffic will be routed on the outside interface; it will not be NATed to the outside public IP address. That's why I was suggesting to include the VPN pool IP address (192.168.3.0/24) as source address in the crypto ACL "Tunnel_A"; that is how you can take VPN pool traffic to the remote site.
HTH
Saju
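The point Saju makes above (a flow is only encrypted if the local crypto ACL selects it, and only accepted if the peer's ACL holds the mirror image) can be checked offline. The following is an added example, not from the thread or from Cisco: it parses ASA-style `permit ip` ACEs and tests a VPN-pool flow before and after the missing 192.168.3.0/24 entry is added on both ends. `203.92.1.1` is a constructed stand-in for the redacted `203.92.A.B`, and `R_Tunnel` is a hypothetical name for the peer's ACL.

```python
import ipaddress

# Crypto ACLs as given in the thread. 203.92.1.1 stands in for the redacted
# 203.92.A.B; R_Tunnel is a hypothetical name for the remote peer's ACL.
LOCAL_BEFORE = "access-list A_Tunnel extended permit ip host 203.92.1.1 169.14.1.0 255.255.255.0"
LOCAL_AFTER = LOCAL_BEFORE + "\naccess-list A_Tunnel extended permit ip 192.168.3.0 255.255.255.0 169.14.1.0 255.255.255.0"
REMOTE_BEFORE = "access-list R_Tunnel extended permit ip 169.14.1.0 255.255.255.0 host 203.92.1.1"
REMOTE_AFTER = REMOTE_BEFORE + "\naccess-list R_Tunnel extended permit ip 169.14.1.0 255.255.255.0 192.168.3.0 255.255.255.0"

def _addr(tok):
    """Consume one ASA address spec: 'any', 'host X', or 'X MASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_acl(text):
    """Return (name, src_net, dst_net) for every 'extended permit ip' ACE."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3:5] != ["permit", "ip"]:
            continue
        src, rest = _addr(tok[5:])
        dst, _ = _addr(rest)
        aces.append((tok[1], src, dst))
    return aces

def selects(aces, name, src_ip, dst_ip):
    """True if crypto ACL `name` classifies src->dst as tunnel traffic."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(n == name and s in sn and d in dn for n, sn, dn in aces)

def tunnel_coverage(local_acl, remote_acl, src_ip, dst_ip,
                    local_name="A_Tunnel", remote_name="R_Tunnel"):
    """(local match, remote mirror match). Both must be True: without the local
    match the ASA follows its default route and sends the packet unencrypted;
    without the mirror the peer drops what arrives inside the tunnel."""
    local, remote = parse_acl(local_acl), parse_acl(remote_acl)
    return (selects(local, local_name, src_ip, dst_ip),
            selects(remote, remote_name, dst_ip, src_ip))

if __name__ == "__main__":
    for label, l, r in (("before", LOCAL_BEFORE, REMOTE_BEFORE), ("after", LOCAL_AFTER, REMOTE_AFTER)):
        print(label, "VPN client 192.168.3.10 -> 169.14.1.25:",
              tunnel_coverage(l, r, "192.168.3.10", "169.14.1.25"))
```

The office flow that is NATed to the public IP first matches on both sides even before the change, which is why the site-to-site tunnel worked while the VPN-pool flow did not.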
10-16-2008 07:51 AM
Yes Saju, now I understand the problem and why it's not happening. So if I add 192.168.3.x/24 in the tunnel_A ACL, then the client also has to add my same IP (192.168.3.0/24) at their end; only then will it work.
Thanks for your support.
But is there any option that our remote IP will be NATed with my public IP and then go to the tunnel? Because they permitted our 10 public IPs at their end and we are using only 2... then there will be no need to talk with the client. But if there is no other way then definitely I will do the same.
Thanks,
Nitin
10-16-2008 08:17 AM
Nitin,
It is not possible to have NATing on 192.168.3.0/24 to the public IP because there is a default route (by which you can reach the L2L remote host) on the ASA pointing to the outside interface. That default route will redirect/route the VPN client traffic on the outside interface only, so NATing is going to happen here.
HTH
Saju
10-16-2008 09:43 PM
Hi,
Saju and Andrew thanks for your Support.
Now I have cleared my problem and did the same as you mentioned in the above mails.
Thanks,
Nitin