NATing over Site-to-Site

This is my VPN Site-to-Site:

myServer->myASA5505<----->otherASA<-otherServer

Phase 1 works, phase 2 fails because otherASA expects my traffic to use myASA5505's IP and it is using myServer's IP.

So here is the question:

How do I NAT myServer to go out myASA5505 using the ASA's outside interface address?

Jon Marshall Wed, 12/03/2008 - 09:00

Ofir

Your crypto map access-list needs to use the Natted IP of your server and not the real IP, e.g.

remote network = 172.16.5.0/24

server real address = 192.168.5.1

ASA outside interface = 195.177.12.1

access-list vpntraffic permit ip host 195.177.12.1 172.16.5.0 255.255.255.0

The above is what your crypto access-list should look like. At the remote end it should be

access-list vpntraffic permit ip 172.16.5.0 255.255.255.0 host 195.177.12.1

Jon

Jon Marshall Wed, 12/03/2008 - 09:35

"remote network is /32 - does it change anything (other than the mask)?"

No, mine was just an example, change to fit your scenario.

"when you refer to server real address that is myServer or the other side?"

Your server that you are Natting.

Jon
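
An added example, not part of the original thread or any Cisco tooling: a small Python check that parses the two crypto access-list lines from Jon's first reply, confirms they are mirror images of each other, and shows that only the translated source address is selected for the tunnel. The function names, the `LOCAL_REAL` contrast line and the host 172.16.5.10 are assumptions made for the illustration; it also assumes the ASA matches the crypto ACL against the post-NAT source, as the reply's ACL implies.

```python
import ipaddress

def _take_addr(tokens):
    """Consume one ASA address spec: 'host A', 'any', or 'A MASK'."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_crypto_acl(line):
    """Return (source, destination) networks of a 'permit ip' access-list line."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or "permit" not in tokens:
        raise ValueError(f"not a permit access-list line: {line!r}")
    rest = tokens[tokens.index("permit") + 1:]
    if rest[:1] != ["ip"]:
        raise ValueError(f"only 'permit ip' entries are handled: {line!r}")
    src, rest = _take_addr(rest[1:])
    dst, rest = _take_addr(rest)
    return src, dst

def is_mirror(local_line, remote_line):
    """True when each end's source is exactly the other end's destination."""
    l_src, l_dst = parse_crypto_acl(local_line)
    r_src, r_dst = parse_crypto_acl(remote_line)
    return l_src == r_dst and l_dst == r_src

def selects(acl_line, src_ip, dst_ip):
    """True when a packet with these addresses matches the crypto ACL entry."""
    src, dst = parse_crypto_acl(acl_line)
    return (ipaddress.ip_address(src_ip) in src
            and ipaddress.ip_address(dst_ip) in dst)

# ACL lines from the reply above (its example addresses).
LOCAL = "access-list vpntraffic permit ip host 195.177.12.1 172.16.5.0 255.255.255.0"
REMOTE = "access-list vpntraffic permit ip 172.16.5.0 255.255.255.0 host 195.177.12.1"
# Constructed for contrast: a local entry written with the server's real address.
LOCAL_REAL = "access-list vpntraffic permit ip host 192.168.5.1 172.16.5.0 255.255.255.0"

if __name__ == "__main__":
    print("NATted ACL mirrors remote:", is_mirror(LOCAL, REMOTE))
    print("real-IP ACL mirrors remote:", is_mirror(LOCAL_REAL, REMOTE))
    # 172.16.5.10 is a constructed host inside the remote network.
    print("translated packet selected:", selects(LOCAL, "195.177.12.1", "172.16.5.10"))
    print("untranslated packet selected:", selects(LOCAL, "192.168.5.1", "172.16.5.10"))
```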
