Policy Nat VPN question

Unanswered Question
Aug 28th, 2009

I have a VPN tunnel with the following configuration:

access-list DMZ_nat_static extended permit ip host [actual DMZ IP] host [Remote IP]
access-list Outside_3_cryptomap extended permit ip host [one of my outside IP's] host [Remote IP]
static (DMZ,Outside) [one of my outside IP's] access-list DMZ_nat_static
crypto map Outside_map 3 match address Outside_3_cryptomap
crypto map Outside_map 3 set peer REMOTE GATEWAY IP
crypto map Outside_map 3 set transform-set ESP-3DES-MD5
tunnel-group REMOTE GATEWAY IP type ipsec-l2l
tunnel-group REMOTE GATEWAY IP ipsec-attributes
 pre-shared-key *

I have the tunnel created, but the remote user cannot connect to my host at [one of my outside IP's]. So I guess my question is whether this should be working, or am I missing something? I am wondering if the NAT that I have is one way or both?

julomban Fri, 08/28/2009 - 07:28


I am wondering why you are using a static for the VPN tunnel; it would be better if you create a NAT 0 from your local network going to the remote location. Example:

access-list VPN_NAT_0 permit ip host [actual DMZ host] host [remote IP]
nat (DMZ) 0 access-list VPN_NAT_0

Just take out the static and add the above commands; the access list is exactly the same as the one for the crypto map, or it should be.

I hope it helps
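As an added example (not from the thread or from Cisco), a small Python check that parses ASA-style lines like the ones above and reports crypto-map host pairs that have no identical nat 0 exemption entry, which is the mismatch the reply warns about. The addresses are constructed RFC 5737 placeholders standing in for [actual DMZ host] and [remote IP].

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed ASA 8.2-style fragments; addresses are hypothetical placeholders,
# not the poster's real configuration.
GOOD_CONFIG = """
access-list Outside_3_cryptomap extended permit ip host 192.0.2.10 host 198.51.100.5
access-list VPN_NAT_0 permit ip host 192.0.2.10 host 198.51.100.5
nat (DMZ) 0 access-list VPN_NAT_0
crypto map Outside_map 3 match address Outside_3_cryptomap
"""
# Same config, but the exemption ACL was copied from the old static and names
# the outside (translated) address instead of the real DMZ host.
BAD_CONFIG = GOOD_CONFIG.replace(
    "VPN_NAT_0 permit ip host 192.0.2.10", "VPN_NAT_0 permit ip host 203.0.113.1")

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip host (\S+) host (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def parse(config: str):
    """Return (host pairs per ACL name, nat 0 ACL names, crypto-map ACL names)."""
    acls: Dict[str, Set[Tuple[str, str]]] = {}
    nat0: List[str] = []
    crypto: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], set()).add((m[2], m[3]))
        elif m := NAT0_RE.match(line):
            nat0.append(m[2])
        elif m := CRYPTO_RE.match(line):
            crypto.append(m[1])
    return acls, nat0, crypto

def unexempted_pairs(config: str) -> List[Tuple[str, str]]:
    """Crypto-map host pairs with no identical nat 0 entry. Such traffic would be
    translated before the crypto ACL is checked, so it never enters the tunnel."""
    acls, nat0, crypto = parse(config)
    exempt: Set[Tuple[str, str]] = set().union(*(acls.get(n, set()) for n in nat0))
    return sorted(p for n in crypto for p in acls.get(n, set()) if p not in exempt)

if __name__ == "__main__":
    print("good:", unexempted_pairs(GOOD_CONFIG))  # []
    print("bad: ", unexempted_pairs(BAD_CONFIG))   # [('192.0.2.10', '198.51.100.5')]
```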
