I need some help on configuring a VPN tunnel between 2 customer sites.
site1: 192.168.10.0 /24
site2: 10.10.14.0 /24
hosting network: 172.23.0.0 /24
Site1 has an MPLS connection to some hosting provider, which goes through a router that is on their 192.168.10.0 /24 subnet. The hosting provider will only allow IP addresses from the 192.168.10.0 /24 network to go through the MPLS to their hosting network.
However the situation now is, that we need Site2 to also be able to access the hosting network.
I need to configure a VPN tunnel from Site2 to Site1 with some kind of static NAT, that will allow Site2 to access the hosting network through the MPLS. Therefore the Site2 IP addresses (just a few) need to be translated in the VPN tunnel to some IP addresses that are available on Site1's subnet (192.168.10.0 /24).
The issue is of course that all of this has to be handled at layer 2 on Site1.
Site2 (the few hosts) still has to be able to communicate with devices on Site1, and Site1 still has to be able to communicate with the few hosts on Site2.
I have accomplished some of this, as I am now able to communicate from a single host on site2 (10.10.14.102 - NAT'ed 192.168.10.240) to the hosts on site1. However traffic initiated from Site1 to the host on Site2 (192.168.10.240 - real 10.10.14.102) does not work.
I really hope someone can help me with this. I have pasted the relevant configuration from both ASAs that has gotten me this far.
access-list INSIDE_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.240
access-list RA_VPNNAT extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.240
static (INSIDE,INSIDE) 192.168.10.240 192.168.10.240 netmask 255.255.255.255
crypto map OUTSIDE_map 5 match address RA_VPNNAT
crypto map OUTSIDE_map 5 set pfs group5
crypto map OUTSIDE_map 5 set peer x.x.x.x
crypto map OUTSIDE_map 5 set transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map 5 set security-association lifetime seconds 28800
crypto map OUTSIDE_map 5 set security-association lifetime kilobytes 4608000
access-list VPNTEST extended permit ip host 192.168.10.240 192.168.10.0 255.255.255.0
access-list PNAT_1 extended permit ip host 10.10.14.102 192.168.10.0 255.255.255.0
static (inside,outside) 192.168.10.240 access-list PNAT_1
crypto map outside_map 9 match address VPNTEST
crypto map outside_map 9 set pfs group5
crypto map outside_map 9 set peer x.x.x.x
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000
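An added example, not part of the original post: a small Python check that the two crypto-map ACLs pasted above (RA_VPNNAT on one ASA, VPNTEST on the other) are exact mirror images of each other, which IPsec requires after NAT has been applied. The ACL text is copied from the question; the function names and the parser are assumptions of this example.

```python
"""Check that two ASA crypto-map ACLs are mirror images of each other (constructed example)."""
from ipaddress import ip_network, IPv4Network
from typing import List, Tuple

ACE = Tuple[IPv4Network, IPv4Network]  # (source network, destination network)

# Crypto ACLs copied from the question, one per ASA (constructed input for this example).
SITE1_CRYPTO_ACL = """
access-list RA_VPNNAT extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.240
"""
SITE2_CRYPTO_ACL = """
access-list VPNTEST extended permit ip host 192.168.10.240 192.168.10.0 255.255.255.0
"""


def _take_addr(tokens: List[str]) -> IPv4Network:
    """Consume one ASA address spec ('host A.B.C.D', 'A.B.C.D MASK' or 'any') from tokens."""
    kw = tokens.pop(0)
    if kw == "any":
        return ip_network("0.0.0.0/0")
    if kw == "host":
        return ip_network(f"{tokens.pop(0)}/32")
    # ipaddress accepts a dotted netmask after the slash, e.g. 192.168.10.0/255.255.255.0
    return ip_network(f"{kw}/{tokens.pop(0)}")


def parse_acl(text: str) -> List[ACE]:
    """Parse 'access-list NAME extended permit ip SRC DST' lines into (src, dst) network pairs."""
    aces: List[ACE] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[3:5] != ["permit", "ip"]:
            continue  # only plain 'permit ip' entries matter for crypto-map matching here
        rest = tokens[5:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        aces.append((src, dst))
    return aces


def mirror_mismatches(local: List[ACE], remote: List[ACE]) -> List[ACE]:
    """Return the local ACEs that have no exact (dst, src) counterpart in the remote ACL."""
    remote_set = set(remote)
    return [ace for ace in local if (ace[1], ace[0]) not in remote_set]


if __name__ == "__main__":
    site1, site2 = parse_acl(SITE1_CRYPTO_ACL), parse_acl(SITE2_CRYPTO_ACL)
    print("site1 entries without a mirror on site2:", mirror_mismatches(site1, site2))
    print("site2 entries without a mirror on site1:", mirror_mismatches(site2, site1))
```

Running the check with the real (untranslated) Site2 host 10.10.14.102 in the VPNTEST entry instead of the mapped address would report a mismatch, since the Site1 side only matches the translated 192.168.10.240.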