VPN access list using public IPs

ribin.jones
Level 1

Hi,

I have two sites, say A and B. I need to do VPN between these two sites.

In Site A LAN, we have a server which is NATed to a public IP. In site B, we have another server which is also NATed to a public IP. I need to permit these public IPs in the VPN ACL. We have an ASA in site A and a Cisco 2801 router in site B.

In site A where we have the ASA, I didn't give the NAT exemption rule and I could bring up the VPN from site A. But I am not able to bring up the tunnel from site B.

Site A's vpn acl

access-list outside_cryptomap_1 extended permit ip host a.b.c.d host p.q.r.s

Site B acl

permit ip host p.q.r.s host a.b.c.d

where a.b.c.d is the public IP to which we have NATed the server in Site A

and p.q.r.s is the public IP to which we have NATed the other server in Site B

I seem to be missing something in site B. The reason I say this is, I don't see any hits on the "permit ip host p.q.r.s host a.b.c.d" ACL in site B when I try to ping a.b.c.d from the server p.q.r.s. This server is located in a LAN with a private IP which is NATed in the router.

Please let me know if you need more explanation on my scenario. Any help greatly appreciated.

Thanks,

Ribin Jones S.B

2 Replies

apsanghi
Cisco Employee

Hi Ribin,

Since the tunnel is coming up when you initiate it from Site A, it does not seem to be an issue with the crypto configuration. It probably is an issue with routing or NATing at Site B, because of which there are no hits on the ACL.

When you bring up the tunnel from Site A, are you able to access the p.q.r.s from a.b.c.d ?

Could you also attach the config and the "show ip route" output from the router at site B.

Also, could you please confirm that the traffic (from server p.q.r.s to a.b.c.d) is reaching the router at Site B. This is to eliminate any routing issues in the internal network at site B.

Yes, the issue is not with the VPN configuration. It has something to do with NAT or routing.

I am able to access p.q.r.s from a.b.c.d, and I could see hits on the Site B router VPN ACL.

RMPA-R-001_2801#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is yy.yy.yy.yy (my ISP gateway IP) to network 0.0.0.0

S    192.168.45.0/24 [1/0] via 192.168.6.1
S    192.168.42.0/24 [1/0] via 192.168.6.1
S    192.168.40.0/24 [1/0] via 192.168.6.1
S    192.168.41.0/24 [1/0] via 192.168.6.1
S    192.168.5.0/24 is directly connected, FastEthernet0/0
     192.168.6.0/24 is variably subnetted, 3 subnets, 2 masks
S       192.168.6.0/32 [1/0] via 192.168.6.1
C       192.168.6.0/24 is directly connected, FastEthernet0/0
S       192.168.6.20/32 [1/0] via 192.168.6.1
     p.0.0.0/28 is subnetted, 1 subnets
C       xx.xx.xx.xx is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via yy.yy.yy.yy (my ISP gateway IP)

Below are the NAT rules in the router config:

ip nat pool isp_nat_pool netmask 255.255.255.248
ip nat inside source route-map isp pool reliance_nat_pool overload

ip nat inside source static 192.168.42.25 p.q.r.s

where 192.168.42.25 is the internal IP of the server

- Ribin
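The reply above narrows the problem to NAT or routing at site B rather than the crypto configuration, and the reason that diagnosis makes sense is the IOS order of operations: a packet going from an "ip nat inside" to an "ip nat outside" interface is routed and translated (inside local to inside global) before the crypto map on the egress interface decides whether it is interesting traffic. A crypto ACL written on public addresses, as both sites do here, therefore only gets hits if the static translation actually applies and the packet leaves through the interface carrying the crypto map. The following is an added example, not code from the thread or from Cisco: a small Python model of that pipeline run against the thread's site B. The public addresses 203.0.113.10 and 198.51.100.20 are RFC 5737 documentation addresses standing in for the redacted a.b.c.d and p.q.r.s; the route table and static NAT entry are reduced from what Ribin posted.

```python
"""Added example (not from the thread): a model of the Cisco IOS
inside-to-outside order of operations that decides whether a packet
produces crypto-ACL hits. Routing and NAT (inside local -> inside global)
happen before the crypto map on the egress interface is consulted, so a
crypto ACL written on public addresses is matched against the translated
source. Public addresses are RFC 5737 placeholders for the redacted ones."""
import ipaddress
from dataclasses import dataclass

A_PUBLIC = "203.0.113.10"    # stands in for a.b.c.d (site A server, post-NAT)
B_PUBLIC = "198.51.100.20"   # stands in for p.q.r.s (site B server, post-NAT)
B_PRIVATE = "192.168.42.25"  # site B server's inside address, from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _to_network(tokens):
    """Consume one ACL address spec: 'any', 'host X', or 'X WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)  # invert wildcard bits
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_ace(line):
    """Parse an IOS or ASA 'permit ip' entry into (src_net, dst_net).
    ASA lines carry 'access-list NAME extended' before 'permit'; skip that."""
    tokens = line.split()
    tokens = tokens[tokens.index("permit") + 1:]
    assert tokens.pop(0) == "ip", "only 'permit ip' entries are modelled"
    return _to_network(tokens), _to_network(tokens)


def acl_matches(acl, pkt):
    """Return the first ACE matching the packet, or None (implicit deny)."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in acl:
        src_net, dst_net = parse_ace(ace)
        if s in src_net and d in dst_net:
            return ace
    return None


def egress_interface(routes, dst):
    """Longest-prefix match over (prefix, interface) pairs, like 'show ip route'."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ios_inside_to_outside(pkt, static_nat, crypto_acl, routes, crypto_iface):
    """Inside-to-outside on IOS: route, translate the source, then run the
    crypto map check on the egress interface. Returns what the crypto ACL
    saw and whether the packet would be marked for IPsec."""
    iface = egress_interface(routes, pkt.dst)
    translated = Packet(static_nat.get(pkt.src, pkt.src), pkt.dst)
    ace = acl_matches(crypto_acl, translated) if iface == crypto_iface else None
    return {"egress": iface, "seen_by_crypto": translated,
            "matched_ace": ace, "encrypt": ace is not None}


def is_mirror(acl_a, acl_b):
    """Both peers' crypto ACLs must be exact mirror images of each other."""
    fwd = {parse_ace(a) for a in acl_a}
    rev = {(d, s) for s, d in (parse_ace(b) for b in acl_b)}
    return fwd == rev


# Site B as posted, reduced to what the model needs (placeholder publics).
B_ROUTES = [("0.0.0.0/0", "FastEthernet0/1"),        # S* via the ISP gateway
            ("192.168.42.0/24", "FastEthernet0/0")]  # S via 192.168.6.1
B_STATIC_NAT = {B_PRIVATE: B_PUBLIC}  # ip nat inside source static 192.168.42.25 p.q.r.s
B_CRYPTO_ACL = [f"permit ip host {B_PUBLIC} host {A_PUBLIC}"]
A_CRYPTO_ACL = [f"access-list outside_cryptomap_1 extended permit ip host {A_PUBLIC} host {B_PUBLIC}"]
PING = Packet(B_PRIVATE, A_PUBLIC)  # the server behind p.q.r.s pings a.b.c.d

if __name__ == "__main__":
    print("static NAT applied:", ios_inside_to_outside(PING, B_STATIC_NAT, B_CRYPTO_ACL, B_ROUTES, "FastEthernet0/1"))
    print("no translation:    ", ios_inside_to_outside(PING, {}, B_CRYPTO_ACL, B_ROUTES, "FastEthernet0/1"))
    print("ACLs mirrored:", is_mirror(A_CRYPTO_ACL, B_CRYPTO_ACL))
```

Running it shows the two outcomes the thread is trying to distinguish: with the static translation applied the crypto ACL sees p.q.r.s as the source and the ping is marked for encryption, while a packet that reaches FastEthernet0/1 untranslated (or that is routed out a different interface than the one carrying the crypto map) never matches the public-address ACE and produces no hits. The mirror check is the other thing to confirm on both boxes when a tunnel only comes up from one side.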
