
Tunnel some traffic (public host) from a remote site through a site-to-site VPN

Feb 6th, 2012

Hello


I tried, but I did not find a solution to my problem.


On the remote site I have a Cisco ASA 5505, on the central site I have a Cisco 2811 router, with a working site-to-site VPN tunnel.


Cisco ASA 5505 on the remote site:

Outside interface - ISP Internet
Inside interface - 10.110.17.1 (local LAN 10.110.17.0/24)

Central site:

FastEthernet0/0 - 10.110.0.1 (local LAN 10.110.0.0/24)
FastEthernet0/1 - ISP Internet


Cisco ASA configuration:


object-group network DM_INLINE_NETWORK_1
 network-object 10.110.0.0 255.255.255.0
 network-object host public_host_IP

access-list outside_1_cryptomap extended permit ip 10.110.17.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

access-list inside_nat0_outbound_1 extended permit ip 10.110.17.0 255.255.255.0 10.110.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.110.17.0 255.255.255.0 host public_host_IP

global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 101 0.0.0.0 0.0.0.0

access-group 121 in interface inside

route outside 0.0.0.0 0.0.0.0 ISP_gateway_IP 1


Central site:

access-list 119 remark IPSec Rule
access-list 119 permit ip 10.110.0.0 0.0.0.255 10.110.17.0 0.0.0.255
access-list 119 permit ip host public_host_IP 10.110.17.0 0.0.0.255

crypto map SDM_CMAP_1 x ipsec-isakmp
 set peer Remote_Site_Public_IP
 ...
 match address 119

interface FastEthernet0/0
 ip address 10.110.0.1 255.255.255.0
 ip access-group 121 in
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 no mop enabled
!
interface FastEthernet0/1
 ip address Public_IP
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 no mop enabled
 crypto map SDM_CMAP_1

route-map SDM_RMAP_1 permit 1
 match ip address 101

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload

access-list 101 deny   ip 10.110.0.0 0.0.0.255 10.110.17.0 0.0.0.255
access-list 101 permit ip 10.110.0.0 0.0.0.255 any



Ping from the 10.110.17.0 subnet, as logged on the ASA:


6 Feb 06 2012 06:25:59 302020 66.39.41.1 10.110.17.11 Built outbound ICMP connection for faddr public_host_IP/0 gaddr 10.110.17.11/512 laddr 10.110.17.11/512

6 Feb 06 2012 06:26:47 302021 66.39.41.1 10.110.17.11 Teardown ICMP connection for faddr public_host_IP/0 gaddr 10.110.17.11/512 laddr 10.110.17.11/512


Any help is welcome, and sorry for my English!
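The following is an added worked example, not part of the original post or of either Cisco product: it models the four access lists quoted above (the ASA crypto ACL and nat 0 ACL, the router's crypto ACL 119 and its NAT route-map ACL 101) as simple source/destination matchers and traces one packet from the remote LAN through them. It shows two things a practitioner would check before touching a tunnel: that the two crypto ACLs are mirror images of each other, and what each device does with a 10.110.17.0/24 packet that is headed for the public host. `public_host_IP` is replaced by the constructed placeholder 192.0.2.10 (TEST-NET-1), and the ACL entries are reduced to IP source/destination, which is all the posted lines use.

```python
"""Offline check of the site-to-site VPN policy quoted in the thread.

Added example. ACL entries are reduced to action, source and destination;
192.0.2.10 stands in for the thread's public_host_IP (constructed placeholder).
"""
import ipaddress
from dataclasses import dataclass

PUBLIC_HOST = "192.0.2.10"          # placeholder for public_host_IP
HOST_MASK = "255.255.255.255"
ANY = ipaddress.IPv4Network("0.0.0.0/0")


def mask_net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """ASA syntax: address followed by a subnet mask, e.g. 10.110.17.0 255.255.255.0."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS syntax: address followed by a wildcard mask, e.g. 10.110.0.0 0.0.0.255."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


@dataclass(frozen=True)
class Ace:
    """One access-list entry: permit/deny for a source and destination range."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.IPv4Address(src) in self.src
                and ipaddress.IPv4Address(dst) in self.dst)


# Remote ASA: outside_1_cryptomap and inside_nat0_outbound_1 list the same flows.
ASA_CRYPTO = [
    Ace("permit", mask_net("10.110.17.0", "255.255.255.0"), mask_net("10.110.0.0", "255.255.255.0")),
    Ace("permit", mask_net("10.110.17.0", "255.255.255.0"), mask_net(PUBLIC_HOST, HOST_MASK)),
]
ASA_NAT0 = ASA_CRYPTO

# Central 2811: crypto ACL 119 and the NAT route-map ACL 101, as posted.
ROUTER_CRYPTO_119 = [
    Ace("permit", wildcard_net("10.110.0.0", "0.0.0.255"), wildcard_net("10.110.17.0", "0.0.0.255")),
    Ace("permit", wildcard_net(PUBLIC_HOST, "0.0.0.0"), wildcard_net("10.110.17.0", "0.0.0.255")),
]
ROUTER_NAT_101 = [
    Ace("deny", wildcard_net("10.110.0.0", "0.0.0.255"), wildcard_net("10.110.17.0", "0.0.0.255")),
    Ace("permit", wildcard_net("10.110.0.0", "0.0.0.255"), ANY),
]


def evaluate(acl, src: str, dst: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action == "permit"
    return False


def crypto_acls_mirror(local_acl, peer_acl) -> bool:
    """Every permitted local flow needs a peer entry that covers the reverse flow."""
    for a in local_acl:
        if a.action != "permit":
            continue
        if not any(b.action == "permit" and a.src.subnet_of(b.dst) and a.dst.subnet_of(b.src)
                   for b in peer_acl):
            return False
    return True


def trace_flow(src: str, dst: str) -> dict:
    """Walk one packet sent from the remote LAN through the posted policy."""
    encrypted = evaluate(ASA_CRYPTO, src, dst)
    return {
        "asa_nat_exempt": evaluate(ASA_NAT0, src, dst),
        "asa_encrypts": encrypted,
        # the router matches the decrypted packet against the reverse of ACL 119
        "router_accepts_from_tunnel": encrypted and evaluate(ROUTER_CRYPTO_119, dst, src),
        # ACL 101 decides whether Fa0/1 translates the source before it leaves for the ISP
        "router_pats_to_internet": evaluate(ROUTER_NAT_101, src, dst),
    }


if __name__ == "__main__":
    print("crypto ACLs mirror:", crypto_acls_mirror(ASA_CRYPTO, ROUTER_CRYPTO_119))
    for dst in (PUBLIC_HOST, "10.110.0.5", "198.51.100.7"):
        print(f"10.110.17.11 -> {dst}: {trace_flow('10.110.17.11', dst)}")
```

Run as-is, the script confirms that ACL 119 is the mirror of the ASA's crypto ACL, and that a packet from 10.110.17.11 to the public host is NAT-exempted and encrypted by the ASA and accepted by the router. For that same flow `router_pats_to_internet` comes back False, because ACL 101 only lists 10.110.0.0/24 as a source; the trace makes that gap visible without touching either device, which is the kind of check to run before comparing the full crypto configuration of both sites.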

Julio Carvajal Mon, 02/06/2012 - 10:19

Hello,


1. On the crypto and NO NAT configuration you do not need to match the traffic to the public IP address of the remote site.

2. Can you share the full crypto configuration (isakmp, transform-set, crypto-map and tunnel group) of both sites (of course you can hide the crypto key)?


Regards,
