Cisco Support Community

New Member

IP Sec Tunnel Issue

Hello Experts,

We have a Cisco ASA 5505 (OS version 8.2.1) in use for our production site, and it is working fine without any problem. One of the services servers has a private IP configured and is NATted to a public IP address configured on the ASA firewall. There are a few ports opened for incoming traffic on the outside interface for the services server, which seems to be working fine.

Now we need to establish an IPsec VPN tunnel with a vendor for the services server. For that, the phase-1 negotiation has been completed, but there is something new required in the configuration: we need to allow the interesting traffic based on the public address rather than the private one, which is what we normally do when creating VPN tunnels between two sites. The tunnel is created between the two sites and it is active. Our outside peer IP address is and the vendor IP address is and they are using a NetScreen firewall. Basically, for allowing the traffic we use the private subnet/IP address and send the traffic over the tunnel like IP)------ Interface IP of ASA)-----------encrypted tunnel--------- Peer IP). Now the problem is that the vendor is using the public IP ( in their configuration for our services server instead of But according to me we can allow the local subnet/IP in the interesting traffic over the tunnel.

Can anyone help me with whether we can allow the public IP in our configuration, as they are using the public IP address for their services server ( I don't know what configuration needs to be done so that both servers can communicate with each other. The scenario we want is (Services Server Public IP)------ (Vendor Services Server).


Vinay Gupta

New Member

Re: IP Sec Tunnel Issue

Hello Vinay,

We have many similar examples in our business. We are establishing PUBLIC IP TO PUBLIC IP tunnels between systems, even though our servers have local IP addresses on their NICs. The main point is: NAT is performed before IPsec. To use PUBLIC IP addresses for the IPsec tunnel:

1 - You should replace the server's local IP address with the server's public IP address in the IPsec ACCESS-LIST.

(access-list TUNNEL extended permit ip host host line)

2 - Define/keep ONE-TO-ONE address mapping for your SERVICES SERVER.

(static (inside,outside) (figurative line)

3 - Opposite ACLs must be created on VENDOR site.

4 - Remove NAT exemption rule for local to local IPSEC tunnel.

After these steps, from the VENDOR site they can use your SERVICES SERVER's public IP to connect to it.

Best Regards,

Ufuk Guler
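Ufuk's four steps written out as an ASA 8.2-style configuration, added here as an illustration and not taken from either post. Every address is a constructed placeholder, and the names NONAT, OUTSIDE-MAP and VENDOR-TS are assumptions (only TUNNEL comes from the reply).

```cisco
! Added example, not from the original thread. Placeholder addresses:
!   10.1.1.10      services server, private (inside) address
!   203.0.113.10   services server, public address the vendor sees
!   198.51.100.1   vendor's VPN peer (NetScreen outside interface)
!   198.51.100.20  vendor's services server (public)
!
! Step 2: keep a one-to-one static NAT for the services server. On 8.2
! the ASA translates before it encrypts, so packets entering the tunnel
! already carry the public source address.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
! Step 1: the crypto ACL (interesting traffic) matches the PUBLIC address
! of our server, not its inside address.
access-list TUNNEL extended permit ip host 203.0.113.10 host 198.51.100.20
!
! Step 4: a NAT exemption (nat 0) entry for this server would bypass the
! static translation; the packet would then reach the crypto ACL with its
! private source and never match. So lines like these must NOT exist:
!   access-list NONAT extended permit ip host 10.1.1.10 host 198.51.100.20
!   nat (inside) 0 access-list NONAT
!
! Bind the crypto ACL to the phase-2 policy (phase 1 is already up per the
! thread, so isakmp/tunnel-group lines are omitted).
crypto ipsec transform-set VENDOR-TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address TUNNEL
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set VENDOR-TS
crypto map OUTSIDE-MAP interface outside
!
! Step 3 is the mirror image on the vendor side: their proxy-ID/policy
! must be exactly 198.51.100.20 <-> 203.0.113.10, or phase 2 fails on a
! proxy-ID mismatch. Decrypted vendor traffic is still subject to the
! outside interface ACL unless "sysopt connection permit-vpn" (the ASA
! default) is in effect, so check that before opening extra ports.
!
! Verification: the phase-2 SA should list the two public hosts as the
! local/remote identities and the encaps/decaps counters should increase
! while the server talks to the vendor.
! show crypto ipsec sa peer 198.51.100.1
```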