Site to Site VPN: Site A (public IP), Site B (private IP)

prashantrecon
Level 1

Hi,

I want to configure site to site as follows:

Site A wants to use a public IP range in the interesting traffic.

Site B wants to use a private IP range in the interesting traffic.

Site A range: 196.x.x.x/255.255.255.0

Site B range: 172.16.4.0/255.255.252.0

Note: site B also has a site to site tunnel with another client (Site C).

Site B and Site C have private IPs in the VPN.

Please clear my doubt.

Site A (196.x.x.x/24) ............> Site B (172.16.x.x/16)
                                         \------------------------------> Site C (10.10.x.x/16)
                                                      No NAT

Currently I am using no NAT between site B and site C.

If I want to use the same site B range with the Site A range, is there any problem I can face with this configuration?

Regards,

Prashant

8 Replies

rizwanr74
Level 7

"If I want to use the same site B range with the Site A range, is there any problem I can face with this configuration?"

There is no problem whatsoever, whether you use a public address or a private address.

In the interesting traffic crypto ACL you use the public address. There is one difference there though: there is no need for no-NAT when you are using the public address in the crypto ACL.

Hope that answers your question

thanks

Rizwan Rafeek

Thanks,

So I have to configure like below:

Note IPs: Site B 10.x.x.x, Site A 196.x.x.x, Site C 10.x.x.x

Between site B and site C:

access-list nonat extended permit ip 10.x.x.0 255.255.255.0 172.x.0.0 255.255.0.0

access-list outside_2_cryptomap extended permit ip 10.x.x.0 255.255.255.0 172.x.0.0 255.255.0.0

I have the configuration as mentioned for the Site to Site VPN between Site A and Site C.

Now if I want to use a public IP for Site A,

then the configuration on site B should be as:

access-list outside_2_cryptomap extended permit ip 10.x.x.0 255.255.255.0 196.x.x.x 255.255.255.0

Am I correct on the above configuration?

Regards,

Prashant

"access-list outside_2_cryptomap extended permit ip 10.x.x.0 255.255.255.0 196.x.x.x 255.255.255.0"

Yes, the ACL looks fine; please make sure of the mask on the 196 public address and its network address.

You also want to use a different name on the ACL, "outside_3_cryptomap" instead of "outside_2_cryptomap".

Thanks

Thanks for reply

I will take care of the crypto map access-list name as well as the public IP range.

Regards,

Prashant

Hi,

Below is my final configuration using ASDM.

Is any modification required?

crypto isakmp enable outside1
asdm location 10.x.x.0 255.255.255.0 inside
asdm location 182.x.x.x 255.255.255.240 inside
access-list outside1_1_cryptomap line 1 extended permit ip 10.x.x.0 255.255.255.0 182.x.x.x 255.255.255.240
access-list inside_nat0_outbound line 1 extended permit ip 10.x.x.0 255.255.255.0 182.x.x.x 255.255.255.240   (removed)
tunnel-group 182.x.x.x type ipsec-l2l
tunnel-group 182.x.x.x ipsec-attributes
 pre-shared-key ***********
 isakmp keepalive threshold 10 retry 2
crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ctrls esp-3des esp-sha-hmac
crypto map outside1_map 1 match address outside1_1_cryptomap
crypto map outside1_map 1 set peer 182.x.x.x
crypto map outside1_map 1 set transform-set ctrls
crypto map outside1_map interface outside1
nat (inside) 0 access-list inside_nat0_outbound tcp 0 0 udp 0   (removed)

Regards,

Prashant

Try without no NAT.

You do not need this line: nat (inside) 0 access-list inside_nat0_outbound

It should work.

thanks

Hi,

My scenario has changed a little bit.

Now the scenario is as follows:

Site A and Site B already have a tunnel with private IPs.

Now Site A wants to configure a new Site to Site VPN with Site C (public IP), NATing the private LAN range to a public IP range.

So is there any problem in the existing site to site VPN with No NAT?

Let's take an example.

Existing VPN b/w Site A and Site B:

access-list nonat extended permit ip 10.x.x.0 255.255.255.0 172.x.0.0 255.255.0.0

access-list outside_2_cryptomap extended permit ip 10.x.x.0 255.255.255.0 172.x.0.0 255.255.0.0

Now I want to NAT the same LAN range to a public IP and want to use that public IP range in the Site to Site VPN with Site C.

Please help me....

You need a policy nat.

STEP 1:

access-list policy-nat-acl extended permit ip 10.x.x.0 255.255.255.0 172.x.0.0 255.255.0.0

Identify the interesting traffic (source and destination) that needs to be NATed in the above ACL.

-------------------------------------------------------------

STEP 2:

static (inside,outside) xxx.xxx.xxx.xxx access-list policy-nat-acl

Now static-NAT your private source to a public address; in place of "xxx.xxx.xxx.xxx" use the public IP range as you wish.

-------------------------------------------------------------

STEP 3:

access-list outside_4_cryptomap extended permit ip xxx.xxx.xxx.xxx mask.mask.mask.mask 172.x.0.0 255.255.0.0

In the crypto ACL above you could use the network address itself plus its mask, or an IP address alone, but be consistent with step 2; the remaining config is just like a regular VPN tunnel setup.

Thanks

Rizwan Rafeek
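A small consistency check for the three-step policy NAT above, added here as an illustration and not code from any poster in this thread. It assumes pre-8.3 ASA syntax (static ... access-list, nat 0 access-list) and the pre-8.3 NAT order of operations, in which NAT exemption is evaluated before static policy NAT; the config fragment and addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed pre-8.3 ASA fragment shaped like the thread's three steps plus the
# existing NAT exemption. Addresses are RFC 1918 / documentation placeholders.
ASA_CONFIG = """
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.4.0 255.255.252.0
nat (inside) 0 access-list nonat
access-list policy-nat-acl extended permit ip 10.1.1.0 255.255.255.0 172.16.4.0 255.255.252.0
static (inside,outside) 203.0.113.0 access-list policy-nat-acl
access-list outside_4_cryptomap extended permit ip 203.0.113.0 255.255.255.0 172.16.4.0 255.255.252.0
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
STATIC_RE = re.compile(r"static \(\S+,\S+\) (\S+) access-list (\S+)")
NAT0_RE = re.compile(r"nat \(\S+\) 0 access-list (\S+)")


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Collect ACL entries, policy statics and NAT-exemption ACL names."""
    acls, statics, exempt = {}, [], []
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := STATIC_RE.match(line):
            statics.append((ipaddress.ip_address(m[1]), m[2]))
        elif m := NAT0_RE.match(line):
            exempt.append(m[1])
    return acls, statics, exempt


def check(config, crypto_acl):
    """Return findings that would stop the policy-NATed tunnel from working."""
    acls, statics, exempt = parse(config)
    findings = []
    for mapped, pol in statics:
        for src, dst in acls.get(pol, []):
            # Pre-8.3 ASA evaluates nat 0 (exemption) before static policy NAT,
            # so an overlapping exemption entry means the translation never runs.
            for ex in exempt:
                for ex_src, ex_dst in acls.get(ex, []):
                    if src.overlaps(ex_src) and dst.overlaps(ex_dst):
                        findings.append(f"exemption {ex} shadows policy NAT {pol} for {src}->{dst}")
            # Step 3 caveat: crypto ACL must use the mapped source and the same destination.
            for c_src, c_dst in acls.get(crypto_acl, []):
                if mapped not in c_src or c_dst != dst:
                    findings.append(f"{crypto_acl} entry {c_src}->{c_dst} does not match static {mapped}->{dst}")
    return findings
```

Running check(ASA_CONFIG, "outside_4_cryptomap") on the constructed fragment reports that the nonat exemption shadows the new policy NAT, which is the interaction the question about the existing no-NAT tunnel is asking about.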
