
New Member

Site-to-site VPN: Site A (public IP), Site B (private IP)

Hi,

I want to configure a site-to-site VPN as follows:

Site A wants to use a public IP range in the interesting traffic.

Site B wants to use a private IP range in the interesting traffic.

Site A range: 196.x.x.x/255.255.255.0

Site B range: 172.16.4.0/255.255.252.0

Note: Site B also has a site-to-site tunnel with another client (Site C).

Site B and Site C use private IPs in their VPN.

Please clear my doubt.

Site A (196.x.x.x/24) ------------> Site B (172.16.x.x/16)
                                        \------------------------------------> Site C (10.10.x.x/16)
                                                 No NAT

Currently I am using no NAT between Site B and Site C.

If I want to use the same Site B range with the Site A range, is there any problem I can face with this configuration?

Regards,

Prashant

8 REPLIES

Re: Site-to-site VPN: Site A (public IP), Site B (private IP)

"If I want to use the same Site B range with the Site A range, is there any problem I can face with this configuration?"

There is no problem whatsoever, whether you use a public address or a private address.

In the interesting-traffic crypto ACL you use the public address. There is one difference there, though: there is no need for no-NAT when you are using a public address in the crypto ACL.

Hope that answers your question.

thanks

Rizwan Rafeek

New Member

Site-to-site VPN: Site A (public IP), Site B (private IP)

Thanks.

So I have to configure it like below:

Note IPs: Site B 10.x.x.x, Site A 196.x.x.x, Site C 10.x.x.x

Between Site B and Site C:

access-list nonat extended permit ip 10.x.x.0 255.255.255.0 172.x.0.0 255.255.0.0

access-list outside_2_cryptomap extended permit ip 10.x.x.0 255.255.255.0 172.x.0.0 255.255.0.0

I have the configuration as mentioned for the site-to-site VPN between Site A and Site C.

Now, if I want to use a public IP for Site A,

then the configuration on Site B should be:

access-list outside_2_cryptomap extended permit ip 10.x.x.0 255.255.255.0 196.x.x.x 255.255.255.0

Am I correct on the above configuration?

Regards,

Prashant

Re: Site-to-site VPN: Site A (public IP), Site B (private IP)

"access-list outside_2_cryptomap extended permit ip 10.x.x.0 255.255.255.0 196.x.x.x 255.255.255.0"

Yes, the ACL looks fine. Please make sure of the mask on the 196 public address and its network address.

You also want to use a different name for the ACL, "outside_3_cryptomap" instead of "outside_2_cryptomap".

Thanks

New Member

Site-to-site VPN: Site A (public IP), Site B (private IP)

Thanks for the reply.

I will take care of the crypto map access-list name as well as the public IP range.

Regards,

Prashant

New Member

Site-to-site VPN: Site A (public IP), Site B (private IP)

Hi,

Below is my final configuration, made using ASDM.

Is any modification required?

crypto isakmp enable outside1

asdm location 10.x.x.0 255.255.255.0 inside
asdm location 182.x.x.x 255.255.255.240 inside

access-list outside1_1_cryptomap line 1 extended permit ip 10.x.x.0 255.255.255.0 182.x.x.x 255.255.255.240

access-list inside_nat0_outbound line 1 extended permit ip 10.x.x.0 255.255.255.0 182.x.x.x 255.255.255.240   (removed)

tunnel-group 182.x.x.x type ipsec-l2l
tunnel-group 182.x.x.x ipsec-attributes
  pre-shared-key ***********
  isakmp keepalive threshold 10 retry 2

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400

crypto ipsec transform-set ctrls esp-3des esp-sha-hmac

crypto map outside1_map 1 match address outside1_1_cryptomap
crypto map outside1_map 1 set peer 182.x.x.x
crypto map outside1_map 1 set transform-set ctrls
crypto map outside1_map interface outside1

nat (inside) 0 access-list inside_nat0_outbound tcp 0 0 udp 0   (removed)

Regards,

Prashant

Site-to-site VPN: Site A (public IP), Site B (private IP)

Try it without no-NAT.

You do not need this line: nat (inside) 0 access-list inside_nat0_outbound

It should work.

thanks

New Member

Site-to-site VPN: Site A (public IP), Site B (private IP)

Hi,

My scenario has changed a little bit.

Now the scenario is as follows:

Site A and Site B already have a tunnel using private IPs.

Now Site A wants to configure a new site-to-site VPN with Site C (public IP), NATing the private LAN range to a public IP range.

So, is there any problem for the existing site-to-site VPN with no NAT?

Let's take an example.

Existing VPN between Site A and Site B:

access-list nonat extended permit ip 10.x.x.0 255.255.255.0 172.x.0.0 255.255.0.0

access-list outside_2_cryptomap extended permit ip 10.x.x.0 255.255.255.0 172.x.0.0 255.255.0.0

Now I want to NAT the same LAN range to a public IP and use that public IP range in the site-to-site VPN with Site C.

Please help me.

Re: Site-to-site VPN: Site A (public IP), Site B (private IP)

You need a policy NAT.

STEP 1:

access-list policy-nat-acl extended permit ip 10.x.x.0 255.255.255.0 172.x.0.0 255.255.0.0

Identify the interesting traffic, as the source and destination that need to be NATed, in the above ACL.

-------------------------------------------------------------

STEP 2:

static (inside,outside) xxx.xxx.xxx.xxx access-list policy-nat-acl

Now static-NAT your private source to a public address in "xxx.xxx.xxx.xxx"; use the public IP range as you wish.

-------------------------------------------------------------

STEP 3:

access-list outside_4_cryptomap extended permit ip xxx.xxx.xxx.xxx mask.mask.mask.mask 172.x.0.0 255.255.0.0

In the crypto ACL above you could use the network address itself plus its mask, or an IP address alone, but be consistent with step 2. The remaining config is just like a regular VPN tunnel setup.

Thanks

Rizwan Rafeek
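The two rules the thread settles on (a crypto ACL that matches a private range needs a matching nat0 exemption, a crypto ACL that matches an already-translated public range needs a policy static instead) and the overlap between several crypto map entries on one interface are easy to get wrong by hand. The following is an added example, written for this thread and not code from the posters or from Cisco: it parses pre-8.3 ASA `access-list`, `crypto map ... match address`, `static ... access-list` and `nat (x) 0 access-list` lines and reports four classes of mistakes. The sample configs and all addresses (10.1.1.0/24 LAN, 172.16.0.0/16 and 172.16.4.0/22 for Site B, RFC 5737 ranges for Site C and the public NAT pool) are constructed; the ACL and ACL-name conventions follow the thread. One caveat it checks that the last reply does not mention: on pre-8.3 ASA, NAT exemption is evaluated before policy static NAT, so a `nonat` entry written with `any` as destination silently defeats the policy NAT and the public-range tunnel never matches.

```python
"""Added example for this thread (not Cisco tooling, not the posters' config):
consistency checks over pre-8.3 ASA config lines for a firewall that runs a
private-to-private tunnel next to one whose crypto ACL uses a policy-NATed
public range.  All addresses are constructed (RFC 1918 and RFC 5737)."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    # ipaddress.is_private also flags the TEST-NET documentation ranges, so test
    # RFC 1918 explicitly: that is what decides whether a nat0 entry is required.
    return any(net.subnet_of(p) for p in RFC1918)


def _net(tokens):
    """Consume one ASA address spec from a token list: any | host A | A MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    """Return (acls, crypto map entries, policy statics, nat0 ACL names)."""
    acls, crypto, statics, nat0 = {}, [], [], []
    for raw in text.splitlines():
        p = raw.split()
        if p[:1] == ["access-list"] and len(p) > 6:
            if p[2] == "line":          # ASDM writes 'access-list NAME line N extended ...'
                del p[2:4]
            if p[2:5] != ["extended", "permit", "ip"]:
                continue                # only 'permit ip' lines matter for crypto and nat0 ACLs
            t = p[5:]
            src, dst = _net(t), _net(t)
            acls.setdefault(p[1], []).append((src, dst))
        elif p[:2] == ["crypto", "map"] and p[4:6] == ["match", "address"]:
            crypto.append((int(p[3]), p[6]))
        elif p[:1] == ["static"] and "access-list" in p:
            mask = p[p.index("netmask") + 1] if "netmask" in p else "255.255.255.255"
            statics.append((ipaddress.ip_network(f"{p[2]}/{mask}", strict=False),
                            p[p.index("access-list") + 1]))
        elif p[:1] == ["nat"] and p[2:4] == ["0", "access-list"]:
            nat0.append(p[4])
    return acls, sorted(crypto), statics, nat0


def crypto_overlaps(acls, crypto):
    """Entries are tried by sequence number, so a flow matching two crypto ACLs
    always takes the lower one and the other tunnel never carries it."""
    return [(seq_a, seq_b) for i, (seq_a, a) in enumerate(crypto) for seq_b, b in crypto[i + 1:]
            if any(s1.overlaps(s2) and d1.overlaps(d2)
                   for s1, d1 in acls.get(a, []) for s2, d2 in acls.get(b, []))]


def nat0_gaps(acls, crypto, nat0_names):
    """A crypto ACL entry with a private source needs a nat0 entry covering it,
    or the packet is translated before the crypto ACL is evaluated.  A public
    (already translated) source needs none, as the first reply says."""
    exempt = [e for n in nat0_names for e in acls.get(n, [])]
    return [(acl, str(s), str(d)) for _, acl in crypto for s, d in acls.get(acl, [])
            if is_rfc1918(s) and not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]


def policy_nat_gaps(acls, crypto, statics):
    """A crypto ACL with a public source only sees traffic if a policy static
    maps the real LAN into that same public range for the same destination."""
    def covered(s, d):
        return any(s.subnet_of(pub) and any(d.subnet_of(pd) for _, pd in acls.get(pacl, []))
                   for pub, pacl in statics)
    return [(acl, str(s), str(d)) for _, acl in crypto for s, d in acls.get(acl, [])
            if not is_rfc1918(s) and not covered(s, d)]


def nat0_shadowing(acls, statics, nat0_names):
    """NAT exemption is evaluated before policy static NAT, so a nonat entry that
    also matches the policy-NAT traffic leaves it untranslated and off the tunnel."""
    exempt = [e for n in nat0_names for e in acls.get(n, [])]
    return [(pacl, str(rs), str(rd)) for _, pacl in statics for rs, rd in acls.get(pacl, [])
            if any(rs.overlaps(es) and rd.overlaps(ed) for es, ed in exempt)]


def audit(text):
    acls, crypto, statics, nat0 = parse_config(text)
    return {"crypto_overlaps": crypto_overlaps(acls, crypto),
            "nat0_gaps": nat0_gaps(acls, crypto, nat0),
            "policy_nat_gaps": policy_nat_gaps(acls, crypto, statics),
            "nat0_shadowing": nat0_shadowing(acls, statics, nat0)}


# Constructed: private tunnel to Site B plus a policy-NATed public tunnel to Site C.
GOOD_CONFIG = """
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list policy-nat-acl extended permit ip 10.1.1.0 255.255.255.0 198.51.100.0 255.255.255.0
static (inside,outside) 203.0.113.0 access-list policy-nat-acl netmask 255.255.255.0
access-list outside_4_cryptomap line 1 extended permit ip 203.0.113.0 255.255.255.0 198.51.100.0 255.255.255.0
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 4 match address outside_4_cryptomap
nat (inside) 0 access-list nonat
"""

# Constructed: nonat too broad, a duplicate crypto entry for Site B, wrong public mask.
BAD_CONFIG = """
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 any
access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside_3_cryptomap extended permit ip 10.1.1.0 255.255.255.0 172.16.4.0 255.255.252.0
access-list policy-nat-acl extended permit ip 10.1.1.0 255.255.255.0 198.51.100.0 255.255.255.0
static (inside,outside) 203.0.113.0 access-list policy-nat-acl netmask 255.255.255.0
access-list outside_4_cryptomap extended permit ip 203.0.113.0 255.255.0.0 198.51.100.0 255.255.255.0
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 4 match address outside_4_cryptomap
nat (inside) 0 access-list nonat
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit(cfg))
```

Run against the "good" config every list comes back empty; against the "bad" one it reports the seq 2/3 overlap (the /22 for Site B is already inside the /16 on the lower entry, so seq 3 never matches), the `outside_4_cryptomap` source whose mask is wider than the static's pool (the mask caution from the third reply), and the `nonat` entry with `any` that shadows `policy-nat-acl`. The parser is deliberately limited to the `permit ip` form used for crypto and nat0 ACLs on this platform; port-level or deny entries are skipped.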
