Cisco Support Community
New Member

NATing over Site-to-Site

This is my VPN Site-to-Site:

myServer->myASA5505<----->otherASA<-otherServer

Phase 1 works, phase 2 fails because otherASA expects my traffic to use myASA5505's IP and it is using myServer's IP.

so here is the question:

How do I NAT myServer to go out myASA5505 using the ASA outside interface address?

3 REPLIES
Hall of Fame Super Blue

Re: NATing over Site-to-Site

Ofir

Your crypto map access-list needs to use the Natted IP of your server and not the real IP, e.g.

remote network = 172.16.5.0/24

server real address = 192.168.5.1

ASA outside interface = 195.177.12.1

access-list vpntraffic permit ip host 195.177.12.1 172.16.5.0 255.255.255.0

The above is what your crypto access-list should look like. At the remote end it should be

access-list vpntraffic permit ip 172.16.5.0 255.255.255.0 host 195.177.12.1

Jon

New Member

Re: NATing over Site-to-Site

A few corrections:

Remote network is /32 - does it change anything (other than the mask)?

When you refer to server real address, is that myServer or the other side?

Hall of Fame Super Blue

Re: NATing over Site-to-Site

"Remote network is /32 - does it change anything (other than the mask)?"

No, mine was just an example, change to fit your scenario.

"When you refer to server real address, is that myServer or the other side?"

Your server that you are Natting.

Jon
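
The thread never shows the NAT statement that pairs with Jon's crypto access-list, so here is an added configuration sketch (not from any of the posters) using the example addresses from his reply. The interface names `inside`/`outside`, the NAT ID `10`, the ACL name `policy-pat`, the object names, the crypto map name `outside_map` and its sequence number are assumptions; use whichever NAT form matches your ASA software version.

```cisco
! --- ASA software before 8.3: policy PAT to the outside interface ---
! Match only traffic from the server to the remote network (real addresses).
access-list policy-pat extended permit ip host 192.168.5.1 172.16.5.0 255.255.255.0
! Translate that traffic to the outside interface address (195.177.12.1).
nat (inside) 10 access-list policy-pat
global (outside) 10 interface

! --- ASA software 8.3 and later: equivalent twice-NAT rule ---
object network MYSERVER
 host 192.168.5.1
object network REMOTE-NET
 subnet 172.16.5.0 255.255.255.0
! Source is PATed to the interface only when the destination is REMOTE-NET.
nat (inside,outside) source dynamic MYSERVER interface destination static REMOTE-NET REMOTE-NET

! --- Both versions: the crypto ACL uses the translated source ---
! NAT is applied before the crypto map match, so the ACL must name
! 195.177.12.1, not 192.168.5.1. Remove or narrow any NAT exemption
! (nat 0 / identity NAT) that would match this flow first.
access-list vpntraffic extended permit ip host 195.177.12.1 172.16.5.0 255.255.255.0
crypto map outside_map 10 match address vpntraffic

! --- Verification (exec mode; 172.16.5.10 is a constructed test host) ---
! packet-tracer input inside tcp 192.168.5.1 1025 172.16.5.10 80
! show xlate
! show crypto ipsec sa
```

In `show crypto ipsec sa`, the local ident should read 195.177.12.1/255.255.255.255 once phase 2 comes up. Because this is dynamic PAT, only the server side can initiate traffic through the tunnel.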
