Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

ASA 5510 l2l IPSEC Questions

I know how to configure pix or asa for lan to lan ipsec vpn tunnels to allow the inside networks at each site to communicate through the tunnel. This requires defining an access list that identifies when traffic from siteA goes to Site B bypass the natting process. (i.e. nat (inside) 0 access-list nonat).

Now I have a customer that needs a additional tunnel setup that needs their internal private ip's natted to a publicly routable address and then tunneled. Here is the remote sites VPN requirments.

Checkpoint NG w/AI version R60

Gateway IP: 12.5.XX.XX

Encryption: 3DES/MD5/DH Group 2/Disable Perfect Forward Secrecy

Preshared Key: TBD over the phone

IKE Phase 1 Timeout: 1440 minutes

IPSec Phase 2 Timeout: 3600 seconds

Host to access: over TCP Port 23 (standard telnet)

"We will need you to NAT all your internal IP's to an external routable IP address.

That can either be the external interface of your firewall, or another public routable IP address on that network. "

Can this be done with the ASA and if so how do you nat before the ipsec process?

Cisco Employee

Re: ASA 5510 l2l IPSEC Questions

Yes this can be done, quite easily actually. Just keep in mind that NAT happens BEFORE IPSec within the ASA. Let's say your inside is, the remote inside is, and you have to NAT the entire network to

access-list l2l permit ip

access-list crypto permit ip host

Define policy-NAT to only NAT the L2L traffic as such

nat (inside) 5 access-list l2l

global (outside) 5

Then your crypto map points to the already-NAT'd traffic as what to send over the tunnel:


crypto map mymap 10 match address crypto


Make sure you don't have traffic from to defined in any "nat 0 access-list" ACL, cause this will override the policy NAT statement defined. You actually want to NAT this traffic and that's done by the policy-NAT, BEFORE the encryption part of things, so your crypto map ACL simply specifies the already NAT'd traffic.

Also make sure the remote end has the exact opposite ACL on their end, encrypt traffic FROM going TO host

Community Member

Re: ASA 5510 l2l IPSEC Questions

So if I already have a global pool on the outside interface address (i.e. global (outside) 1 interface) Then all I really need to do is define the access list to match traffic from my inside network to the remote site's host address and then setup my l2l tunnel group using that access list and all traffice matching the list will be natted to my public outside interface address, then encrypted, and delivered over the tunnel and as long as the remote site has the exact opposite access list pointing from their inside host address to my public outside interface address, return traffic should be encrypted and sent back to me.

If this is all I have to do then I guess I was making it too difficult in my head.

Thanks for your help.

CreatePlease to create content