I had to say that I need to translate the IP 22.214.171.124 in 10.21.1.1 because I am using it in a VPN :
access-list no_nat extended permit ip host 10.21.1.1 10.20.0.0 255.255.0.0
crypto map vpn 11 set peer 888.888.888.888
The VPN is working.
I had to translate the IP 126.96.36.199 because I will have 11 Cisco for 11 diferents sites and they all will have the same local IP (188.8.131.52) and I need to setup a VPN between all this 11 Cisco and my Cisco in central.
1. Based on your info, you have overlap IP between the sites. So you do need NAT ip 184.108.40.206 to 10.21.1.1 before the packet goes into VPN tunnel. ACL no_nat will not be used.
2. Will the traffic to the internet go to VPN tunnel first and then access internet from your central site? Or it will access the internet locally? I don't have the full config of this ASA and not sure if you are using split-tunnel.
3. My guess is:
- You have dynamic nat configured on this ASA to NAT the traffic to internet
- After you add static NAT for host 220.127.116.11, it will take priority over dynamic nat and as a result it will be NATed to a private IP. Therefore, no internet access anymore.
- If the above is true, you should use a Policy static NAT here.
static (inside,outside) 10.20.1.1 access-list VPN
access-list vpn permit ip host 18.104.22.168 10.20.0.0 255.255.0.0
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :