ASA Private local networks

Is there any way to connect a L2L VPN without using public NATs when one of the sites contains private IPs (i.e. 10's, 172's)? I'm using a public NAT to route our private IP but the distant end is not using a NAT. My Cisco ASA is on ver 9.1(1)

VIP Green

Not exactly sure what you are asking here.

But when doing a L2L VPN you do not want to NAT the local (private) IPs...normally. So you would just set up a L2L VPN between your ASA and the remote site, make sure that both sides have crypto ACLs (that define traffic to be encrypted) that are the mirror image of each other, and have NAT statements that prevent the VPN traffic from being NATed.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

Hopefully I can clarify.

encrypt domain 10.120.1.141 --->Local ASA inside 10.120.1.1 --->Local ASA outside 72.30.40.1 <--->Remote ASA peer ip 129.70.32.4<---public NAT 129.70.32.50 <---encrypt domain 10.111.40.208 /28

I'm new at this ASA stuff, hope this doesn't confuse things. The tunnel does come up when the remote site initiates. I have a static route for all 10.0.0.0/8 pointing inside on my ASA.

VIP Green

So you are unable to get connectivity between the two encrypted domains. This is because of your route for 10.0.0.0/8 pointing to the inside on your ASA.  You need to either enter a route pointing to the outside for 10.111.40.208/28 or configure more specific routes for the inside networks.

New Member

Can't change the 10.0.0.0/8 route. The possibilities of what that may impact are scary. So you're saying the other option is to add the 10.111.40.208/28 to my ASA routes?

route Outside 10.111.40.208 255.255.255.240 72.30.40.1 1

VIP Green

Yes you would need to add that route.  Right now the ASA thinks that all 10.0.0.0 networks are located on the inside interface, so we need to tell the ASA that to reach 10.111.40.208/28 it needs to send traffic through the outside interface.

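An added illustration of the point made in this thread (not code from the thread or from Cisco): a longest-prefix-match lookup over a constructed route table shows why the 10.0.0.0/8 route swallows the remote encryption domain until the more specific /28 is added, and a mirror-image check covers the crypto ACL requirement from the first reply. Interface names and prefixes come from the thread; the crypto ACLs and the default route are assumptions.

```python
import ipaddress

# Constructed route table for the thread's scenario: the 10.0.0.0/8 summary
# route points inside, so without a more specific entry the remote encryption
# domain 10.111.40.208/28 is resolved to the inside interface.
ROUTES_BEFORE = [("0.0.0.0/0", "Outside"), ("10.0.0.0/8", "inside")]
ROUTES_AFTER = ROUTES_BEFORE + [("10.111.40.208/28", "Outside")]

# Constructed crypto ACLs: local side, and the mirror image the peer must carry.
LOCAL_CRYPTO_ACL = [("10.120.1.141/32", "10.111.40.208/28")]
REMOTE_CRYPTO_ACL = [("10.111.40.208/28", "10.120.1.141/32")]


def egress_interface(routes, dst):
    """Longest-prefix match: the most specific matching route picks the egress interface."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def mirror_image(local_acl, remote_acl):
    """True when the remote crypto ACL equals the local one with src/dst swapped."""
    return {(s, d) for s, d in local_acl} == {(d, s) for s, d in remote_acl}


def vpn_path_ok(routes, local_acl, remote_acl, outside="Outside"):
    """Every destination in the local crypto ACL must leave via the interface
    the crypto map is applied to, and the peer's ACL must mirror ours."""
    dests = [ipaddress.ip_network(d).network_address for _, d in local_acl]
    routed_out = all(egress_interface(routes, str(d)) == outside for d in dests)
    return routed_out and mirror_image(local_acl, remote_acl)


if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, egress_interface(routes, "10.111.40.210"),
              vpn_path_ok(routes, LOCAL_CRYPTO_ACL, REMOTE_CRYPTO_ACL))
```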
New Member

Thanks for your help.   Things are working now.

Jonathan,

VIP Green

Glad I could help and thanks for the rating.
