03-26-2007 12:36 AM
SITE 1:
  SERVER
    |
  7600 (with VPN encryption module)
    |
    |
    |
SITE 2:
  Cisco 2800 Router
    |
  Cisco ASA (version 7.2.2)
    |
  LAN switch
    |
  SERVER (192.168.200.204, NATed to a public IP 124.X.X.X)
Above is the network. Is it possible to establish L2L VPN connectivity between the two servers mentioned at site 1 and site 2? The site 2 server is statically NATed to a public IP. If yes, could someone suggest the ACLs that need to be applied?
Regards, Jithesh
03-26-2007 06:57 AM
Hi Jithesh,
I assume that the L2L tunnel is going to be between the 2800 router on site 2 and the 7600 router in site 1. Do you need the server on site 2 to be accessed with the NATed IP or with the private IP through the tunnel? If you need it to be accessed with the NATed IP, then you need to include the public IP in the crypto ACL on both ends: on site 2 it should be the source, and on site 1 it should be the destination. If you need to access it using the physical IP, then you need to configure the physical IP in the crypto ACLs and make sure that you bypass the NAT on the 2800 router.
HTH,
Please let me know if you need further clarification, and rate if it helps.
Regards,
Kamal
03-27-2007 12:04 AM
Hi Kamal,
Thanks for responding.
Basically I am doing a static NAT on the ASA (site 2), as shown below.
static (inside,outside) 124.x.88.117 192.168.200.204
I have a crypto ACL as below.
access-list cryptoacl extended permit ip host 124.x.88.117 host 194.31.x.106
where 194.31.x.106 is the server at Site 1.
I apply the same cryptoacl as the match address in the crypto map config as well.
I am also configuring the crypto map to set the peer IP to the site 1 7200 public IP, i.e. 194.x.x.177.
Do I have to open any ports in the 2800 router (site 2) to allow reply packets from site 1? If so, should I be specifically allowing ports 500, 4500, etc.? I need your suggestion on whether I am going right in my understanding. Site 1 has permitted traffic from my NATed IP and they have also set the peer appropriately. My doubts all pertain to site 2, where I am configuring the ASA.
Regards, Jithesh
03-27-2007 12:09 AM
Kindly let me know if I can be NATing the traffic and sending it over the VPN tunnel, or, as suggested in many other documents, do a nat 0 and then send that traffic to site 1.
Regards, Jithesh
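The following is an added configuration example, not posted by anyone in this thread, illustrating the two choices Kamal describes (crypto ACL on the NATed public IP versus the private IP with NAT bypassed) and the nat 0 question above. It keeps the addresses, the static NAT and the cryptoacl line already posted; the crypto map and transform-set names, the ISAKMP policy values, the access-list names OUTSIDE-IN and CRYPTO-TO-SITE2, the 2800 interface name, the ASA outside interface address (<ASA-OUTSIDE-IP>) and the pre-shared key are assumptions or placeholders.

```cisco
! === Site 2, Cisco ASA 7.2 ===
! Option A (what the thread already has): the server is reached through the
! tunnel by its NATed public IP. The ASA translates outbound traffic before it
! evaluates the crypto map, so the crypto ACL is written on the public IP.
static (inside,outside) 124.x.88.117 192.168.200.204
access-list cryptoacl extended permit ip host 124.x.88.117 host 194.31.x.106

! Option B: the server is reached by its private IP. Exempt tunnel traffic from
! NAT (nat 0) and match the private IP in the crypto ACL instead.
! Use one option or the other, not both; site 1 must mirror whichever is chosen.
! access-list nonat extended permit ip host 192.168.200.204 host 194.31.x.106
! nat (inside) 0 access-list nonat
! access-list cryptoacl extended permit ip host 192.168.200.204 host 194.31.x.106

! IKE phase 1 (policy values are assumptions; they must match what site 1 runs)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! IKE phase 2 and the crypto map (names are assumptions)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address cryptoacl
crypto map outside_map 10 set peer 194.x.x.177
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! Peer definition; the pre-shared key is a placeholder
tunnel-group 194.x.x.177 type ipsec-l2l
tunnel-group 194.x.x.177 ipsec-attributes
 pre-shared-key <SITE1-SITE2-PSK>

! Let decrypted tunnel traffic bypass the outside interface ACL
sysopt connection permit-vpn

! === Site 2, Cisco 2800 in front of the ASA ===
! Only needed if an inbound ACL is applied on the Internet-facing interface:
! IKE (UDP 500), NAT-T (UDP 4500) and ESP from the site 1 peer must reach the
! ASA's outside address. Other traffic the site needs is added below these lines;
! the implicit deny at the end of the ACL blocks everything else.
ip access-list extended OUTSIDE-IN
 permit udp host 194.x.x.177 host <ASA-OUTSIDE-IP> eq isakmp
 permit udp host 194.x.x.177 host <ASA-OUTSIDE-IP> eq non500-isakmp
 permit esp host 194.x.x.177 host <ASA-OUTSIDE-IP>
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in

! === Site 1, 7600: mirror image of the site 2 crypto ACL (Option A) ===
ip access-list extended CRYPTO-TO-SITE2
 permit ip host 194.31.x.106 host 124.x.88.117
```

The point to check on both boxes is that the two crypto ACLs are exact mirror images (site 2's source/destination swapped on site 1); if they are not, phase 1 may come up while phase 2 never negotiates a matching SA. After the first interesting packet, `show crypto isakmp sa` and `show crypto ipsec sa` on the ASA show whether phase 1 and phase 2 established and whether packets are being encrypted and decrypted, which is the quickest way to tell an ACL mismatch from a blocked IKE/ESP path on the 2800.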