Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
377
Views
0
Helpful
3
Replies

L2L VPN BY DOING STATIC NAT FOR THE SERVER BEHIND THE GATEWAY?IS IT POSSIBL

Manjunatha Jayaram
Level 1
Level 1

‎03-26-2007 12:36 AM

SITE 1>

|

SERVER

|

7600(WITH vpn encryption module)

|

|

|

|

|

SITE 2>

Cisco 2800 Router

|

|

CISCO ASA(7.2.2 VERSION)

|

|

|

LAN SWITCH

|

|

SERVER(192.168.200.204--NATTED TO A PUBLIC IP 124.X.X.X)

Above is the network.Is it possible to establish l2l vpn connectivity between the two servers mentioned between site1 and 2.Site 2 server is statically natted to a public ip.If yes could some one suggest on the acls that needs to be applied.

regards..Jithesh

Labels:
0 Helpful
3 Replies 3

Kamal Malhotra
Cisco Employee
Cisco Employee

‎03-26-2007 06:57 AM

Hi Jithesh,

I assume that the L2L tunnel is going to be between the 2800 router on site 2 and 7600 router in site 1. Do you need the server on site 2 to be accessed with the NATed IP or with the private IP through the tunnel. If you need it to be accessed with the nated IP then you need to include the public IP in the crypto ACL on both ends. On site 2, it should be the source and on site 1 it should be the destination. If you need to access it using the physical IP, then you need to configure the physical ip in the crypto ACLs and make sure that you bypass the NAT on the 2800 router.

HTH,

Please let me know if you need further clarification and rate if it helps,

Regards,

Kamal

0 Helpful

Manjunatha Jayaram
Level 1
Level 1
In response to Kamal Malhotra

‎03-27-2007 12:04 AM

Hi Kamal,

Thanks for responding.

Basically am doing a static nat in the ASA(site2) like shown below.

static (inside,outside) 124.x.88.117 192.168.200.204

I have a crypto acl as below.

access-list cryptoacl extended permit ip host 124.x.88.117 host 194.31.x.106

where 194.31.x.106 is the server at Site 1.

I apply the same cryptoacl as the matching traffic in the cryptomap config as well.

Am also configuring the crypto map to set the peer ip to the site 1 7200 public IP:ie 194.x.x.177.

Do i have to open any ports in the 2800 router(site 2) for allowing reply packets from the site 1.If so should i be specifically allowing ports 500,4500 etc.Need your suggestion if am going right in my understanding.Site 1 has permitted traffic from my natted IP and they have also set the peer appropriately.My doubts are all pertaining to site 2, where am configuring the ASA

regards...Jithesh

0 Helpful

Manjunatha Jayaram
Level 1
Level 1
In response to Manjunatha Jayaram

‎03-27-2007 12:09 AM

Kindly let me know if i can be natting the traffic and sending it over the vpn tunnel, or as in many other documents its suggested to do a nat 0 and then send those traffic to the site 1.

regards..Jithesh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents