Cisco Support Community

L2L VPN BY DOING STATIC NAT FOR THE SERVER BEHIND THE GATEWAY? IS IT POSSIBLE?

SITE 1
  |
SERVER
  |
7600 (with VPN encryption module)
  |
  |
  |
  |
SITE 2
Cisco 2800 Router
  |
CISCO ASA (7.2.2 version)
  |
LAN SWITCH
  |
SERVER (192.168.200.204, statically NATted to a public IP 124.x.x.x)

Above is the network. Is it possible to establish L2L VPN connectivity between the two servers mentioned, between site 1 and site 2? The site 2 server is statically NATted to a public IP. If yes, could someone suggest the ACLs that need to be applied?

Regards, Jithesh

Cisco Employee

Re: L2L VPN BY DOING STATIC NAT FOR THE SERVER BEHIND THE GATEWAY?

Hi Jithesh,

I assume that the L2L tunnel is going to be between the 2800 router on site 2 and the 7600 router in site 1. Do you need the server on site 2 to be accessed with the NATed IP or with the private IP through the tunnel? If you need it to be accessed with the NATed IP, then you need to include the public IP in the crypto ACL on both ends: on site 2 it should be the source, and on site 1 it should be the destination. If you need to access it using the physical IP, then you need to configure the physical IP in the crypto ACLs and make sure that you bypass the NAT on the 2800 router.

HTH,

Please let me know if you need further clarification, and rate if it helps.

Regards,

Kamal

Re: L2L VPN BY DOING STATIC NAT FOR THE SERVER BEHIND THE GATEWAY?

Hi Kamal,

Thanks for responding.

Basically I am doing a static NAT in the ASA (site 2), as shown below.

static (inside,outside) 124.x.88.117 192.168.200.204

I have a crypto ACL as below.

access-list cryptoacl extended permit ip host 124.x.88.117 host 194.31.x.106

where 194.31.x.106 is the server at site 1.

I apply the same cryptoacl as the matching traffic in the crypto map config as well.

I am also configuring the crypto map to set the peer IP to the site 1 7200 public IP, i.e. 194.x.x.177.

Do I have to open any ports in the 2800 router (site 2) to allow reply packets from site 1? If so, should I be specifically allowing ports 500, 4500, etc.? I need your suggestion on whether I am right in my understanding. Site 1 has permitted traffic from my NATted IP and they have also set the peer appropriately. My doubts all pertain to site 2, where I am configuring the ASA.

Regards, Jithesh

Re: L2L VPN BY DOING STATIC NAT FOR THE SERVER BEHIND THE GATEWAY?

Kindly let me know if I can NAT the traffic and send it over the VPN tunnel, or whether, as many other documents suggest, I should do a nat 0 and then send that traffic to site 1.

Regards, Jithesh
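The two designs Kamal describes (encrypt the NATted public address, or exempt the flow from NAT and encrypt the private address), the ASA crypto ACL Jithesh posts, and the "which ports on the 2800" question from his second post can all be laid out in one configuration. The following is an added example written for this page, not configuration from the thread or from Cisco. It assumes the ASA terminates the tunnel (as Jithesh's second post says, not the 2800 as Kamal first assumed), ASA interface names inside and outside, an ASA outside address of 124.x.88.116, an ACL name OUTSIDE-IN and interface FastEthernet0/0 on the 2800, a pre-shared key, and AES-256/SHA-1/DH group 2 as the proposal; masked octets ("x") are kept as they appear in the thread.

```cisco
! ===================== Site 2 ASA (7.2.x) =====================
! Assumptions for this example: ASA outside address 124.x.88.116,
! pre-shared key placeholder, AES-256/SHA/group 2 proposal.

! Phase 1 (ISAKMP). The site 1 7600 must offer a matching policy.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 194.x.x.177 type ipsec-l2l
tunnel-group 194.x.x.177 ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY>

! Phase 2 (IPsec) transform set.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! ----- Option A: keep the static NAT, encrypt the translated address -----
! The ASA translates a packet before it evaluates the crypto map, so the
! crypto ACL must match the post-NAT source 124.x.88.117. Site 1's crypto
! ACL is the mirror image: permit ip host 194.31.x.106 host 124.x.88.117.
! Decrypted replies to 124.x.88.117 are un-translated by the same static.
static (inside,outside) 124.x.88.117 192.168.200.204 netmask 255.255.255.255
access-list cryptoacl extended permit ip host 124.x.88.117 host 194.31.x.106

! ----- Option B: exempt the flow from NAT, encrypt the private address -----
! Use INSTEAD of Option A's crypto ACL when site 1 should see 192.168.200.204.
! NAT exemption (nat 0 access-list) is evaluated before the static, so only
! traffic to 194.31.x.106 leaves untranslated; everything else from the server
! still uses 124.x.88.117. Site 1's crypto ACL then names 192.168.200.204.
! (Commented out here so the file is not applying both options at once.)
!access-list nonat extended permit ip host 192.168.200.204 host 194.31.x.106
!nat (inside) 0 access-list nonat
!access-list cryptoacl extended permit ip host 192.168.200.204 host 194.31.x.106

! Crypto map: identical for both options, only the crypto ACL contents differ.
crypto map outside_map 10 match address cryptoacl
crypto map outside_map 10 set peer 194.x.x.177
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside

! ===================== Site 2 Cisco 2800 (IOS) =====================
! Between the gateways the 2800 only sees IKE (UDP/500), NAT-T (UDP/4500)
! and ESP (IP protocol 50). The server's application ports travel inside
! ESP and need no entries here. Add these to the ACL already applied inbound
! on the Internet-facing interface (name and interface are assumptions);
! the ACL's implicit deny means any existing permits must be kept.
ip access-list extended OUTSIDE-IN
 remark IKE, NAT-T and ESP from the site 1 gateway to the ASA outside address
 permit udp host 194.x.x.177 host 124.x.88.116 eq isakmp
 permit udp host 194.x.x.177 host 124.x.88.116 eq non500-isakmp
 permit esp host 194.x.x.177 host 124.x.88.116
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in
```

Two checks worth doing before blaming the ACLs: the 2800 must already deliver 124.x.88.117 to the ASA outside interface (it does if the static already works from the Internet), and with Option A the IKE/ESP session is sourced from the ASA outside address, not from 124.x.88.117, so the 2800 entries must name the outside address. Also note that on the ASA, decrypted VPN traffic bypasses the outside interface ACL while sysopt connection permit-vpn is at its default; if site 1 should reach only specific ports on the server, restrict the tunnel with a vpn-filter in the tunnel-group's group policy rather than relying on the interface ACL.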
