Community Member

Outside address for L2L


I'm trying to set up an L2L VPN between 2 ASAs.

ASA at site A has a public IP address.

At site B, instead, the ISP router forwards all the incoming traffic for a pool of public IP addresses to a group of private addresses configured on the ASA.

I wish to use one of these IP addresses for an L2L VPN between the 2 sites.

The doubt I have is which IP address I should specify for the tunnel.

So far I have used a private IP address as the L2L peer; however, apparently it doesn't work.

Can anybody give me some feedback about the config?


Re: Outside address for L2L

In site A, you definitely need to use the public IP address that the router is NATing the site B ASA to. If you don't have one, you could use the public IP of the router and forward to the outside of the ASA.

crypto map OUTSIDE 20 set peer
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *

Option 2 would be to create a dynamic tunnel where no peer address is specified in the site A ASA. In this case you would do this:

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *

Community Member

Re: Outside address for L2L

If I have understood:

- at site A it is necessary:

nat (inside) 0 access-list #interesting traffic to site B#
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes

No global (outside) statement? Or do I need a global statement in order to have private network traffic traversing the public network?

- at site B:

Same question, except I will use the tunnel-group with the public IP address.

Furthermore: should I use the IP address of the outside interface or for the tunnel peer?

I mean: site A has IP 82.x.y.z on the outside; however, the hosts are NATed to 82.x.y.w.
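Added example (not from the thread) putting the static-peer option from the first reply and the nat 0 / global questions above into one pair of ASA 8.2-style configs. All addresses are constructed: 198.51.100.10 is site A's outside interface, 203.0.113.20 is the public address from site B's pool that the ISP router forwards (UDP/500 and UDP/4500, which is enough once NAT-T is on) to site B's private outside interface 192.168.100.2; site A's peer is that forwarded public address, while site B's crypto map and tunnel-group use site A's real outside address.

```cisco
! ---- Site A ASA (outside interface holds public IP 198.51.100.10) ----
! Constructed values: 203.0.113.20 = public address the site B ISP router
! forwards to site B's ASA outside interface 192.168.100.2 (private)
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
! Interesting traffic: site A LAN 10.1.0.0/16 to site B LAN 10.2.0.0/16
access-list L2L_TO_B extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
! nat 0 exempts tunnel traffic from NAT so private addresses cross the tunnel;
! the nat 1 / global pair is only for ordinary Internet PAT, not for the VPN
nat (inside) 0 access-list L2L_TO_B
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface
crypto map OUTSIDE 20 match address L2L_TO_B
crypto map OUTSIDE 20 set peer 203.0.113.20
crypto map OUTSIDE 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE interface outside
! tunnel-group name = the peer address site A sees, i.e. the forwarded public IP
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
!
! ---- Site B ASA (outside interface holds private 192.168.100.2, NATed by ISP) ----
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
access-list L2L_TO_A extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list L2L_TO_A
crypto map OUTSIDE 20 match address L2L_TO_A
! site B peers with site A's real outside interface address, not a hosts' NAT IP
crypto map OUTSIDE 20 set peer 198.51.100.10
crypto map OUTSIDE 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE interface outside
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
```

With this layout the ISP router only has to forward UDP/500 and UDP/4500 for 203.0.113.20 to 192.168.100.2, because NAT-T wraps ESP in UDP/4500 once the ASAs detect the NAT in between.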
