Cisco Support Community

Policy Nat VPN question

I have a VPN tunnel with the following configuration:

access-list DMZ_nat_static extended permit ip host [actual DMZ IP] host [Remote IP]
access-list Outside_3_cryptomap extended permit ip host [one of my outside IP's] host [Remote IP]
static (DMZ,Outside) [one of my outside IP's] access-list DMZ_nat_static
crypto map Outside_map 3 match address Outside_3_cryptomap
crypto map Outside_map 3 set peer REMOTE GATEWAY IP
crypto map Outside_map 3 set transform-set ESP-3DES-MD5
tunnel-group REMOTE GATEWAY IP type ipsec-l2l
tunnel-group REMOTE GATEWAY IP ipsec-attributes
pre-shared-key *

I have the tunnel created, but the remote user cannot connect to my host at [one of my outside IP's]. So I guess my question is whether this should be working, or whether I am missing something. I am also wondering whether the NAT that I have is one-way or both ways.


Re: Policy Nat VPN question


I am wondering why you are using a static for the VPN tunnel; it would be better to create a NAT 0 from your local network going to the remote location. Example:

access-list VPN_NAT_0 permit ip host [actual DMZ host] host [remote IP]
nat (DMZ) 0 access-list VPN_NAT_0

Just take out the static and add the above commands; the access list is exactly the same as the one for the crypto map, or should be.

I hope it helps
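The thread turns on one consistency rule: the crypto map ACL must match the address the remote peer actually sees, which is the static's mapped outside IP in the original post's setup, or the real DMZ host once the reply's nat 0 exemption is in place. The following is an added checker, not part of either post or of Cisco's tooling; it parses the handful of ASA command forms used above and applies that rule to constructed sample configs (the addresses are RFC 5737 placeholders standing in for the bracketed values in the thread).

```python
import re

# Constructed samples modelled on the thread (placeholder addresses, not from the post):
# 10.1.1.5 = actual DMZ host, 203.0.113.10 = one of the outside IPs, 192.0.2.50 = remote host.
STATIC_CONFIG = """
access-list DMZ_nat_static extended permit ip host 10.1.1.5 host 192.0.2.50
access-list Outside_3_cryptomap extended permit ip host 203.0.113.10 host 192.0.2.50
static (DMZ,Outside) 203.0.113.10 access-list DMZ_nat_static
crypto map Outside_map 3 match address Outside_3_cryptomap
"""
NAT0_CONFIG = """
access-list VPN_NAT_0 permit ip host 10.1.1.5 host 192.0.2.50
access-list Outside_3_cryptomap extended permit ip host 10.1.1.5 host 192.0.2.50
nat (DMZ) 0 access-list VPN_NAT_0
crypto map Outside_map 3 match address Outside_3_cryptomap
"""
# Failure mode: static policy NAT kept, but crypto ACL written with the real DMZ host.
MISMATCH_CONFIG = STATIC_CONFIG.replace("host 203.0.113.10 host", "host 10.1.1.5 host")

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip host (\S+) host (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) access-list (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def parse(config):
    """Collect host-to-host ACL entries, policy statics, nat 0 exemptions and crypto ACL names."""
    acls, statics, nat0, crypto = {}, [], [], []
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := STATIC_RE.match(line):
            statics.append((m[3], m[4]))          # (mapped outside IP, policy ACL name)
        elif m := NAT0_RE.match(line):
            nat0.append(m[2])                      # exemption ACL name
        elif m := CRYPTO_RE.match(line):
            crypto.append(m[1])                    # interesting-traffic ACL name
    return acls, statics, nat0, crypto

def translated_source(src, dst, acls, statics, nat0):
    """Source address the peer sees for src->dst: nat 0 exemption wins, then policy static."""
    if any((src, dst) in acls.get(name, []) for name in nat0):
        return src
    for mapped, name in statics:
        if (src, dst) in acls.get(name, []):
            return mapped
    return src  # simplification: no other NAT rules modelled, so traffic stays untranslated

def crypto_acl_consistent(config, real_src, dst):
    """True when every crypto map ACL permits the post-NAT source to the remote host."""
    acls, statics, nat0, crypto = parse(config)
    effective = translated_source(real_src, dst, acls, statics, nat0)
    return bool(crypto) and all((effective, dst) in acls.get(n, []) for n in crypto)
```

Both the original static setup and the reply's nat 0 setup pass the check; the mismatch sample fails because the static rewrites the source to the outside IP while the crypto ACL only lists the DMZ host.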
