Cisco Support Community

second VPN possible?


I have attached the diagram of the network we are trying to achieve. We have an existing VPN tunnel between a Cisco ASA firewall - (A End) and a Juniper firewall - (B End). The router is just there to forward the packets.

Basically this VPN is between the 10 subnet of A End and the 192 subnet of B End. Since it is on a private cloud, our routers and ASA are on the 172.x.x.x range. We have NAT EXEMPT on the Cisco ASA (between the 10.10.x.x and 192.x.x.x subnets). We have static routes on our core (A End) pointing the 192.x.x.x subnet through the firewall (and similarly for B End, pointing 10.x.x.x through the firewall). So at the A End, when a packet from the 10 subnet reaches the core, it sees it is a 192 subnet and goes through the firewall, and as there is NO NAT it reaches the other end at the 10 address. Similarly the other end sees it is a 10 address and points it back to the firewall. No problem with this; this works great.

Now there is a need for a VPN between the second Juniper firewall at A End and the Juniper firewall at B End alongside the existing tunnel. How we have approached it is: we have a 1:1 NAT ( NATs back to on the Cisco ASA). So the Juniper firewall at B End is using a peer address of , which NATs back to - but the tunnel doesn't seem to come up on the Juniper firewall. Is this setup possible, or are we missing something?

I am thinking that since we have a NAT exemption (between the 10.10.x.x subnet and the 192.168.x.x subnet), this is causing the problem. We are using the peer address as , but since this gets NATed to (and there is a NAT exemption between the 10.10.x.x range and the 192.x.x.x range), would this cause the issue?

Any thoughts please? If I am unclear on anything, please let me know.



second VPN possible?

Can you narrow down the NAT -> to a specific port instead of just IP to IP?

Because you cannot have it both ways, meaning IP-to-IP NAT being done -> and pass-through IP traffic going via (without port specification) through the ASA at at the same time.

Either you can have the cake or eat the cake while on IP-to-IP, unless you change the NAT -> to a specific port.

I hope it makes sense to you.


second VPN possible?

Thanks, Rizwan. I have been on other stuff and not able to try this. I will give this a shot next week and update. Thanks for the valuable info.


second VPN possible?

The setup that you have shown in the diagram should be functional. Can you please see if you are able to ping from the Juniper at A to the Juniper at B or not?

Provided the crypto ACL is different for the two tunnels.
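Two things the thread asks the poster to verify are whether the crypto ACLs of the two tunnels actually select different traffic, and whether the flow between the second Juniper and its peer is caught by the NAT exemption (which the ASA checks ahead of static NAT, so a flow matching the exemption is sent untranslated and the 1:1 static never applies to it). The following Python script is an added example, not code from the thread or from Cisco: it parses ASA-style `access-list NAME extended permit ip SRC DST` lines, reports crypto ACL entry pairs whose source and destination ranges both overlap, and tests whether a given source/destination pair matches the NAT-exempt ACL. All ACL names and addresses in it are constructed placeholders standing in for the values blanked out in the original post.

```python
"""Sanity checks for a second IPsec tunnel behind an ASA.

Added example, not code from the thread or from Cisco. ACL names and
addresses below are constructed placeholders for the values blanked in
the original post.
"""
import ipaddress
from itertools import product


def _take_addr(tokens, i):
    """Consume one ASA address spec starting at tokens[i].

    Accepts 'any', 'host A.B.C.D' and 'NETWORK MASK'; returns the network
    and the index of the next unread token."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # strict=False tolerates a network address with host bits set
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config_text):
    """Return {acl_name: [(src_net, dst_net), ...]} from
    'access-list NAME extended permit ip SRC DST' lines; other lines
    (remarks, non-ip, deny) are ignored."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list":
            continue
        if tokens[2:5] != ["extended", "permit", "ip"]:
            continue
        src, i = _take_addr(tokens, 5)
        dst, _ = _take_addr(tokens, i)
        acls.setdefault(tokens[1], []).append((src, dst))
    return acls


def overlapping_selectors(acl_a, acl_b):
    """Entry pairs whose source AND destination ranges both overlap.

    Crypto map entries are matched in sequence order, so if the first
    tunnel's ACL already covers a flow the second tunnel never sees it."""
    return [(a, b) for a, b in product(acl_a, acl_b)
            if a[0].overlaps(b[0]) and a[1].overlaps(b[1])]


def exemption_covers(exempt_acl, src_ip, dst_ip):
    """True when src->dst matches the NAT-exempt ACL.

    NAT exemption is evaluated before static NAT on the ASA, so a flow
    that matches here is sent untranslated and the 1:1 static never
    applies to it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in es and d in ed for es, ed in exempt_acl)


# Constructed sample configuration (placeholders, not the poster's values).
SAMPLE_CONFIG = """
access-list VPN_CORE extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list VPN_JUNIPER extended permit ip host 10.10.50.5 192.168.0.0 255.255.0.0
access-list VPN_DISTINCT extended permit ip 10.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NAT_EXEMPT extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
"""


def run_checks(config_text=SAMPLE_CONFIG):
    """Run both checks over a config and return the findings."""
    acls = parse_acls(config_text)
    return {
        # second tunnel's selector sits inside the first tunnel's: conflict
        "core_vs_juniper": overlapping_selectors(acls["VPN_CORE"], acls["VPN_JUNIPER"]),
        # disjoint source range: no conflict
        "core_vs_distinct": overlapping_selectors(acls["VPN_CORE"], acls["VPN_DISTINCT"]),
        # a 10.10.x.x host talking to 192.168.x.x hits the exemption first
        "juniper_peer_exempt": exemption_covers(acls["NAT_EXEMPT"], "10.10.50.5", "192.168.1.1"),
        "distinct_peer_exempt": exemption_covers(acls["NAT_EXEMPT"], "10.20.0.1", "192.168.1.1"),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

In the constructed sample the second tunnel's ACL (`VPN_JUNIPER`) is a subset of the first tunnel's (`VPN_CORE`), so the overlap check flags it, and the 10.10.50.5 host is inside the NAT-exempt pair, which is the situation the original post suspects; the `VPN_DISTINCT` entry shows the clean case. Paste the real `show running-config access-list` output in place of `SAMPLE_CONFIG` and substitute the actual Juniper and peer addresses to run it against a live box.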
