Tunnel some traffic (public host) from a remote site through a site-to-site VPN

Hello

I tried, but I did not find a solution to my problem.

On the remote site I have a Cisco ASA 5505, on the central site I have a Cisco 2811 router, with a working site-to-site VPN tunnel.

Cisco ASA 5505 on the remote site:

Outside interface - ISP Internet

Inside interface - 10.110.17.1 (local lan. 10.110.17.0/24)

Central site:

FastEthernet0/0 - 10.110.0.1 (local lan 10.110.0.0/24)

FastEthernet0/1 - ISP Internet

Cisco ASA configuration:

object-group network DM_INLINE_NETWORK_1
 network-object 10.110.0.0 255.255.255.0
 network-object host public_host_IP

access-list outside_1_cryptomap extended permit ip 10.110.17.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

access-list inside_nat0_outbound_1 extended permit ip 10.110.17.0 255.255.255.0 10.110.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.110.17.0 255.255.255.0 host public_host_IP

global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 101 0.0.0.0 0.0.0.0

access-group 121 in interface inside

route outside 0.0.0.0 0.0.0.0 ISP_gateway_IP 1

Central site:

access-list 119 remark IPSec Rule
access-list 119 permit ip 10.110.0.0 0.0.0.255 10.110.17.0 0.0.0.255
access-list 119 permit ip host public_host_IP 10.110.17.0 0.0.0.255

map SDM_CMAP_1 x ipsec-isakmp
 set peer Remote_Site_Public_IP
 ...
 match address 119

interface FastEthernet0/0
 ip address 10.110.0.1 255.255.255.0
 ip access-group 121 in
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 no mop enabled
!
interface FastEthernet0/1
 ip address Public_IP
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 no mop enabled
 crypto map SDM_CMAP_1

route-map SDM_RMAP_1 permit 1
 match ip address 101

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload

access-list 101 deny ip 10.110.0.0 0.0.0.255 10.110.17.0 0.0.0.255
access-list 101 permit ip 10.110.0.0 0.0.0.255 any

Ping from the 10.110.17.0 subnet, as logged on the ASA:

Severity | Date | Time | Syslog ID | Source IP | Destination IP | Description
6 | Feb 06 2012 | 06:25:59 | 302020 | 66.39.41.1 | 10.110.17.11 | Built outbound ICMP connection for faddr public_host_IP/0 gaddr 10.110.17.11/512 laddr 10.110.17.11/512
6 | Feb 06 2012 | 06:26:47 | 302021 | 66.39.41.1 | 10.110.17.11 | Teardown ICMP connection for faddr public_host_IP/0 gaddr 10.110.17.11/512 laddr 10.110.17.11/512

Any help is welcome, and sorry for my English!

1 REPLY

Hello,

1 - On the crypto and NO NAT configuration, you do not need to match the traffic to the public IP address of the remote site.

2 - Can you share the full crypto configuration (isakmp, transform-set, crypto-map and tunnel group) of both sites (of course you can hide the crypto key)?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
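As an added consistency check, not from the thread or from either vendor: the script below parses the crypto ACLs and the ASA NAT-exemption ACL quoted above (ASA netmask/object-group syntax on one side, IOS wildcard syntax on the other), expands the object-group, and reports crypto-ACL entries that are not mirrored on the peer or not covered by the ASA nat 0 ACL. The public host address is a placeholder from the documentation range, since the poster redacted it.

```python
from ipaddress import ip_network

# Constructed from the ACLs quoted in the thread; PUBLIC_HOST is a placeholder
# (documentation range) standing in for the redacted public_host_IP.
PUBLIC_HOST = "198.51.100.10"
ASA_CONFIG = f"""
object-group network DM_INLINE_NETWORK_1
 network-object 10.110.0.0 255.255.255.0
 network-object host {PUBLIC_HOST}
access-list outside_1_cryptomap extended permit ip 10.110.17.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound_1 extended permit ip 10.110.17.0 255.255.255.0 10.110.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.110.17.0 255.255.255.0 host {PUBLIC_HOST}
"""
IOS_CONFIG = f"""
access-list 119 remark IPSec Rule
access-list 119 permit ip 10.110.0.0 0.0.0.255 10.110.17.0 0.0.0.255
access-list 119 permit ip host {PUBLIC_HOST} 10.110.17.0 0.0.0.255
"""

def _term(tokens, groups):
    """One address term: host X | any | object-group NAME | addr mask (ASA netmask or IOS wildcard)."""
    if tokens[0] == "host":
        return [ip_network(tokens[1])], tokens[2:]
    if tokens[0] == "any":
        return [ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    return [ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]  # ipaddress accepts a hostmask too

def parse_acl(config, name):
    """(src, dst) network pairs of the named or numbered ACL; object-groups expanded, remarks skipped."""
    groups, pairs, current = {}, set(), []
    for t in (line.split() for line in config.splitlines()):
        if t[:2] == ["object-group", "network"]:
            current = groups.setdefault(t[2], [])
        elif t and t[0] == "network-object":
            current.extend(_term(t[1:], groups)[0])
        elif t[:2] == ["access-list", name] and "permit" in t:
            srcs, rest = _term(t[t.index("permit") + 2:], groups)  # +2 skips the protocol keyword
            pairs.update((s, d) for s in srcs for d in _term(rest, groups)[0])
    return pairs

def mirror_gaps(local, peer):
    """Crypto-ACL entries on one side whose mirrored (dst, src) entry is missing on the peer."""
    return {(s, d) for s, d in local if (d, s) not in peer}

def unexempted(crypto, nat0):
    """Crypto-ACL entries that the NAT-exemption (nat 0) ACL does not cover, so they would be PATed."""
    return {(s, d) for s, d in crypto if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in nat0)}
```

On the configs as posted both checks come back empty; dropping the public-host line from ACL 119 makes `mirror_gaps` report the 10.110.17.0/24 to public-host entry, which is the kind of asymmetry that silently breaks Phase 2 for that flow.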