We are trying to establish a site-to-site VPN with a partner who only accepts public IPs as the encryption domain. Unfortunately, we have only one public IP address for Internet access, which means we are doing NAT overload.
My question is: how can we configure the same IP assigned to our VPN gateway as the encryption domain and map it back to the original private IPs?
```
access-list l2lvpn extended permit ip 126.96.36.199 host 10.x.x.70

crypto map test_map 1 match address l2lvpn
crypto map test_map 1 set peer 188.8.131.52
crypto map test_map 1 set transform-set ESP-3DES-SHA

tunnel-group 184.108.40.206 type ipsec-l2l
tunnel-group 220.127.116.11 ipsec-attributes
 ikev1 pre-shared-key *
```
As you can see, you are doing the NAT for your internal network to the interface going to 10.x.x.70; this traffic should be going through the VPN tunnel. If you already have the NAT for the Internet where you are NATing everything, this should work as well, and the ASA will know how to send the traffic back to the internal resource.
The only downside is that the remote end cannot initiate traffic, since the ASA will not know where to send the traffic. If you can provide more info, I can provide the exact commands for you.
Thank you for the quick response and information. Unfortunately, our router is not an ASA, so it is not possible to configure nat (inside, outside). However, we will try to translate your suggestion to the router.
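One way to carry the advice above over to an IOS router, as an added example that is not part of the thread and was not written or tested by anyone in it. Every address, interface name and object name below is an assumption (RFC 5737 documentation ranges, a hypothetical GigabitEthernet0/0 outside and GigabitEthernet0/1 inside): 203.0.113.10 is the router's only public IP, 10.1.1.70 the inside server, 198.51.100.1 the partner's VPN peer and 198.51.100.70 the partner host. The point it shows: IOS applies inside-to-outside NAT before it evaluates the crypto map, so the crypto ACL must name the translated public address, which is exactly the encryption domain the partner asks for; no NAT exemption is needed. The thread's transform set is 3DES/SHA-1; the example uses AES-256/SHA-256 and the partner must offer the same proposal, otherwise use what they support.

```cisco
! Added example, not the poster's configuration. All names and addresses
! are assumptions (see lead-in). Pre-shared key is a placeholder.

! --- Interfaces and NAT roles (assumed) ---
interface GigabitEthernet0/0
 description outside - single public IP 203.0.113.10
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
 crypto map PARTNER_MAP
interface GigabitEthernet0/1
 description inside
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 203.0.113.1

! --- Internet NAT overload; also covers traffic to the partner host, so
!     10.1.1.70 leaves the router as 203.0.113.10 before the crypto check ---
ip access-list extended NAT_INSIDE
 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list NAT_INSIDE interface GigabitEthernet0/0 overload

! --- IKEv1 / IPsec to the partner (proposal must match the partner's) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ChangeMe-PSK address 198.51.100.1
crypto ipsec transform-set PARTNER_TS esp-aes 256 esp-sha256-hmac
 mode tunnel

! --- Crypto ACL: post-NAT public IP <-> partner host. This is the
!     encryption domain the partner configures as the mirror image ---
ip access-list extended PARTNER_VPN
 permit ip host 203.0.113.10 host 198.51.100.70

crypto map PARTNER_MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set PARTNER_TS
 match address PARTNER_VPN

! --- Optional: let the partner initiate one service. Decryption happens
!     before outside-to-inside NAT, so a static port map on the interface
!     IP delivers the decrypted packet to the inside host ---
ip nat inside source static tcp 10.1.1.70 443 interface GigabitEthernet0/0 443
```

With only the overload rule in place, the limitation the answer describes still applies: the partner can reach 203.0.113.10, but nothing maps an unsolicited packet to 10.1.1.70, so only sessions started from the inside work. The static port entry at the end removes that for a single TCP port; a second public IP would be needed for a full one-to-one mapping. Check with `show crypto isakmp sa`, `show crypto ipsec sa` (encaps/decaps counters rising) and `show ip nat translations`, where you should see 10.1.1.70 translated to 203.0.113.10 for flows to 198.51.100.70.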