I have two sites, say A and B. I need to do VPN between these two sites.
In Site A LAN, we have a server which is NATed to a public IP. In site B, we have another server which is also NATed to a public IP. I need to permit these public IPs in the VPN ACL. We have an ASA in site A and a Cisco 2801 router in site B.
In site A where we have the ASA, I didn't give the NAT exemption rule and I could bring up the VPN from site A. But I am not able to bring up the tunnel from site B.
Site A's VPN ACL:
access-list outside_cryptomap_1 extended permit ip host a.b.c.d host p.q.r.s
Site B ACL:
permit ip host p.q.r.s host a.b.c.d
where a.b.c.d is the public IP to which we have NATed the server in Site A
and p.q.r.s is the public IP to which we have NATed the other server in Site B
I seem to be missing something in site B. The reason I say this is, I don't see any hits in the "permit ip host p.q.r.s host a.b.c.d" ACL in site B when I try to ping a.b.c.d from the server p.q.r.s. This server is located in a LAN with a private IP which is NATed in the router.
Please let me know if you need more explanation on my scenario. Any help greatly appreciated.
Since the tunnel is coming up when you initiate a tunnel from Site A, it does not seem to be an issue with the crypto configuration. It probably seems to be an issue with routing or NATing at Site B because of which there are no hits on the ACL.
When you bring up the tunnel from Site A, are you able to access p.q.r.s from a.b.c.d?
Could you also attach the config and the "show ip route" output from the router at site B?
Also, could you please confirm that the traffic (from server p.q.r.s to a.b.c.d) is reaching the router at Site B. This is to eliminate any routing issues in the internal network at site B.
Yes, the issue is not with the VPN configuration. It has something to do with NAT or routing.
I am able to access p.q.r.s from a.b.c.d, and I could see hits in the Site B router VPN ACL.
RMPA-R-001_2801#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is yy.yy.yy.yy (my ISP gateway IP) to network 0.0.0.0

S    192.168.45.0/24 [1/0] via 192.168.6.1
S    192.168.42.0/24 [1/0] via 192.168.6.1
S    192.168.40.0/24 [1/0] via 192.168.6.1
S    192.168.41.0/24 [1/0] via 192.168.6.1
S    192.168.5.0/24 is directly connected, FastEthernet0/0
     192.168.6.0/24 is variably subnetted, 3 subnets, 2 masks
S       192.168.6.0/32 [1/0] via 192.168.6.1
C       192.168.6.0/24 is directly connected, FastEthernet0/0
S       192.168.6.20/32 [1/0] via 192.168.6.1
     p.0.0.0/28 is subnetted, 1 subnets
C       xx.xx.xx.xx is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via yy.yy.yy.yy (my ISP gateway IP)
Below are the NAT rules in the router config:
ip nat pool isp_nat_pool netmask 255.255.255.248
ip nat inside source route-map isp pool reliance_nat_pool overload
ip nat inside source static 192.168.42.25 p.q.r.s
where 192.168.42.25 is the internal IP of the server
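As an added example (not from the thread or from Cisco), a small Python check that encodes the two things the replies above are probing: whether the two crypto ACLs are exact mirrors of each other, and what source address the site B crypto ACL actually sees once the static NAT has translated the inside server. The public addresses, the static NAT entry and the ACE parser (host/any forms only) are constructed stand-ins for the thread's a.b.c.d, p.q.r.s and configuration.

```python
import ipaddress

# Constructed stand-ins (RFC 5737 addresses) for the thread's a.b.c.d (site A
# server, post-NAT) and p.q.r.s (site B server, post-NAT).
SITE_A_ACL = ("access-list outside_cryptomap_1 extended permit ip "
              "host 203.0.113.10 host 198.51.100.20")
SITE_B_ACL = "permit ip host 198.51.100.20 host 203.0.113.10"
# Assumed static NAT at site B, modelled on the thread's
# 'ip nat inside source static 192.168.42.25 p.q.r.s'.
SITE_B_STATIC_NAT = {"192.168.42.25": "198.51.100.20"}

def parse_ace(line):
    """Return (src, dst) networks from a 'permit ip' ACE. Handles the 'host X'
    and 'any' forms used in the thread (ASA 'extended' and IOS syntax share
    them); any other address form raises ValueError."""
    tokens = line.split()
    i = tokens.index("permit") + 2  # skip 'permit ip'
    nets = []
    while len(nets) < 2:
        if tokens[i] == "host":
            nets.append(ipaddress.ip_network(tokens[i + 1]))
            i += 2
        elif tokens[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        else:
            raise ValueError(f"unsupported ACE form: {line}")
    return nets[0], nets[1]

def acls_mirror(acl_a, acl_b):
    """Crypto ACLs must be exact mirrors (A's source is B's destination and
    vice versa), or one peer proposes a proxy ID the other will not accept."""
    a_src, a_dst = parse_ace(acl_a)
    b_src, b_dst = parse_ace(acl_b)
    return a_src == b_dst and a_dst == b_src

def post_nat_matches(inside_src, dst, static_nat, crypto_acl):
    """IOS translates inside->outside before consulting the crypto map, so the
    crypto ACL sees the NATed source. Returns (translated_src, matches)."""
    translated = static_nat.get(inside_src, inside_src)
    acl_src, acl_dst = parse_ace(crypto_acl)
    matches = (ipaddress.ip_address(translated) in acl_src
               and ipaddress.ip_address(dst) in acl_dst)
    return translated, matches

if __name__ == "__main__":
    print("ACLs mirror:", acls_mirror(SITE_A_ACL, SITE_B_ACL))
    for host in ("192.168.42.25", "192.168.42.26"):
        print(host, post_nat_matches(host, "203.0.113.10", SITE_B_STATIC_NAT, SITE_B_ACL))
```

Traffic that does not match the crypto ACL is not dropped by the crypto map but forwarded in the clear, so an inside host the static entry does not cover (or one the overload pool translates instead) is worth checking with the same function.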