
VPN with external ip

Hi,

I need to set up a VPN tunnel from our 5200 ASA (8.2.1) using an external IP.

This is what I wanted to do, but I'm not sure how:

10.0.0.0/24 --> Global nat (66.0.0.135) -> VPN -> other side 47.0.0.47

I would like to have the ability to use any of my hosts on the 10.0.0.0 network to grab a NAT .135 and go through that VPN tunnel, but I'm not sure that is possible.

My other option would be:

10.0.0.10 --> NAT 66.0.0.136 -> VPN -> other side 47.0.0.47

This is not a great solution since I need more than one internal host to talk to the .47 on the other end of the tunnel.

My inside interface has 10.0.0.0/24

My outside is 66.0.0.134/26


Accepted Solutions

VPN with external ip

Hi Freddy,

What you need is policy-based static NAT for a site-to-site VPN tunnel.

Please follow the Cisco doc link below; it explains how you can implement your solution.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

Please let me know if this helps.

thanks

Rizwan Rafeek

3 REPLIES


VPN with external ip

It helps, but now I get this:

global address overlaps with mask

access-list policy-nat extended permit ip 10.0.0.0 255.255.255.0 host 64.0.0.227

static (inside,outside) 66.0.0.128 access-list policy-nat

I have a global NAT that translates any to 66.0.0.135:

access-list nonat10 extended permit ip 10.0.0.0 255.255.254.0 192.168.200.0 255.255.255.0

global (outside) 1 66.0.0.135 netmask 255.255.255.192

nat (inside) 0 access-list nonat10

nat (inside) 1 0.0.0.0 0.0.0.0
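
Why the ASA rejected the static above, as an added example that is not part of the original posts or Cisco's code: it assumes that on ASA 8.2 a policy static NAT applies the ACL's source mask to the mapped address, so the mapped address must be a network address under that mask. The function names and regexes are this example's own.

```python
import ipaddress
import re

# The two lines from the post above that trigger the error.
CONFIG = """\
access-list policy-nat extended permit ip 10.0.0.0 255.255.255.0 host 64.0.0.227
static (inside,outside) 66.0.0.128 access-list policy-nat
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Only the "network mask" source form is parsed; a "host x" source is a /32
# and can never be misaligned, so it is skipped.
ACL_RE = re.compile(rf"^access-list (\S+) extended permit ip {IP} {IP} ")
STATIC_RE = re.compile(rf"^static \(\S+,\S+\) {IP} access-list (\S+)")

def acl_sources(config):
    """Map ACL name -> source network taken from its first network/mask entry."""
    sources = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, net, mask = m.groups()
            sources.setdefault(name, ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return sources

def check_policy_statics(config):
    """Return (mapped_ip, acl, prefixlen, aligned, enclosing_block) per policy static."""
    sources = acl_sources(config)
    results = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m or m.group(2) not in sources:
            continue
        mapped = ipaddress.ip_address(m.group(1))
        src = sources[m.group(2)]
        # Assumption: the mapped range inherits the ACL source prefix length.
        block = ipaddress.ip_network(f"{mapped}/{src.prefixlen}", strict=False)
        # Host bits set under that mask means the mapped address is not a
        # network address, which is what "overlaps with mask" reports.
        aligned = block.network_address == mapped
        results.append((str(mapped), m.group(2), src.prefixlen, aligned, str(block)))
    return results

if __name__ == "__main__":
    for mapped, acl, plen, aligned, block in check_policy_statics(CONFIG):
        verdict = "ok" if aligned else f"not a /{plen} boundary (block is {block})"
        print(f"static {mapped} via {acl}: {verdict}")
```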

VPN with external ip

Hi Freddy,

You do not have to use all the IPs in the pool for policy-static NAT; you can use just a single IP alone.

Please follow the config below.

static (inside,outside) 66.0.0.135 access-list policy-nat

Please let me know if this helps.

thanks
