https://community.cisco.com/t5/network-security/vpn-and-nat/m-p/1759497#M530443 <P>Hi All</P><P></P><P>My setup..</P><P></P><P>Site 1: Cisco ASA 5505 Firewall running 8.4.1</P><P>Site 2: Cisco 877 Router</P><P></P><P>Between the 2 of these I have a working site to site VPN setup. The only issue is if a NAT rule is set up on the remote office, to access that I have to use to the external IP and go via the NAT. I can't do it 'internally' via the VPN. Why?</P><P></P><P>Example:</P><P>I'm at site 1 on my laptop with an IP assigned by DHCP of 192.168.1.123.</P><P>At site 2 I have a server on 192.168.2.10 running a web server on port 80. Site 2's external public IP is 12.34.56.78.</P><P></P><P><SPAN>If I want to access that web server from my laptop at site one, visiting </SPAN><A class="jive-link-external-small" href="http://192.168.2.10/" target="_blank">http://192.168.2.10/</A><SPAN> does not work. I have to go to </SPAN><A class="jive-link-external-small" href="http://12.34.56.78/" target="_blank">http://12.34.56.78/</A><SPAN>. If I have a server running but with no NAT set up to the WAN for it I can access it fine. The problem only exists one way. I don't have the issue at site 2 when trying to access servers at site 1.</SPAN></P><P></P><P>Config at site 1:</P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>object network LocalLAN</P><P> subnet 192.168.1.0 255.255.255.0</P><P>object network RemoteLAN</P><P> subnet 192.168.2.0 255.255.255.0</P><P></P><P>nat (inside,outside) source static LocalLAN LocalLAN destination static RemoteLAN RemoteLAN</P><P></P><P>object network LocalLAN</P><P> nat (inside,outside) dynamic interface</P><P></P><P>route outside 0.0.0.0 0.0.0.0 33.44.55.66 1</P></PRE><P></P><P>Config at site 2:</P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>ip nat inside source list 140 interface Dialer0 overload</P><P>ip nat inside source static tcp 192.168.2.10 80 interface Dialer0 80</P><P></P><P>interface Dialer0</P><P> ip access-group 110 in</P><P></P><P>ip route 0.0.0.0 0.0.0.0 Dialer0 permanent</P><BR /><P>access-list 110 permit tcp any any eq 80</P><P></P><P>access-list 140 deny&nbsp;&nbsp; ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255</P><P>access-list 140 permit ip 192.168.2.0 0.0.0.255 any</P></PRE><P></P><P>Where am I going wrong please? <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>Thanks Shell_</P> Mon, 11 Mar 2019 21:26:37 GMT shell_uk_ 2019-03-11T21:26:37Z https://community.cisco.com/t5/network-security/vpn-and-nat/m-p/1759497#M530443 <P>Hi All</P><P></P><P>My setup..</P><P></P><P>Site 1: Cisco ASA 5505 Firewall running 8.4.1</P><P>Site 2: Cisco 877 Router</P><P></P><P>Between the 2 of these I have a working site to site VPN setup. The only issue is if a NAT rule is set up on the remote office, to access that I have to use to the external IP and go via the NAT. I can't do it 'internally' via the VPN. Why?</P><P></P><P>Example:</P><P>I'm at site 1 on my laptop with an IP assigned by DHCP of 192.168.1.123.</P><P>At site 2 I have a server on 192.168.2.10 running a web server on port 80. Site 2's external public IP is 12.34.56.78.</P><P></P><P><SPAN>If I want to access that web server from my laptop at site one, visiting </SPAN><A class="jive-link-external-small" href="http://192.168.2.10/" target="_blank">http://192.168.2.10/</A><SPAN> does not work. I have to go to </SPAN><A class="jive-link-external-small" href="http://12.34.56.78/" target="_blank">http://12.34.56.78/</A><SPAN>. If I have a server running but with no NAT set up to the WAN for it I can access it fine. The problem only exists one way. I don't have the issue at site 2 when trying to access servers at site 1.</SPAN></P><P></P><P>Config at site 1:</P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>object network LocalLAN</P><P> subnet 192.168.1.0 255.255.255.0</P><P>object network RemoteLAN</P><P> subnet 192.168.2.0 255.255.255.0</P><P></P><P>nat (inside,outside) source static LocalLAN LocalLAN destination static RemoteLAN RemoteLAN</P><P></P><P>object network LocalLAN</P><P> nat (inside,outside) dynamic interface</P><P></P><P>route outside 0.0.0.0 0.0.0.0 33.44.55.66 1</P></PRE><P></P><P>Config at site 2:</P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>ip nat inside source list 140 interface Dialer0 overload</P><P>ip nat inside source static tcp 192.168.2.10 80 interface Dialer0 80</P><P></P><P>interface Dialer0</P><P> ip access-group 110 in</P><P></P><P>ip route 0.0.0.0 0.0.0.0 Dialer0 permanent</P><BR /><P>access-list 110 permit tcp any any eq 80</P><P></P><P>access-list 140 deny&nbsp;&nbsp; ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255</P><P>access-list 140 permit ip 192.168.2.0 0.0.0.255 any</P></PRE><P></P><P>Where am I going wrong please? <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>Thanks Shell_</P> Mon, 11 Mar 2019 21:26:37 GMT https://community.cisco.com/t5/network-security/vpn-and-nat/m-p/1759497#M530443 shell_uk_ 2019-03-11T21:26:37Z https://community.cisco.com/t5/network-security/vpn-and-nat/m-p/1759498#M530449 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Do you have the private ip of server defined in the crypto ACL on ASA, can yolu provide the interesting config from both&nbsp; the devices?</P><P></P><P>Thanks</P><P>Varun</P></BODY></HTML> Sun, 18 Sep 2011 18:10:57 GMT https://community.cisco.com/t5/network-security/vpn-and-nat/m-p/1759498#M530449 varrao 2011-09-18T18:10:57Z https://community.cisco.com/t5/network-security/vpn-and-nat/m-p/1759499#M530452 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>This bit?</P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>access-list outside_cryptomap extended permit ip object LocalLAN object RemoteLAN</P><P>crypto map mymap 1 match address outside_cryptomap</P></PRE><P></P><P>Surely it's something to do with NAT though on the 877? If it's not NATd to the WAN on the 877 then it works fine.</P><P></P><P>I will post the full configs when I have time, there's a lot of xx'ing out etc I'll need to do!</P><P></P><P>Any ideas from any one though, please shout up <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Thanks</P><P>Shell_</P></BODY></HTML> Mon, 19 Sep 2011 10:44:40 GMT https://community.cisco.com/t5/network-security/vpn-and-nat/m-p/1759499#M530452 shell_uk_ 2011-09-19T10:44:40Z