https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883753#M958834 <HTML><HEAD></HEAD><BODY><P>George please post your running config </P><P>nat (inside) 6 10.1.1.0 255.255.255.0 </P><P>global (outside) 6 5.5.5.5 </P><P></P><P>This config may prevent your internet access. So please post your config and let me advise</P><P></P><P></P></BODY></HTML> Fri, 14 Dec 2007 19:23:39 GMT Alan Huseyin Kayahan 2007-12-14T19:23:39Z https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883745#M958826 <P>Hi all,</P><P></P><P>I have a question regarding IPSec site to site VPN.</P><P></P><P>There is an internal network, say 10.1.1.0/24 which NATs to global address 5.5.5.5 on the Outside interface. The remote network is 20.20.20.0/24</P><P></P><P>I want to NAT to the global address then send that over the tunnel.</P><P></P><P>Should the crypto map statement map the inside network 10.1.1.0/24 to the remote network 20.20.20.0/24 or should it map from the global NAT address 5.5.5.5?</P><P></P><P>Hope this is clear, thanks for any replies!</P> Mon, 11 Mar 2019 11:42:45 GMT https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883745#M958826 george_daly 2019-03-11T11:42:45Z https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883746#M958827 <HTML><HEAD></HEAD><BODY><P>Cryptomap should include the global address (NATed), not inside network in your case</P><P></P><P>access-list outside_100_cryptomap permit ip host 5.5.5.5 20.20.20.0 255.255.255.0</P></BODY></HTML> Wed, 12 Dec 2007 10:47:21 GMT https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883746#M958827 Alan Huseyin Kayahan 2007-12-12T10:47:21Z https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883747#M958828 <HTML><HEAD></HEAD><BODY><P>Hi George</P><P> Feel free to ask dependent questions. For example how do you plan Conditional exempt NAT?</P><P></P><P>Regards</P></BODY></HTML> Wed, 12 Dec 2007 11:22:57 GMT https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883747#M958828 Alan Huseyin Kayahan 2007-12-12T11:22:57Z https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883748#M958829 <HTML><HEAD></HEAD><BODY><P>Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>So I need to enable the option to allow communication between VPN peers connected to the same interface because this is an Outside to Outside tunnel?</P><P></P><P>Regarding the NAT - I already have exemptions specified from the internal network to the other internal address spaces through a NAT 0 access list if thats what you mean?</P><P></P></BODY></HTML> Wed, 12 Dec 2007 11:49:19 GMT https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883748#M958829 george_daly 2007-12-12T11:49:19Z https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883749#M958830 <HTML><HEAD></HEAD><BODY><P>My typo, I didnt mean exempt. Here is what I mean</P><P> You have a nat statement like following</P><P></P><P>nat (inside) 1 0 0</P><P>global (outside) 1 interface</P><P></P><P>or </P><P></P><P>nat (inside) 1 10.1.1.0 255.255.255.0</P><P>global (outside) 1 interface</P><P></P><P></P><P>Above statements wont let you NAT 10.1.1.0/24 to a 5.5.5.5 outside IP. You should have the following</P><P></P><P></P><P>access-list CNat permit ip 10.1.1.0 255.255.255.0 20.20.20.0 255.255.255.0</P><P>nat (inside) 1 access-list CNat</P><P>nat (inside) 2 0 0</P><P>global (outside) 1 5.5.5.5 255.255.255.255</P><P>global (outside) 2 interface</P><P>access-list outside_100_cryptomap permit ip host 5.5.5.5 20.20.20.0 255.255.255.0</P><P></P><P>Make sure the statements in CNat and outside_100_cryptomap do not exist in your nat exempt rule</P><P></P><P>"So I need to enable the option to allow communication between VPN peers connected to the same interface because this is an Outside to Outside tunnel"</P><P> No. Your outside interface was peer for tunnel and still is. Your ASA outside to remote ASA outside. You should enable same security interface traffic, If you want to permit traffic from a VPN site, ends at outside interface, to a VPN site again which also ends at outside interface.</P><P></P><P></P><P>Regards</P></BODY></HTML> Wed, 12 Dec 2007 13:02:50 GMT https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883749#M958830 Alan Huseyin Kayahan 2007-12-12T13:02:50Z https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883750#M958831 <HTML><HEAD></HEAD><BODY><P>Thanks for your detailed reply, much appreciated.</P><P></P><P>I'm still not quite there, 10.1.1.0/24 doesn't NAT to 5.5.5.5 I think it just routes directly down the tunnel. This is the config I have currently:</P><P></P><P>access-list outside_cryptomap_20_1 permit ip host 5.5.5.5 20.20.20.0 255.255.255.0</P><P></P><P>access-list outside_nat0_inbound permit ip host 5.5.5.5 20.20.20.0 255.255.255.0</P><P></P><P>nat (inside) 0 access-list NONAT</P><P>nat (inside) 6 10.1.1.0 255.255.255.0</P><P>nat (outside) 0 access-list outside_nat0_inbound outside</P><P>global (outside) 6 5.5.5.5</P><P></P><P>In which access-list do I need to permit 10.1.1.0/24 20.20.20.0/24, or is an additional access-list required?</P><P></P></BODY></HTML> Wed, 12 Dec 2007 15:58:44 GMT https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883750#M958831 george_daly 2007-12-12T15:58:44Z https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883751#M958832 <HTML><HEAD></HEAD><BODY><P>I am also in the same boat. I need to setup a site-to-site VPN connection to a vendor. Because of some addressing conflicts I need to both the hosts that reside on my network and the hosts on the remote side. Is this something that is doable or should I have the vendor do part of the natting.</P></BODY></HTML> Thu, 13 Dec 2007 18:25:17 GMT https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883751#M958832 pvaysberg 2007-12-13T18:25:17Z https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883752#M958833 <HTML><HEAD></HEAD><BODY><P>I found two great docs on this from cisco's site. Finally got my stuff working. </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml</A></P><P></P><P>and </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml" target="_blank">http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml</A></P><P></P></BODY></HTML> Fri, 14 Dec 2007 16:23:26 GMT https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883752#M958833 pvaysberg 2007-12-14T16:23:26Z https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883753#M958834 <HTML><HEAD></HEAD><BODY><P>George please post your running config </P><P>nat (inside) 6 10.1.1.0 255.255.255.0 </P><P>global (outside) 6 5.5.5.5 </P><P></P><P>This config may prevent your internet access. So please post your config and let me advise</P><P></P><P></P></BODY></HTML> Fri, 14 Dec 2007 19:23:39 GMT https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883753#M958834 Alan Huseyin Kayahan 2007-12-14T19:23:39Z https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883754#M958835 <HTML><HEAD></HEAD><BODY><P> Hi Paul</P><P> Just leave a post if you need assistance</P><P></P><P>Regards </P></BODY></HTML> Fri, 14 Dec 2007 19:26:07 GMT https://community.cisco.com/t5/network-security/asa-site-to-site-ipsec-vpn-question/m-p/883754#M958835 Alan Huseyin Kayahan 2007-12-14T19:26:07Z