03-08-2012 11:14 AM - edited 03-11-2019 03:39 PM
Hi,
I want to configure site to site as:
Site A wants to use a public IP range in the interesting traffic.
Site B wants to use a private IP range in the interesting traffic.
site A range 196.x.x.x/255.255.255.0
Site B range 172.16.4.0/255.255.252.0
Note: Site B also has a site-to-site tunnel with another client (Site C).
Site B and Site C have private IPs in the VPN.
Please clear my doubt.
SIteA(196.x.x.x./24)............>Site B(172.16.x.x/16)
\\------------------------------------>Site C(10.10.x.x/16)
No nat
Currently I am using no-NAT between Site B and Site C.
If I want to use the same Site B range with the Site A range, is there any problem I can face with this configuration?
Regards,
Prashant
03-08-2012 08:24 PM
"If i want to use same site B range with SIte A range , is there any problem i can face with this configuration"
there is no problem whatsoever, whether you use public address or private address.
In the interesting-traffic crypto ACL you use the public address; there is one difference there though: there is no need for no-NAT when you are using a public address in the crypto ACL.
Hope that answers your question
thanks
Rizwan Rafeek
03-08-2012 09:11 PM
Thanks ,
So i have to configure like below:-
Note ip: Site B-10.x.x.x SIte A 196.x.x.x Site C 10.x.x.x
Between site B and site c
access-list nonat extended permit ip 10.x.x.0 255.255.255.0 172.x.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 10.x.x.0 255.255.255.0 172.x.0.0 255.255.0.0
I have the configuration as mentioned for the site-to-site VPN between Site A and Site C.
Now, if I want to use a public IP for Site A,
then the configuration on Site B should be as:
access-list outside_2_cryptomap extended permit ip 10.x.x.0 255.255.255.0 196.x.x.x 255.255.255.0
Am i correct on above configuration
Regards,
Prashant
03-08-2012 09:32 PM
"access-list outside_2_cryptomap extended permit ip 10.x.x.0 255.255.255.0 196.x.x.x 255.255.255.0"
Yes, the ACL looks fine; please make sure of the mask on the 196 public address and its network address.
You also want to use different name on the ACL as "outside_3_cryptomap" instead of "outside_2_cryptomap"
Thanks
03-08-2012 09:38 PM
Thanks for reply
I will take care of the cryptomap access-list name as well as the public IP range.
Regards,
Prashant
03-08-2012 10:52 PM
Hi,
Below is the my final configuration using ASDM
Any modification required
crypto isakmp enable outside1
asdm location 10.x.x.0 255.255.255.0 inside
asdm location 182.x.x.x 255.255.255.240 inside
access-list outside1_1_cryptomap line 1 extended permit ip 10.x.x.0 255.255.255.0 182.x.x.x 255.255.255.240
access-list inside_nat0_outbound line 1 extended permit ip 10.x.x.0 255.255.255.0 182.x.x.x 255.255.255.240- removed
tunnel-group 182.x.x.x type ipsec-l2l
tunnel-group 182.x.x.x ipsec-attributes
pre-shared-key ***********
isakmp keepalive threshold 10 retry 2
crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ctrls esp-3des esp-sha-hmac
crypto map outside1_map 1 match address outside1_1_cryptomap
crypto map outside1_map 1 set peer 182.x.x.x
crypto map outside1_map 1 set transform-set ctrls
crypto map outside1_map interface outside1
nat (inside) 0 access-list inside_nat0_outbound tcp 0 0 udp 0 -----removed
Regards,
Prashant
03-09-2012 01:36 AM
Try without no nat.
you do not need this line: nat (inside) 0 access-list inside_nat0_outbound
It should work
thanks
03-09-2012 05:57 AM
Hi,
My scenario has changed a little bit.
Now the scenario is as follows:
Site A and Site B already have a tunnel with private IPs.
Now Site A wants to configure a new site-to-site VPN with Site C (public IP), NATing the private LAN range to a public IP range.
So is there any problem with the existing site-to-site VPN with no-NAT?
lets take a example
Existing VPN b/w Site A and Site B
access-list nonat extended permit ip 10.x.x.0 255.255.255.0 172.x.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 10.x.x.0 255.255.255.0 172.x.0.0 255.255.0.0
Now i want to NAT Same lan range with public ip and want to use that Public ip range in Site to site VPN with SIte C
Please Help me....
03-09-2012 08:00 AM
You need a policy nat.
STEP 1:
access-list policy-nat-acl extended permit ip 10.x.x.0 255.255.255.0 172.x.0.0 255.255.0.0
Identify interesting traffic as source and destination needed to be natted on above ACL.
-------------------------------------------------------------
STEP 2:
static (inside,outside) xxx.xxx.xxx.xxx access-list policy-nat-acl
Now static-NAT your private source to a public address; in "xxx.xxx.xxx.xxx" use the public IP range as you wish.
-------------------------------------------------------------
STEP3:
access-list outside_4_cryptomap extended permit ip xxx.xxx.xxx.xxx mask.mask.mask.mask 172.x.0.0 255.255.0.0
In the crypto ACL above you could use the network address itself plus its mask, or an IP address alone, but be consistent with step 2; the remaining config is just like a regular VPN tunnel setup.
Thanks
Rizwan Rafeek
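The three steps above, together with the earlier point in this thread that the crypto ACL describes the addresses as they look after NAT (private with a nat 0 exemption, public with policy NAT), as an added Python model. It is not part of the thread and not Cisco code: it parses 8.2-style ASA lines, applies the NAT rule that matches a flow the way the ASA does before the crypto-map check on outbound traffic, and then tests the crypto ACL against the translated packet. The addresses (10.1.1.0/24 as the private LAN, 203.0.113.0/24 as the public pool, 172.16.0.0/16 as the remote site), the ACL names, and the host-bit-preserving net-to-net translation of the static statement are all constructed assumptions.

```python
"""Added model (not from the thread, not Cisco code) of an ASA with 8.2-style
NAT: on outbound traffic, NAT exemption / policy static NAT is applied first,
then the crypto-map ACL is matched against the translated packet.  Use it to
check that a crypto ACL is consistent with the NAT statement in front of it.
All addresses and names below are constructed sample values."""
import ipaddress
import re

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

ACE_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) access-list (\S+)$")
NAT0_RE = re.compile(r"nat \(\S+\) 0 access-list (\S+)")


class AsaNatModel:
    def __init__(self, config_lines):
        self.acls = {}        # ACL name -> list of (src_net, dst_net)
        self.policy_nat = []  # (mapped base address, ACL name) from 'static ... access-list'
        self.exempt = []      # ACL names from 'nat (inside) 0 access-list ...'
        self.crypto_acl = None
        for raw in config_lines:
            line = raw.strip()
            if line.startswith("access-list "):
                m = ACE_RE.match(line)
                if not m:
                    raise ValueError(f"unsupported ACE: {line}")
                name, s, sm, d, dm = m.groups()
                self.acls.setdefault(name, []).append((Net(f"{s}/{sm}"), Net(f"{d}/{dm}")))
            elif line.startswith("static "):
                m = STATIC_RE.match(line)
                if not m:
                    raise ValueError(f"unsupported static: {line}")
                self.policy_nat.append((Addr(m.group(3)), m.group(4)))
            elif NAT0_RE.match(line):
                self.exempt.append(NAT0_RE.match(line).group(1))
            elif line.startswith("crypto map ") and " match address " in line:
                self.crypto_acl = line.split()[-1]

    @staticmethod
    def _hit(aces, src, dst):
        return any(src in s and dst in d for s, d in aces)

    def translate(self, src, dst):
        """Return (post-NAT source, rule applied). Exemption wins over policy static."""
        for name in self.exempt:
            if self._hit(self.acls.get(name, []), src, dst):
                return src, "nat0-exempt"
        for mapped_base, name in self.policy_nat:
            for s, d in self.acls.get(name, []):
                if src in s and dst in d:
                    # Assumption: net-to-net static keeps the host bits, so 10.1.1.5
                    # maps to mapped_base + 5 when the policy ACL source is a /24.
                    offset = int(src) - int(s.network_address)
                    return Addr(int(mapped_base) + offset), "policy-static"
        return src, "untranslated"

    def crypto_check(self, src, dst):
        """Does the crypto ACL select this flow once NAT has been applied?"""
        src, dst = Addr(src), Addr(dst)
        post_src, how = self.translate(src, dst)
        hit = self._hit(self.acls.get(self.crypto_acl, []), post_src, dst)
        return {"post_nat_src": str(post_src), "nat": how, "crypto_match": hit}


# Constructed Site A config following the three steps: private 10.1.1.0/24 is
# policy-NATed to 203.0.113.0/24 only towards Site C's 172.16.0.0/16.
POLICY_NAT_CORRECT = [
    "access-list policy-nat-acl extended permit ip 10.1.1.0 255.255.255.0 172.16.0.0 255.255.0.0",
    "static (inside,outside) 203.0.113.0 access-list policy-nat-acl",
    "access-list outside_4_cryptomap extended permit ip 203.0.113.0 255.255.255.0 172.16.0.0 255.255.0.0",
    "crypto map outside_map 4 match address outside_4_cryptomap",
]
# Same NAT, but the crypto ACL still names the private range (the inconsistency step 3 warns about).
POLICY_NAT_WRONG = POLICY_NAT_CORRECT[:2] + [
    "access-list outside_4_cryptomap extended permit ip 10.1.1.0 255.255.255.0 172.16.0.0 255.255.0.0",
    "crypto map outside_map 4 match address outside_4_cryptomap",
]
# The existing private-to-private tunnel: nat 0 exemption, so the crypto ACL uses private addresses.
NO_NAT_TUNNEL = [
    "access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.0.0 255.255.0.0",
    "nat (inside) 0 access-list nonat",
    "access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 172.16.0.0 255.255.0.0",
    "crypto map outside_map 2 match address outside_2_cryptomap",
]


def check(config_lines, src="10.1.1.5", dst="172.16.4.10"):
    """Run one constructed flow through a config and report the NAT and crypto outcome."""
    return AsaNatModel(config_lines).crypto_check(src, dst)


if __name__ == "__main__":
    for label, cfg in [("policy NAT, public crypto ACL", POLICY_NAT_CORRECT),
                       ("policy NAT, private crypto ACL", POLICY_NAT_WRONG),
                       ("nat 0 exemption, private crypto ACL", NO_NAT_TUNNEL)]:
        print(f"{label}: {check(cfg)}")
```

The second config is the failure mode to look for when a policy-NAT tunnel never comes up: the static translates 10.1.1.5 to 203.0.113.5 before the crypto map is consulted, so a crypto ACL that still permits 10.1.1.0/24 never matches and the traffic leaves in the clear or is dropped. The third config shows why the existing private tunnel keeps working untouched: its nat 0 exemption is evaluated first and leaves the source unchanged, which is exactly what its private-address crypto ACL expects.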