
Site-To-Site VPN via specific address

Plamen Micovic
Level 1

Hello all,

 

We need your assistance in helping us construct a tunnel on an ASA 5510 to our vendor's servers. We were given a 10-network unique IP address (to add a level of complexity, we are using the same network on our internal interface, so I am worried about routing issues) through which we must connect. The security and other parameters are set, but I do not know how to send all traffic addressed to the vendor's machines through the tunnel.

Narrative:

 

Send all traffic from server 192.168.123.456 and subnet 192.168.456.0/24 to 123.456.789.100 through tunnel X via address 10.123.456.789, while making sure that the rest of the traffic to the outside goes through the standard ASA outside interface, and the 10.0.0.0 traffic remains routed properly.

 

Thanks for your assistance. This issue has been giving me a continuous headache; any help would be greatly appreciated.

 

Regards,

 

Plamen

2 Accepted Solutions

Kanwaljeet Singh
Cisco Employee

Hi Plamen,

If I have understood correctly, your requirement is as below:

Subnet 192.168.45.0/24 should be natted to 10.123.45.78 while it needs to go to 12.45.78.100?

Is that correct? If yes, then you need to do manual NAT or twice NAT, and that should take care of the issue. All other traffic should continue to flow using the existing auto NAT rule.

Btw - IPs 456, 789 look funny :)

Let me know if you have any questions.

Regards,

Kanwal

Note: Please mark answers if they are helpful.


rizwanr74
Level 7

What you need is dynamic policy NAT, and I assume your ASA interfaces are named "inside" and "outside".

access-list policy-nat extended permit ip host 192.168.123.456 host 123.456.789.100
access-list policy-nat extended permit ip 192.168.456.0 255.255.255.0 host 123.456.789.100
 
access-list crypto-acl1 extended permit ip host 1.2.3.4 host 123.456.789.100

 

Let's say this is a public address (1.2.3.4) on your side, and the other remote tunnel peer will accept traffic from your tunnel peer when traffic is sent from this IP address 1.2.3.4.


global (outside) 2 1.2.3.4
nat (inside) 2 policy-nat


crypto map L2L_VPN 3 match address crypto-acl1
crypto map L2L_VPN 3 set peer 10.123.456.789

 

Hope this helps.

Thanks

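The point both replies make is the same: the inside sources are translated to the vendor-assigned address first, and only then is the crypto-map ACL consulted, so the crypto ACL has to list the translated source, not the real inside hosts. The script below is an added example, not configuration or code from the thread or from Cisco; it models that order of operations, parses the two ACE shapes used above, and adds two checks a practitioner would want before bringing the tunnel up: that every policy-NAT flow is still matched by the crypto ACL after translation (otherwise it would leave the outside interface in the clear), and whether an address falls inside a route that points back to the inside network, which is the overlap the original poster was worried about. Addresses are the thread's placeholders where they are valid (192.168.45.0/24, 10.123.45.78, 12.45.78.100); the inside host 192.168.123.45, the outside interface address 203.0.113.1 and the list of internal routes are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[str, Net, Net]  # (ACL name, source, destination)


def _take_addr(tokens: List[str]) -> Tuple[Net, List[str]]:
    """Consume one ASA address group: 'host A', 'any', or 'NET DOTTED-MASK'."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ASA writes a dotted subnet mask; ipaddress accepts it after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse the 'access-list NAME extended permit ip SRC DST' shape used in the thread."""
    t = line.split()
    if t[:1] != ["access-list"] or t[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _take_addr(t[5:])
    dst, rest = _take_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {line}")
    return t[1], src, dst


def acl_permits(aces: List[Ace], name: str, src: str, dst: str) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(n == name and s in sn and d in dn for n, sn, dn in aces)


# Constructed configuration in the thread's shape: the policy-NAT ACL names the
# real inside addresses, the crypto ACL names the translated (vendor-assigned) one.
ACES = [parse_ace(line) for line in [
    "access-list policy-nat extended permit ip host 192.168.123.45 host 12.45.78.100",
    "access-list policy-nat extended permit ip 192.168.45.0 255.255.255.0 host 12.45.78.100",
    "access-list crypto-acl1 extended permit ip host 10.123.45.78 host 12.45.78.100",
]]
POLICY_NAT_ACL, POLICY_NAT_ADDR = "policy-nat", "10.123.45.78"  # nat (inside) 2 / global (outside) 2
CRYPTO_ACL = "crypto-acl1"                                      # crypto map ... match address
OUTSIDE_IF_ADDR = "203.0.113.1"                                  # constructed: the existing interface PAT
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]  # constructed


def forward(src: str, dst: str) -> Tuple[str, str]:
    """Return (source as seen on the wire, path) for one flow.

    Order mirrors the ASA: a destination routed to an inside network gets no NAT
    and no crypto; otherwise policy NAT (id 2) wins over the interface PAT (id 1),
    and only then is the crypto-map ACL evaluated, against the translated source.
    """
    d = ipaddress.ip_address(dst)
    if any(d in n for n in INTERNAL_NETS):
        return src, "inside"
    wire_src = POLICY_NAT_ADDR if acl_permits(ACES, POLICY_NAT_ACL, src, dst) else OUTSIDE_IF_ADDR
    if acl_permits(ACES, CRYPTO_ACL, wire_src, dst):
        return wire_src, "tunnel"
    return wire_src, "internet"


def crypto_acl_gaps() -> List[str]:
    """Check that every policy-NAT flow is still matched by the crypto ACL after
    translation; a gap means that flow would leave the outside interface unencrypted."""
    gaps = []
    for name, src_net, dst_net in ACES:
        if name != POLICY_NAT_ACL:
            continue
        probe_dst = str(dst_net.network_address)
        if not acl_permits(ACES, CRYPTO_ACL, POLICY_NAT_ADDR, probe_dst):
            gaps.append(f"{src_net} -> {dst_net} is translated but not matched by {CRYPTO_ACL}")
    return gaps


def route_conflicts(addr: str) -> List[Net]:
    """Internal routes that would capture traffic to addr (e.g. a vendor peer or
    NAT address inside the same 10/8 that is routed to the inside interface)."""
    a = ipaddress.ip_address(addr)
    return [n for n in INTERNAL_NETS if a in n]


if __name__ == "__main__":
    for flow in [("192.168.123.45", "12.45.78.100"), ("192.168.45.7", "12.45.78.100"),
                 ("192.168.45.7", "198.51.100.9"), ("192.168.45.7", "10.20.30.40")]:
        print(flow, "->", forward(*flow))
    print("crypto ACL gaps:", crypto_acl_gaps() or "none")
    print("routes covering the NAT address:", route_conflicts(POLICY_NAT_ADDR))
```

Running it shows the two vendor-bound flows leaving as 10.123.45.78 into the tunnel, ordinary Internet traffic leaving from the interface address outside the tunnel, and 10.x traffic staying inside untouched; `route_conflicts` flags that 10.123.45.78 sits inside the 10/8 route, which is the case where a more specific route for the vendor addresses via the outside interface is needed so tunnel traffic is not sent back inside.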

