09-18-2011 10:57 AM - edited 03-11-2019 02:26 PM
Hi All
My setup..
Site 1: Cisco ASA 5505 Firewall running 8.4.1
Site 2: Cisco 877 Router
Between the 2 of these I have a working site to site VPN setup. The only issue is if a NAT rule is set up on the remote office, to access that I have to use the external IP and go via the NAT. I can't do it 'internally' via the VPN. Why?
Example:
I'm at site 1 on my laptop with an IP assigned by DHCP of 192.168.1.123.
At site 2 I have a server on 192.168.2.10 running a web server on port 80. Site 2's external public IP is 12.34.56.78.
If I want to access that web server from my laptop at site one, visiting http://192.168.2.10/ does not work. I have to go to http://12.34.56.78/. If I have a server running but with no NAT set up to the WAN for it I can access it fine. The problem only exists one way. I don't have the issue at site 2 when trying to access servers at site 1.
Config at site 1:
object network LocalLAN
subnet 192.168.1.0 255.255.255.0
object network RemoteLAN
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static LocalLAN LocalLAN destination static RemoteLAN RemoteLAN
object network LocalLAN
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 33.44.55.66 1
Config at site 2:
ip nat inside source list 140 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.10 80 interface Dialer0 80
interface Dialer0
ip access-group 110 in
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
access-list 110 permit tcp any any eq 80
access-list 140 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 140 permit ip 192.168.2.0 0.0.0.255 any
Where am I going wrong please?
Thanks Shell_
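Added example, not from the thread: a small Python model of the site 2 (Cisco 877) NAT rules posted above, showing why a reply from the statically NATed server no longer matches the crypto ACL. It assumes the usual IOS behaviour that a `ip nat inside source static` entry without a route-map is applied to all inside-to-outside traffic from that host (ACL 140 only governs the overload rule), and that inside-to-outside NAT is applied before the crypto map check; the overload port and the packet samples are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the site-2 config from the post.
VPN_LOCAL = ip_network("192.168.2.0/24")    # site 2 LAN
VPN_REMOTE = ip_network("192.168.1.0/24")   # site 1 LAN
DIALER0_IP = "12.34.56.78"                   # site 2 public IP


def acl140_permits(src, dst):
    """access-list 140: deny VPN-bound traffic, permit the rest of 192.168.2.0/24."""
    s, d = ip_address(src), ip_address(dst)
    if s in VPN_LOCAL and d in VPN_REMOTE:
        return False
    return s in VPN_LOCAL


def nat_inside_source(src, sport, dst, proto="tcp"):
    """Inside-to-outside translation. Returns (translated_src, translated_sport).

    Assumption: the static PAT entry has no route-map/ACL attached, so it is
    matched on source host/port alone, regardless of destination.
    """
    if proto == "tcp" and src == "192.168.2.10" and sport == 80:
        return DIALER0_IP, 80                      # static PAT entry
    if acl140_permits(src, dst):
        return DIALER0_IP, 1024                    # overload rule (constructed port)
    return src, sport                              # exempt from NAT


def matches_crypto_acl(src, dst):
    """Crypto ACL: 192.168.2.0/24 <-> 192.168.1.0/24 (from the ASA side post)."""
    return ip_address(src) in VPN_LOCAL and ip_address(dst) in VPN_REMOTE


def reply_goes_through_tunnel(src, sport, dst):
    """True if the server's reply is still a crypto-ACL match after NAT."""
    tsrc, _ = nat_inside_source(src, sport, dst)
    return matches_crypto_acl(tsrc, dst)


if __name__ == "__main__":
    # Reply from the NATed web server to the site-1 laptop: translated, leaves tunnel.
    print(reply_goes_through_tunnel("192.168.2.10", 80, "192.168.1.123"))  # False
    # Reply from a host with no static NAT: untranslated, stays in the tunnel.
    print(reply_goes_through_tunnel("192.168.2.20", 22, "192.168.1.123"))  # True
```

The second case is the "no NAT set up to the WAN" server that works, so the difference between the two is exactly the static entry bypassing the ACL 140 exemption.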
09-18-2011 11:10 AM
Hi,
Do you have the private IP of the server defined in the crypto ACL on the ASA? Can you provide the interesting config from both the devices?
Thanks
Varun
09-19-2011 03:44 AM
Hi
This bit?
access-list outside_cryptomap extended permit ip object LocalLAN object RemoteLAN
crypto map mymap 1 match address outside_cryptomap
Surely it's something to do with NAT though on the 877? If it's not NATed to the WAN on the 877 then it works fine.
I will post the full configs when I have time, there's a lot of xx'ing out etc I'll need to do!
Any ideas from any one though, please shout up
Thanks
Shell_