708 Views | 0 Helpful | 2 Replies

VPN and NAT

shell_uk_
Level 1

Hi All

My setup:

Site 1: Cisco ASA 5505 Firewall running 8.4.1

Site 2: Cisco 877 Router

Between the 2 of these I have a working site to site VPN setup. The only issue is if a NAT rule is set up on the remote office, to access that I have to use the external IP and go via the NAT. I can't do it 'internally' via the VPN. Why?

Example:

I'm at site 1 on my laptop with an IP assigned by DHCP of 192.168.1.123.

At site 2 I have a server on 192.168.2.10 running a web server on port 80. Site 2's external public IP is 12.34.56.78.

If I want to access that web server from my laptop at site one, visiting http://192.168.2.10/ does not work. I have to go to http://12.34.56.78/. If I have a server running but with no NAT set up to the WAN for it I can access it fine. The problem only exists one way. I don't have the issue at site 2 when trying to access servers at site 1.

Config at site 1:

object network LocalLAN
 subnet 192.168.1.0 255.255.255.0
object network RemoteLAN
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static LocalLAN LocalLAN destination static RemoteLAN RemoteLAN
object network LocalLAN
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 33.44.55.66 1

Config at site 2:

ip nat inside source list 140 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.10 80 interface Dialer0 80
interface Dialer0
 ip access-group 110 in
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
access-list 110 permit tcp any any eq 80
access-list 140 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 140 permit ip 192.168.2.0 0.0.0.255 any

Where am I going wrong please?

Thanks Shell_

2 Replies

varrao
Level 10

Hi,

Do you have the private IP of the server defined in the crypto ACL on the ASA? Can you provide the interesting config from both the devices?

Thanks

Varun

Thanks,
Varun Rao

Hi

This bit?

access-list outside_cryptomap extended permit ip object LocalLAN object RemoteLAN

crypto map mymap 1 match address outside_cryptomap

Surely it's something to do with NAT though on the 877? If it's not NAT'd to the WAN on the 877 then it works fine.

I will post the full configs when I have time, there's a lot of xx'ing out etc I'll need to do!

Any ideas from anyone though, please shout up.

Thanks

Shell_
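The one-way symptom in the original post and the suspicion in the last reply that the 877's NAT is involved can be reasoned about with a small model. This is an added illustration, not configuration from either poster: it assumes the documented IOS inside-to-outside order of operations (inside source NAT is applied before the crypto map is checked) and uses the addresses and ACLs from the thread; the hypothetical host 192.168.2.20 and the internet address 203.0.113.5 are constructed for the test cases.

```python
"""Model of the 877's inside->outside packet path for the flows in the thread.

Assumption (IOS order of operations): inside-source NAT runs before the crypto
ACL is evaluated, so the crypto ACL sees the *translated* source address.
"""
import ipaddress

LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")   # site 1 (ASA side)
REMOTE_LAN = ipaddress.ip_network("192.168.2.0/24")  # site 2 (877 side)
DIALER0_IP = "12.34.56.78"                           # site 2 public IP

# Static port-forward from the 877 config: (inside ip, port) -> (outside ip, port).
# It carries no route-map, so it is applied to every flow from that socket,
# including replies destined for the site 1 LAN.
STATIC_NAT = {("192.168.2.10", 80): (DIALER0_IP, 80)}


def acl_140_permits(src, dst):
    """ACL 140 (dynamic overload NAT): deny site2->site1, permit site2->any."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in REMOTE_LAN and d in LOCAL_LAN:
        return False
    return s in REMOTE_LAN


def crypto_acl_matches(src, dst):
    """Interesting traffic for the tunnel: site 2 LAN -> site 1 LAN."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return s in REMOTE_LAN and d in LOCAL_LAN


def inside_to_outside(src, sport, dst):
    """Return (source address after NAT, 'vpn' or 'clear') for a packet
    leaving site 2 towards dst."""
    # 1. Static NAT is tried first and does not consult ACL 140.
    if (src, sport) in STATIC_NAT:
        src, sport = STATIC_NAT[(src, sport)]
    # 2. Dynamic overload NAT applies only to what ACL 140 permits.
    elif acl_140_permits(src, dst):
        src = DIALER0_IP
    # 3. The crypto map is checked against the translated packet.
    path = "vpn" if crypto_acl_matches(src, dst) else "clear"
    return src, path
```

Replies from the port-forwarded web server leave with the public source address and miss the crypto ACL, while a host with no static NAT is exempted by ACL 140 and still enters the tunnel, which reproduces the one-way behaviour described in the question.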
