704 Views, 0 Helpful, 7 Replies

ASA to Cisco ISR VPN

nelson-rick
Level 1

I need to create a site-to-site tunnel using one IP address on my side. In an ASA-only site-to-site tunnel this isn't a problem, but I am a bit confused about how to get it to work on the ISR side.

For example, here are the commands in the ASA:

global (outside) 2 192.168.96.48 netmask 255.255.255.255
nat (inside) 2 access-list nat_vpn

How do I create these commands on the ISR so the tunnel only uses 192.168.96.48 for all traffic originating on the ISR side going to the ASA side?

1 Accepted Solution

Jon Marshall
Hall of Fame

I answered this question when you asked it a few days ago -

https://supportforums.cisco.com/discussion/12374976/global-nat-command-asa-how-do-i-do-it-cisco-isr

Did you try it and it didn't work?

Jon

7 Replies


I tried but unfortunately we need a bidirectional tunnel. I just want to assign one IP on my Cisco ISR side to 192.168.96.48 and allow it to only access 192.168.96.101 & 192.168.96.102 on the ASA side.

Any assistance would be greatly appreciated.

This is what I tried but no luck.

route-map nonat permit 10
 match ip address 134

access-list 134 permit ip host 192.168.1.244 host 192.168.96.101
access-list 134 permit ip host 192.168.1.244 host 192.168.96.102

ip nat pool ah_pool 192.168.96.48 192.168.96.48 netmask 255.255.255.252
ip nat inside source route-map nonat pool ah_pool overload

ip nat inside source static 192.168.1.244 192.168.96.101 route-map nonat
ip nat inside source static 192.168.1.245 192.168.96.102 route-map nonat

I think the problem is you are trying to assign both 192.168.1.244 and 192.168.1.245 to the same IP, i.e. 192.168.96.48.

This will work fine if the connections are only ever initiated from your side, i.e. the ISR, because when the return traffic is sent from the ASA the ISR knows which IP to translate to.

But if the connection is initiated from the ASA end, how will the ISR know which IP to translate 192.168.96.48 to, i.e. there is no translation set up.

Do you have another IP to use in addition to 192.168.96.48?

Are the ports on 192.168.1.244/245 the same ports, or can you distinguish between those devices based on ports?

Finally, are you saying this worked with your original ASA configuration that you posted? Because I'm not sure how it could have.

Jon

 

I have been given one IP to use on my side to connect to theirs.

ISR side I need to NAT 192.168.1.16 to 192.168.96.48 to connect to 192.168.96.101 & 102 on the ASA side.

I'm confused now because your previous configuration shows you trying to NAT 192.168.1.244 and 192.168.1.245 to 192.168.96.48?

Can you please clarify exactly what you are trying to do otherwise it's very difficult to help.

Jon

Sorry for the confusion, but I have to create a tunnel with one of my servers (192.168.1.?) using 192.168.96.48, connecting over VPN to 192.168.96.101 & 102.

In the ASA this is simple but I am not sure how to do this on the ISR.

No problem.

Your last configuration is basically there, i.e.:

access-list 101 permit ip host 192.168.1.x host 192.168.96.101
access-list 101 permit ip host 192.168.1.x host 192.168.96.102

route-map vpn_nat permit 10
 match ip address 101

ip nat inside source static 192.168.1.x 192.168.96.48 route-map vpn_nat

You can try the above and see if it works.

Jon
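A fuller ISR-side sketch of the approach Jon describes, added here as an example and not taken from any post in this thread: a policy static NAT that translates one inside host to 192.168.96.48 only toward the two ASA-side hosts, and a crypto ACL written against the translated address (on IOS, inside-to-outside traffic is translated by NAT before it is matched against the crypto map). The inside host 192.168.1.16 comes from the thread; the peer address, pre-shared key, interface names, ACL/route-map names, IKE/IPsec parameters and the `reversible` keyword (which lets sessions initiated from the ASA side reach the translated address) are assumptions and should be checked against the IOS release in use.

```cisco
! Added example, not from the thread. Placeholders: <ASA_PEER_IP>, <PRE_SHARED_KEY>, interface names.
!
! 1. Policy NAT: translate 192.168.1.16 to 192.168.96.48 only when it talks to the two ASA-side hosts
ip access-list extended NAT_VPN
 permit ip host 192.168.1.16 host 192.168.96.101
 permit ip host 192.168.1.16 host 192.168.96.102
route-map vpn_nat permit 10
 match ip address NAT_VPN
! Static 1:1 translation (not overload), so return and ASA-initiated traffic map back to exactly one host;
! 'reversible' (assumed) allows outside-to-inside initiated sessions through the route-map static entry
ip nat inside source static 192.168.1.16 192.168.96.48 route-map vpn_nat reversible
!
! 2. Crypto ACL must match the post-NAT source address, mirroring the ASA's interesting-traffic ACL
ip access-list extended VPN_TRAFFIC
 permit ip host 192.168.96.48 host 192.168.96.101
 permit ip host 192.168.96.48 host 192.168.96.102
!
! 3. IKEv1 / IPsec crypto map (matches the legacy global/nat era of the ASA config in the question)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE_SHARED_KEY> address <ASA_PEER_IP>
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map VPN_MAP 10 ipsec-isakmp
 set peer <ASA_PEER_IP>
 set transform-set VPN_TS
 match address VPN_TRAFFIC
!
! 4. Apply NAT roles and the crypto map to the interfaces (names assumed)
interface GigabitEthernet0/0
 description WAN toward the ASA peer
 ip nat outside
 crypto map VPN_MAP
interface GigabitEthernet0/1
 description LAN containing 192.168.1.16
 ip nat inside
```

After generating traffic from 192.168.1.16 to 192.168.96.101, `show ip nat translations` should show a single 192.168.1.16 to 192.168.96.48 entry and `show crypto ipsec sa` should show encaps/decaps counters for the 192.168.96.48 selectors.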
