VPN & Routing

Hello all,

I have a question for an upcoming project that I'm hoping to get some good,helpful, and quick responses for.  We have 2 vendors that need to communicate through our network.  Due to contractual agreements, they can't communicate directly through a site-to-site VPN solution.  Therefore, they have to come through our network.  Anyway, Vendor1 is requesting another S2S VPN tunnel to be configured on our ASA for a single host on their internal network (10.200.6.99) that will communicate to Vendor2's internal IP (unknown at this time).  Vendor2 is currently connected to us via a WAN link where we route to their WAN router from our Layer 3 switches.  Since Vendor1's inside host is located at another location on another subnet, I'll need to establish another VPN tunnel for that LAN.  What I need to know is how can I get Vendor1's inside host (10.200.6.99) to talk to Vendor2's inside host through our network with this type of set up?  Is it simple routing that needs to be configured only?  Or is it a combination of routing and NAT?  Or is there another way?  Any help would be appreciated.  Please see my quick diagram of how these two are set up.

Thanks,

Terence


14 Replies

rizwanr74 (Level 7)

Hi Terence,

What you need is to include in the crypto ACL and in the no-NAT ACL Vendor1's and Vendor2's IP addresses (i.e. the host address and network that need access).

Also, please include static routes via the next-hop address of the interface on which that traffic is accessible.

thanks

Ok so static routes to the next hop IP addresses is understood but what I don't understand is the crypto ACL and no NAT ACL you mentioned.  Can you explain a little further please?

What version of ASA are you running?

Have you done a site-to-site (LAN-to-LAN) VPN before? Just to understand the level of understanding you have, so that I can reply accordingly.

thanks

Yes, sorry, I should've been more clear in my last response.  I'm just confused on how it's worded.  It's ASA version 8.4; I have done S2S L2L tunneling before using this version of the software.  From what I'm thinking about what you're saying is that I need to create an ACL for the interesting traffic and a no-NAT ACL for that same interesting traffic, then create static routes to the destinations.  Is that correct?

"From what I'm thinking about what you're saying is that I need to create an ACL for the interesting traffic and a no-NAT ACL for that same interesting traffic, then create static routes to the destinations.  Is that correct?"

Yes, that is correct. You would establish a VPN tunnel to Vendor1 as you would create a normal VPN tunnel, and then include Vendor2's IP address as well, as if Vendor2's address (i.e. LAN address) were your local LAN, so that it traverses the VPN tunnel between Vendor1 and your ASA.

thanks

Ok, I think I get what you're saying.  So I would set the peer address for the tunnel to be Vendor1's outside IP, and Vendor1 would set their peer address to be my outside IP.  Then, when I specify the ACLs for the interesting traffic and no-NAT, I would list Vendor1 and Vendor2 as the subnets instead of my actual local LAN subnet.  Is this what you're saying?

Yes that is correct.

Ok, great!  One last thing... when I specify my network objects, if it's only a single host that needs to communicate between these two vendors, then I just specify the "host" parameter for the object instead of the "subnet" parameter, correct?

Yes, that is correct, and an example is below.

object network obj-209.165.200.225
 host 209.165.200.225

Thank you sir!  Your help is greatly appreciated!

I don't mean to reopen this discussion, but I got some additional info I needed regarding this configuration.  Vendor2's IP address is a public IP that will be NATed by their firewall.  Vendor1 will use the existing VPN tunnel instead of creating a new tunnel.  In addition, Vendor1 and Vendor2 will only need one host on each network to communicate via a specific TCP port number.  Here is a sample config that I would need to configure on my firewall to ensure this connection is made.  Please tell me if I'm correct or if I'm missing anything:

conf t
object network
 host
exit
object network
 host <--!!!Public IP that will be NATed to an inside IP!!!-->
exit
access-list extended permit tcp host host eq
nat (inside,any) source static destination static
route inside

Thanks,

Terence

Hi Terence,

"Vendor2's IP address is a public IP that will be NATed by their firewall."

"Vendor2 is currently connected to us via a WAN link where we route to their WAN router from our Layer 3 switches."

I see, two of your statements above are kind of conflicting info.

So, please answer the question below.

Is Vendor2's public IP being routed via the public cloud (i.e. the Internet) through your firewall, or via the WAN router?

I will answer your questions when you answer mine.

Thanks

Rizwan Rafeek

Perhaps my wording is a bit confusing, but to put it correctly, Vendor2 has a router/layer 3 device that has a route to one of our VLAN subnets.  Somewhere behind this router, this vendor has public IP space, and we have a bunch of static routes for these public IPs that route back to this vendor through that WAN link.  I don't know how this vendor's network is set up, but I would imagine that it goes through a firewall/router that NATs incoming requests on one of those public IPs.

Hi Terence,

This is all you need.

object network
 host
object network
 host <--!!!Public IP that will be NATed to an inside IP!!!-->
access-list extended permit tcp host host eq
nat (inside,any) source static destination static
route inside

You are correct with your script. Be sure to inform Vendor1 to include your Vendor2 host IP address in the tunnel between your ASA and their tunnel endpoint.

thanks

Rizwan Rafeek

Let me know how it is coming along.
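Pulling the thread together, below is a complete ASA 8.4 configuration for the design as it ended up: the Vendor1 host reaches the Vendor2 public host through the L2L tunnel to Vendor1, the ASA does not translate either address (identity twice NAT is how a "no-NAT" ACL is expressed on 8.3+), Vendor2's public address is reached through the inside Layer 3 switch rather than the Internet, and only one TCP port is allowed. This is an added example, not the configuration posted by Terence or Rizwan. Only 10.200.6.99 (the Vendor1 host) comes from the thread; the Vendor1 peer 198.51.100.10, the Vendor2 public host 203.0.113.50, the inside next hop 10.1.1.2, TCP port 1433, and every object, ACL, crypto map and group name are assumed placeholders. Lines starting with "!" are annotations, not ASA commands.

```cisco
! ---- Assumed addresses (RFC 5737 documentation ranges); replace with real values
! Vendor1 host (from the thread) and Vendor2's public host (assumed)
object network VENDOR1_HOST
 host 10.200.6.99
object network VENDOR2_HOST
 host 203.0.113.50

! ---- Crypto ACL (interesting traffic)
! Vendor2's host takes the place of "our LAN": source is the side that is
! local to this ASA (reached via inside), destination is the Vendor1 host.
! Vendor1's crypto ACL must be the exact mirror: 10.200.6.99 -> 203.0.113.50.
! If the tunnel already exists, this ACE is simply appended to its crypto ACL.
access-list VPN_VENDOR1 extended permit ip object VENDOR2_HOST object VENDOR1_HOST

! ---- No-NAT: identity twice NAT so neither host is translated by this ASA
! (inside,outside) because Vendor2 is reached via the inside interface and
! the tunnel terminates on outside; the reverse direction is implied.
nat (inside,outside) source static VENDOR2_HOST VENDOR2_HOST destination static VENDOR1_HOST VENDOR1_HOST

! ---- Routing: Vendor2's public /32 lives behind the inside L3 switch, not the Internet
! (assumed next hop 10.1.1.2). 10.200.6.99 needs no route; it is reached through
! the tunnel via the outside default route.
route inside 203.0.113.50 255.255.255.255 10.1.1.2 1

! ---- IKEv1 phase 1 / phase 2 (shown for completeness; skip if the tunnel exists)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

crypto map OUTSIDE_MAP 20 match address VPN_VENDOR1
crypto map OUTSIDE_MAP 20 set peer 198.51.100.10
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 20 set pfs group2
crypto map OUTSIDE_MAP interface outside

tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <shared-secret>

! ---- Restrict the tunnel to the single TCP port (assumed 1433)
! With "sysopt connection permit-vpn" (the default) decrypted traffic bypasses
! the outside interface ACL, so an interface ACL alone would not limit it.
! A vpn-filter is written from the remote side's point of view (source = Vendor1)
! and is applied to both directions of the flow.
access-list VENDOR1_VPN_FILTER extended permit tcp object VENDOR1_HOST object VENDOR2_HOST eq 1433
group-policy VENDOR1_GP internal
group-policy VENDOR1_GP attributes
 vpn-filter value VENDOR1_VPN_FILTER
tunnel-group 198.51.100.10 general-attributes
 default-group-policy VENDOR1_GP
```

Two checks before calling it done. First, return traffic: the Layer 3 switch needs a route for 10.200.6.99 pointing at the ASA inside interface, and Vendor2's WAN router needs a route for 10.200.6.99 back toward that switch; otherwise Vendor2's replies leave by some other path and the ASA drops the asymmetric flow. Second, confirm the no-NAT rule is actually hit with "packet-tracer input inside tcp 203.0.113.50 1433 10.200.6.99 1024" (and the reverse from outside): the NAT phase should show the identity rule, the VPN phase should show encrypt/decrypt, and "show crypto ipsec sa peer 198.51.100.10" should list 203.0.113.50/32 <-> 10.200.6.99/32 as the proxy identities once the first packet brings the SA up. If Vendor1 also sends a mismatched local subnet, phase 2 fails with a proxy-identity mismatch in "debug crypto ikev1", which is the usual symptom of the two crypto ACLs not mirroring each other.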