1417 Views | 0 Helpful | 7 Replies

ASA Private local networks

Jonathancert_2
Level 1

Is there any way to connect a L2L VPN without using public NATs when one of the sites contains private IPs (i.e. 10's, 172's)? I'm using a public NAT to route our private IP but the distant end is not using a NAT. My Cisco ASA is on ver 9.1(1)

1 Accepted Solution

Accepted Solutions

So you are unable to get connectivity between the two encrypted domains. This is because of your route for 10.0.0.0/8 pointing to the inside on your ASA.  You need to either enter a route pointing to the outside for 10.111.40.208/28 or configure more specific routes for the inside networks.

--
Please remember to select a correct answer and rate helpful posts

7 Replies

Not exactly sure what you are asking here.

But when doing a L2L VPN you do not want to NAT the local (private) IPs...normally. So you would just set up a L2L VPN between your ASA and the remote site, make sure that both sides have crypto ACLs (that define traffic to be encrypted) that are the mirror image of each other, and have NAT statements that prevent the VPN traffic from being NATed.

--
Please remember to select a correct answer and rate helpful posts
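An added configuration example, not from this thread or either poster, of what the reply above describes on an ASA 9.1: a crypto ACL that the remote side must mirror, and an identity (NAT exemption) rule so the VPN traffic is never translated. The remote subnet 10.111.40.208/28 and peer 129.70.32.4 are the values given later in the thread; the local LAN 10.120.1.0/24, the object and map names, the IKEv1 proposals and the pre-shared key placeholder are assumptions.

```cisco
! Added example (not from the thread). Assumed: local LAN 10.120.1.0/24, IKEv1 with PSK,
! AES-256/SHA proposals that the remote side also offers.
object network LOCAL-LAN
 subnet 10.120.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.111.40.208 255.255.255.240
!
! Crypto ACL ("interesting" traffic). The remote ASA must carry the exact mirror image:
!   access-list ... permit ip 10.111.40.208 255.255.255.240 10.120.1.0 255.255.255.0
access-list L2L-CRYPTO extended permit ip object LOCAL-LAN object REMOTE-LAN
!
! NAT exemption: identity twice-NAT at line 1 so it is evaluated before any dynamic PAT
! that would rewrite the source to the outside address and stop the crypto ACL matching.
! no-proxy-arp: do not answer ARP for the remote subnet. route-lookup: choose the egress
! interface from the routing table rather than from the NAT rule.
nat (inside,outside) 1 source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! Phase 1 / Phase 2 parameters (assumed values).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set L2L-TS esp-aes-256 esp-sha-hmac
!
! Bind the crypto ACL and the peer into a crypto map on the outside interface.
crypto map OUTSIDE-MAP 10 match address L2L-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 129.70.32.4
crypto map OUTSIDE-MAP 10 set ikev1 transform-set L2L-TS
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 129.70.32.4 type ipsec-l2l
tunnel-group 129.70.32.4 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
```

The two things that most often break a L2L tunnel are in this snippet: a crypto ACL that is not the mirror of the peer's (Phase 2 proposal mismatch), and a NAT rule ordered below a dynamic PAT so the packet reaches the crypto map with a translated source that no longer matches the ACL.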

Hopefully I can clarify.

encrypt domain 10.120.1.141 ---> Local ASA inside 10.120.1.1 ---> Local ASA outside 72.30.40.1 <---> Remote ASA peer IP 129.70.32.4 <--- public NAT 129.70.32.50 <--- encrypt domain 10.111.40.208/28

I'm new at this ASA stuff, hope this doesn't confuse things. The tunnel does come up when the remote site initiates. I have a static route for all of 10.0.0.0/8 pointing inside on my ASA.

So you are unable to get connectivity between the two encrypted domains. This is because of your route for 10.0.0.0/8 pointing to the inside on your ASA.  You need to either enter a route pointing to the outside for 10.111.40.208/28 or configure more specific routes for the inside networks.

--
Please remember to select a correct answer and rate helpful posts

Can't change the 10.0.0.0/8 route. The possibilities of what that may impact are scary. So you're saying the other option is to add 10.111.40.208/28 to my ASA routes?

route Outside 10.111.40.208 255.255.255.240 72.30.40.1 1

Yes you would need to add that route.  Right now the ASA thinks that all 10.0.0.0 networks are located on the inside interface, so we need to tell the ASA that to reach 10.111.40.208/28 it needs to send traffic through the outside interface.

--
Please remember to select a correct answer and rate helpful posts
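An added example, not from this thread, of the more-specific route the reply above recommends together with the checks that confirm the ASA now sends 10.111.40.208/28 through the outside interface while 10.0.0.0/8 stays on inside. The next hop is left as a placeholder because it is an assumption: it is the upstream router on the outside segment, and the ASA will not accept its own outside address as a gateway. The source host 10.120.1.141 and peer 129.70.32.4 are from the thread; 10.111.40.209 is a constructed host inside the remote /28.

```cisco
! Added example (not from the thread). <OUTSIDE-NEXT-HOP> is the upstream router on the
! outside segment (assumption; replace before use).
route outside 10.111.40.208 255.255.255.240 <OUTSIDE-NEXT-HOP> 1
!
! Longest-prefix match: the /28 should now list "outside" while the /8 still lists "inside".
show route | include 10.111.40.208
show route | include 10.0.0.0
!
! Simulate a packet from the local encryption domain to the remote one (constructed host
! 10.111.40.209). In the output the ROUTE-LOOKUP phase should pick "outside" and VPN
! encrypt phases should follow; if the route lookup returns "inside" the route is missing.
packet-tracer input inside tcp 10.120.1.141 40000 10.111.40.209 443
!
! Confirm both directions once the tunnel is up: #pkts encaps and #pkts decaps should both
! increase; encaps rising with decaps at zero points at the remote side's return routing.
show crypto ipsec sa peer 129.70.32.4
```

A single /8 pointing inside is common on ASAs that front a large campus, and it silently swallows any remote encryption domain that falls under it; the more-specific route is the smallest change that fixes the tunnel without touching the summary route the poster cannot alter.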

Thanks for your help. Things are working now.

Jonathan,

Glad I could help and thanks for the rating.

--
Please remember to select a correct answer and rate helpful posts