10-09-2009 02:07 AM
Hi,
I have a doubt about site-to-site VPN.
I have 3 customers, cust1 --- cust2 --- cust3.
The private IP address ranges are:
Cust1 ---- 10.2.2.0 (PIX)
Cust2 ---- 10.10.10.0 (Checkpoint Nokia)
Cust3 ---- 10.2.2.0 (ASA)
Connectivity is:
Cust1 ---- Cust2 ---- Cust3
  |          |          |
10.2.2.0  10.10.10.0  10.2.2.0
I want to achieve a site-to-site VPN tunnel between Cust1 -- Cust2 and also between Cust2 -- Cust3. But here Cust1 and Cust3 have the same private IP address range. So, when establishing the VPN tunnels on Cust2 (Cust2 to Cust1 and Cust2 to Cust3), there will be a conflict between the 10.2.2.0 ranges.
Here is the config I have done on the PIX (Cust1):
static (inside,outside) 10.2.3.0 access-list TICTAC
access-list TICTAC permit ip 10.2.2.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ACL:
access-list crypto permit ip 10.2.3.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 10.2.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
show run | i global|nat|access-list
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
I am able to ping the Cust2 private IP range through the VPN, but I am unable to browse the internet from Cust1.
Note: each customer has its own internet connection.
Can anyone help me out? Is there anything I am missing?
Regards,
Manoj
10-09-2009 05:51 AM
I would remove the nonat you have configured on the inside for the traffic that is going through. You want to NAT the traffic as specified by your static.
PS. If you found this post helpful, please rate it.
10-09-2009 07:52 PM
I removed the nonat statement, and nothing is happening :-(
10-10-2009 05:24 AM
Manoj, you need to go step by step then. Figure out what is going on with the packet.
1) What is the packet source, and where is it destined?
2) When it hits the ASA's inside interface, does it hit any ACLs?
3) If no ACLs, where does routing say it should go? The outside interface or another interface?
4) Is the packet supposed to be NAT'd? If yes, then are the NAT statements correct?
5) If it's supposed to be encrypted after the NAT, are the crypto ACLs correct, and is the crypto map applied to the interface that the packet is supposed to be going out of?
6) What do the logs show?
11-05-2009 09:29 AM
Hello,
Any luck with your scenario? I have the same problem and no solution yet.
What I want to know is: when a packet reaches the router, which happens first? The NAT operation, or does it get tunneled?
Regards,
Florin.
11-05-2009 09:37 AM
NAT will happen first. Why don't you post more info about your problem...
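The step-by-step packet walk suggested a few posts above, and the "NAT will happen first" answer here, can be checked mechanically against Manoj's posted PIX config. The following is an added example written for this page, not code from any poster or from Cisco: it models the pre-8.3 PIX/ASA order of operations (NAT exemption via nat 0 access-list is chosen before static policy NAT, which is chosen before dynamic NAT/PAT, and the crypto map ACL is then matched against the translated packet). The outside interface address 203.0.113.1 and the internet host 198.51.100.9 are placeholders; the ACLs and networks are the ones from Manoj's first post.

```python
"""Packet walk through a PIX/ASA 7.x-8.2 style NAT + crypto config.

Constructed example for this thread: shows why a matching nat 0 (exemption)
entry stops the static policy NAT from firing, so the crypto ACL, which is
written for the *translated* 10.2.3.0/24 source, never selects the packet.
"""
import copy
import ipaddress
from typing import Dict, List, Tuple

Acl = List[Tuple[str, str]]  # (source network, destination network), CIDR strings


def acl_matches(acl: Acl, src: str, dst: str) -> bool:
    """True if any permit entry covers this source/destination pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in acl)


def policy_translate(src: str, real: str, mapped: str) -> str:
    """static (inside,outside) MAPPED access-list X: keep the host bits and
    swap the network bits (10.2.2.5 -> 10.2.3.5 for a /24 -> /24 static)."""
    real_net, mapped_net = ipaddress.ip_network(real), ipaddress.ip_network(mapped)
    offset = int(ipaddress.ip_address(src)) - int(real_net.network_address)
    return str(mapped_net.network_address + offset)


def walk_packet(src: str, dst: str, cfg: Dict) -> Dict:
    """Reproduce the 'what happens to this packet' checklist: which NAT rule
    fires, what the source becomes, and whether the crypto ACL (evaluated
    after NAT) selects the packet for the tunnel."""
    # 1. nat (inside) 0 access-list: exemption has the highest priority.
    if acl_matches(cfg.get("nonat", []), src, dst):
        rule, xlated = "nat 0 access-list (exempt, no translation)", src
    else:
        rule, xlated = None, None
        # 2. static policy NAT: real network is the ACL source network.
        for st in cfg.get("static_policy", []):
            for real, remote in st["acl"]:
                if acl_matches([(real, remote)], src, dst):
                    rule = f"static (inside,outside) {st['mapped']} access-list"
                    xlated = policy_translate(src, real, st["mapped"])
                    break
            if rule:
                break
        # 3. nat (inside) 1 0 0 + global (outside) 1 interface: PAT to outside IP.
        if rule is None:
            rule, xlated = "nat 1 / global (outside) 1 interface (PAT)", cfg["outside_ip"]
    # 4. The crypto map ACL is matched against the translated packet.
    encrypted = acl_matches(cfg["crypto"], xlated, dst)
    return {"nat_rule": rule, "translated_src": xlated, "encrypted": encrypted}


def without_nonat(cfg: Dict) -> Dict:
    """The first reply's suggestion: drop the nat 0 exemption entirely."""
    c = copy.deepcopy(cfg)
    c.pop("nonat", None)
    return c


# Cust1 PIX config as posted in the thread (outside address is a placeholder).
PIX_CUST1 = {
    "outside_ip": "203.0.113.1",
    "nonat": [("10.2.2.0/24", "10.10.10.0/24")],          # access-list nonat, nat (inside) 0
    "static_policy": [{"mapped": "10.2.3.0/24",           # static (inside,outside) 10.2.3.0
                       "acl": [("10.2.2.0/24", "10.10.10.0/24")]}],  # access-list TICTAC
    "crypto": [("10.2.3.0/24", "10.10.10.0/24")],         # access-list crypto
}

if __name__ == "__main__":
    for label, cfg, dst in (("with nonat, to Cust2", PIX_CUST1, "10.10.10.7"),
                            ("without nonat, to Cust2", without_nonat(PIX_CUST1), "10.10.10.7"),
                            ("with nonat, to internet", PIX_CUST1, "198.51.100.9")):
        print(label, walk_packet("10.2.2.5", dst, cfg))
```

With the nonat entry in place, a 10.2.2.5 to 10.10.10.7 packet is exempted from translation, keeps its real source, and falls through the crypto ACL (which only lists 10.2.3.0/24), so it is routed in the clear instead of into the tunnel; with the entry removed, the same packet becomes 10.2.3.5 and is selected for encryption. Internet-bound traffic is PAT'd to the outside address and is correctly left out of the tunnel in both cases, so the internet problem in the original post has to be looked for elsewhere in the walk (routing, the outside ACL, or the logs), which is what the six-step list asks for.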
11-05-2009 11:27 PM
Hi,
I have an ASA firewall tunneling the 192.168.10.0/24 behind it to a Checkpoint NGX. The trouble is that 192.168.10.0 already exists behind the Checkpoint as a connected network.
Nevertheless, my VPN has to connect 192.168.10.0/24 with 192.168.16.0/24.
So I concluded NAT is needed only on the ASA side, right?
The VPN came up immediately, but I still don't have connectivity between the sites.
I attached the specific config from the ASA; please note that show crypto ipsec sa shows only decrypted packets but no encrypted ones!
What have I missed?
Regards,
Florin.