Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
278
Views
0
Helpful
1
Replies

Policy Nat VPN question

smolz
Level 4
Level 4

‎08-28-2009 05:47 AM

I have a VPN tunnel with the following configuration:

access-list DMZ_nat_static extended permit ip host [actual DMZ IP] host [Remote IP]

access-list Outside_3_cryptomap extended permit ip host [one of my outside IP's] host [Remote IP]

static (DMZ,Outside) [one of my outside IP's] access-list DMZ_nat_static

crypto map Outside_map 3 match address Outside_3_cryptomap

crypto map Outside_map 3 set peer REMOTE GATEWAY IP

crypto map Outside_map 3 set transform-set ESP-3DES-MD5

tunnel-group REMOTE GATEWAY IP type ipsec-l2l

tunnel-group REMOTE GATEWAY IP ipsec-attributes

pre-shared-key *

I have the tunnel created but the remote user cannot connect to my host at the [one of my outside IP's]. So I guess my question is whether this should be working or am I missing something? I am wondering if the NAT that I have is one way or is it both?

Labels:
0 Helpful
1 Reply 1

julomban
Level 3
Level 3

‎08-28-2009 07:28 AM

Hi,

I am wondering why you are using a static for the VPN tunnel, it would be better if you create a NAT 0 from your local network going to the remote location. Example:

access-list VPN_NAT_0 permit ip host [actual DMZ host] host [remote IP]

nat (DMZ) 0 access-list VPN_NAT_0

Just take out the static and add the above commands, the access list is exactly the same as the one for the crypto map or should be like that.

I hope it helps

0 Helpful
Customers Also Viewed These Support Documents