I'm not terribly familiar with VPN setups; I know enough to be dangerous.
I have a client who needs a VPN connected to a third party. They (the third party) are providing me with an IP address of theirs to use for NATed traffic from their network to a database server on my side behind the ASA. The issue I'm having is that when the tunnel is created and the static NAT statement is in place for the database server on the ASA, I lose all connectivity to it. In reality, I'm told I only need TCP port 9900 for it to work, but when I limit it to that port alone, the tunnel dies. I'm posting my config and changing the IPs for privacy. If anyone can help I'd be very appreciative.
This is the working config: the tunnel establishes, but it kills the DBSERVER's connection to the Internet.
object network <IP_GIVEN_TO_ME>
host 172.x.x.x
object network DBSERVER
host 10.0.0.x
object-group network <HOST_IPS_ON_REMOTE_SIDE>
network-object host 192.168.0.1
network-object host 192.168.0.2
access-list outside_cryptomap extended permit ip object IP_GIVEN_TO_ME object-group HOST_IPS_ON_REMOTE_SIDE
object network DBSERVER
nat (any,any) static IP_GIVEN_TO_ME (172.x.x.x)
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer <REMOTE_PEER_IP>
crypto map outside_map 2 set ikev1 transform-set ESP-AES-256-SHA
group-policy GroupPolicy_<REMOTE_PEER_IP> internal
group-policy GroupPolicy_<REMOTE_PEER_IP> attributes
vpn-tunnel-protocol ikev1
tunnel-group <REMOTE_PEER_IP> type ipsec-l2l
tunnel-group <REMOTE_PEER_IP> general-attributes
default-group-policy GroupPolicy_<REMOTE_PEER_IP>
tunnel-group <REMOTE_PEER_IP> ipsec-attributes
ikev1 pre-shared-key *****
When I make the following change, the tunnel drops and I regain Internet access for the DBSERVER:
object network DBSERVER
nat (any,any) static 172.x.x.x
to
object network DBSERVER
nat (any,any) static IP_GIVEN_TO_ME (172.x.x.x) service tcp 9900 9900
How do I get the right traffic into the tunnel but retain Internet access for the DBSERVER?
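Added example, not from the original post and not a confirmed fix for it: a manual (twice) NAT on the ASA that translates DBSERVER to IP_GIVEN_TO_ME only for TCP/9900 traffic exchanged with the remote hosts, so every other DBSERVER flow keeps its normal outbound translation. The interface names inside/outside, the service object name, the documentation address 203.0.113.10 and the exact form of the removed object NAT are assumptions.

```cisco
! Added example, not from the original post. Assumes the DB server sits on
! an interface named "inside" and the VPN terminates on "outside".
!
! Service object that limits the translation to the database port only.
object service SVC_TCP_9900
 service tcp source eq 9900
!
! Remove the object (auto) NAT that translated every DBSERVER flow,
! Internet-bound traffic included, to the third party's address.
object network DBSERVER
 no nat (any,any) static IP_GIVEN_TO_ME
!
! Manual (twice) NAT in section 1, evaluated before any object NAT.
! Static twice NAT is bidirectional, so it also covers connections the
! remote hosts open to IP_GIVEN_TO_ME:9900. Traffic that does not match
! (any other destination or port) falls through to the existing outbound PAT.
nat (inside,outside) 1 source static DBSERVER IP_GIVEN_TO_ME destination static HOST_IPS_ON_REMOTE_SIDE HOST_IPS_ON_REMOTE_SIDE service SVC_TCP_9900 SVC_TCP_9900
!
! The crypto ACL keeps matching on the mapped address, because the ASA
! translates before it encrypts (unchanged from the post).
access-list outside_cryptomap extended permit ip object IP_GIVEN_TO_ME object-group HOST_IPS_ON_REMOTE_SIDE
!
! Checks (replace 10.0.0.x / 172.x.x.x with the real addresses):
! rule placement and hit counts
!   show nat detail
! remote host reaching the DB port through the mapped address (VPN path)
!   packet-tracer input outside tcp 192.168.0.1 40000 172.x.x.x 9900
! DB server reaching the Internet without being mapped to 172.x.x.x
!   packet-tracer input inside tcp 10.0.0.x 40000 203.0.113.10 443
```

Stale translations from the old rule can linger, so clear the DBSERVER xlate after the change before re-testing.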