03-19-2012 11:23 AM
I am going to be setting up a site-to-site VPN connection between 2 locations. Site A is local and site B is remote. Site B is another company that will be running software on a server at Site A. I do not have access to any of the equipment at site B.
Here is the issue: Site B has multiple VPN tunnels with other customers of theirs. One of their existing tunnels is already configured using the same subnet as Site A. So, they cannot use the same subnet for our VPN setup. The Site A subnet is 192.168.11.0/24 and cannot be changed due to some equipment that is hard-coded with the IP information. So, Site B wants to use 10.133.6.0/32. I need to translate the 10.133.6.0/32 to my local so traffic can cross the VPN. Ultimately, the server is the only thing that needs to traverse the tunnel. Its IP is 192.168.11.55.
I have a Cisco ASA 5505 and I am using the ASDM to configure the tunnel.
Any help would be appreciated.
Thanks
Mike
03-19-2012 11:56 AM
Hello Mike,
Ok so here is what you need:
access-list whatever permit ip 192.168.11.0 255.255.255.0 site_b_subnet 255.255.255.0
nat (inside) 11 access-list whatever
global (outside) 11 10.133.6.1-10.133.6.254 netmask 255.255.255.0
Now on the crypto ACL for the VPN traffic between site A and Site B
access-list VPN_whatever permit ip 10.133.6.0 255.255.255.0 site_b_subnet 255.255.255.0
That's all you need on site A! On site B all you need to do is to configure the crypto ACL with the 10.133.6.0 subnet.
access-list VPN_whatever permit ip site_b_subnet 255.255.255.0 10.133.6.0 255.255.255.0
That's it!
Let me know if you have any other question,
Do rate all the helpful posts
Julio
Security Engineer
03-19-2012 11:39 AM
Hello Mike,
I can help you, but I will use CLI commands as it's so much faster and easier for troubleshooting purposes.
All you need to do is change some of the NAT configuration and crypto ACL on Site A.
What version are you running on the ASA on site A?
Regards,
Julio
03-19-2012 11:51 AM
Thanks Julio,
I am running Version 8.2
Thanks
Mike
03-20-2012 01:05 AM
I'm not seeing any NAT exemption from site A to site B. Is it possible to send traffic across the tunnel without NAT exemption?
03-20-2012 12:36 PM
Hello Zill,
Indeed, as we want to NAT the Site A network to something different, in this particular case the no-NAT configuration is not required as we will not use it.
Let me know if this is clear enough or if I can do something else to help.
Regards,
Julio
Do rate all the helpful posts
03-20-2012 07:28 AM
Thanks Julio,
I have entered most of the above commands. However, I am not sure what to put for the VPN_whatever name. Is this the name of the crypto map, or the tunnel group?
Sorry for the noob questions. Just trying to get a handle on all of this.
Thanks for all your help.
Mike
03-20-2012 12:35 PM
Hello Mike,
Do not worry, the "whatever" means you can name the access-list whatever you want. Lol
I mean, call it in a way that makes it easy to understand that it is used for the policy NAT and the VPN.
Let's call it VPN_ACL.
Do rate all the helpful posts
Julio
03-21-2012 07:57 AM
Thanks for all your help Julio. The tunnel is up and running!
I ended up not needing the global (inside) or NAT (inside) as we ended up doing a static IP to IP route so traffic only goes between 2 IP addresses instead of being wide open.
Other than that, what you gave me worked and made more sense once it was in place and I started running packet traces to test.
Thanks again!!
Mike
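The thread's key point is ordering: on the ASA the policy NAT runs first, and the crypto ACL is then evaluated against the translated (10.133.6.x) addresses, which is why the crypto ACL must never mention 192.168.11.x. The following is an added model of that data path, written for this page and not code from Cisco or from anyone in the thread. It uses the host-to-host static translation Mike reported ending up with (192.168.11.55 to 10.133.6.55) rather than the dynamic pool in the accepted answer, so site B can initiate connections to the server. Site B's own subnet is never stated in the thread, so 172.16.50.0/24 below is an assumed placeholder.

```python
"""Model of the ASA packet path for the overlapping-subnet VPN case.

Constructed example, not Cisco code. It applies a static policy NAT
(real 192.168.11.55 <-> mapped 10.133.6.55) and then evaluates the
crypto ACL against the post-NAT addresses, which is the order the ASA
uses for inside-to-outside traffic. SITE_B is an assumed placeholder.
"""
from ipaddress import ip_address, ip_network

SITE_A = ip_network("192.168.11.0/24")        # real Site A LAN (cannot change)
SITE_B = ip_network("172.16.50.0/24")         # ASSUMED placeholder for site B
SERVER_REAL = ip_address("192.168.11.55")     # the only host that must cross
SERVER_MAPPED = ip_address("10.133.6.55")     # inside the 10.133.6.0/24 site B chose

# Static (bidirectional) policy NAT: real host -> mapped host and back.
STATIC_NAT = {SERVER_REAL: SERVER_MAPPED}
REVERSE_NAT = {mapped: real for real, mapped in STATIC_NAT.items()}


def overlaps(existing_tunnels, candidate):
    """Return the existing tunnel subnets that overlap the candidate.

    This is site B's problem: a peer already uses 192.168.11.0/24, so
    Site A's real subnet cannot be used as a second tunnel's interesting
    traffic and a translated subnet is needed instead.
    """
    cand = ip_network(candidate)
    return [n for n in existing_tunnels if ip_network(n).overlaps(cand)]


def crypto_acl_matches(src, dst):
    """Site A crypto ACL: permit ip host 10.133.6.55 <site_b_subnet>.

    It is written against the MAPPED address; a 192.168.11.x source can
    never match because NAT has already rewritten it by this point.
    """
    return src == SERVER_MAPPED and dst in SITE_B


def outbound(src, dst):
    """Inside -> outside: policy NAT first, then the crypto ACL decides
    whether the packet is sent through the tunnel."""
    src, dst = ip_address(src), ip_address(dst)
    src = STATIC_NAT.get(src, src)            # only the server is translated
    return {"src": str(src), "dst": str(dst),
            "encrypted": crypto_acl_matches(src, dst)}


def inbound(src, dst):
    """Outside -> inside (site B initiating to the server): the mirrored
    crypto ACL is checked on the mapped address after decryption, then
    the static NAT untranslates the destination to the real server."""
    src, dst = ip_address(src), ip_address(dst)
    permitted = src in SITE_B and dst == SERVER_MAPPED
    real_dst = REVERSE_NAT.get(dst, dst)
    return {"permitted": permitted,
            "delivered_to": str(real_dst) if permitted else None}


if __name__ == "__main__":
    print(overlaps(["192.168.11.0/24", "10.1.1.0/24"], str(SITE_A)))
    print(outbound("192.168.11.55", "172.16.50.10"))   # translated and encrypted
    print(outbound("192.168.11.20", "172.16.50.10"))   # other LAN host: not in tunnel
    print(inbound("172.16.50.10", "10.133.6.55"))      # site B reaches the server
    print(inbound("172.16.50.10", "192.168.11.55"))    # real address: not permitted
```

Because only 192.168.11.55 has a translation, any other Site A host fails the crypto ACL and stays out of the tunnel, which is the "only between 2 IP addresses instead of being wide open" behaviour Mike describes; a dynamic pool would additionally block site B from opening connections to the server, since dynamic NAT is only created by inside-initiated traffic.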
03-21-2012 11:22 AM
Hello Mike,
My pleasure.
Have a great day.