Hi.
Let me tidy up a bit of what you have posted. :-)
=== start of your config posted
access-list VPN1 line 1 extended permit ip any 10.240.20.0 255.255.255.0
nat (Inside) 2 access-list VPN1
global (Outside) 2 194.63.35.2
access-list Outside1cryptomap line 1 extended permit ip host 194.63.35.2 10.240.20.0 255.255.255.0
access-list Insidenat0outbound line 1 extended permit ip host 194.63.35.2 10.240.20.0 255.255.255.0
nat (Inside) 0 access-list Insidenat0outbound
==== end of your config posted
Did I get it right?
Now, you don't need this:
access-list Insidenat0outbound line 1 extended permit ip host 194.63.35.2 10.240.20.0 255.255.255.0
nat (Inside) 0 access-list Insidenat0outbound
Just wipe it out, you've already done NATting with nat/global sequence 2.
We don't see the crypto map part of your config; there might be half a
dozen reasons why the tunnel doesn't come up. Please try to be more
specific here with both crypto map config and log/debug messages. The
setup is very basic. If you control both sides, you shouldn't have any
problems troubleshooting it. Please check the PIX/ASA IPSec VPN examples
under the Technology section of the Cisco web site; there are a great many
helpful scenarios out there.
HTH
A.
Tanuj Mathur wrote:
> Dear Group,
>
> I am trying to establish a Site to Site VPN tunnel between Cisco ASA and VPN concentrator. I am doing a NAT on Cisco ASA to translate the local lan address to a single /32 IP address. The source address used as interesting traffic for the VPN is this /32 address. There is a no nat statement for traffic from translated address to the destination subnet.
>
> Network Behind ASA : 192.168.10.0 /24
>
> accesslist VPN1 line 1 extended permit ip any 10.240.20.0 255.255.255.0
> nat (Inside) 2 accesslist VPN1
> global (Outside) 2 194.63.35.2
> accesslist Outside1cryptomap line 1 extended permit ip host 194.63.35.2 10.240.20.0 255.255.255.0
> accesslist Insidenat0outbound line 1 extended permit ip host 194.63.35.2 10.240.20.0 255.255.255.0
> nat (Inside) 0 accesslist Insidenat0outbound
>
> The tunnel is not coming up. Where did I go wrong?
> Any help will be highly appreciated.
>
> Regards,
> Tanuj
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Thu Jul 02 2009 - 10:02:40 ART
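
Added example, not part of the original thread: a simplified Python model of the outbound path for the config discussed above, showing why the nat 0 statement never matches and the nat/global 2 pair alone puts traffic into the crypto ACL. It assumes the pre-8.3 PIX/ASA order (NAT exemption checked on the real source, then policy NAT, then the crypto ACL on the translated packet); the host addresses 192.168.10.5, 10.240.20.7 and 198.51.100.9 are constructed samples.

```python
# Added illustration: simplified model of the pre-8.3 PIX/ASA outbound path.
# Assumed order: nat 0 exemption on the real source, then policy NAT,
# then the crypto ACL checked against the translated packet.
from ipaddress import ip_address, ip_network

REMOTE = ip_network("10.240.20.0/24")
PAT_IP = ip_address("194.63.35.2")

# Each ACL entry is (source network, destination network), as in the thread.
VPN1 = [(ip_network("0.0.0.0/0"), REMOTE)]         # nat (Inside) 2 / global 2
NAT0 = [(ip_network("194.63.35.2/32"), REMOTE)]    # nat (Inside) 0
CRYPTO = [(ip_network("194.63.35.2/32"), REMOTE)]  # crypto map match ACL


def acl_match(acl, src, dst):
    """True if any entry permits this source/destination pair."""
    return any(src in s and dst in d for s, d in acl)


def outbound(src, dst, use_nat0=True):
    """Return (translated source, nat0_hit, encrypted) for an inside packet."""
    src, dst = ip_address(src), ip_address(dst)
    # NAT exemption is evaluated first, against the untranslated source.
    nat0_hit = use_nat0 and acl_match(NAT0, src, dst)
    xsrc = src
    # Policy NAT: traffic matching VPN1 is translated to the single /32.
    if not nat0_hit and acl_match(VPN1, src, dst):
        xsrc = PAT_IP
    # The crypto ACL sees the packet after translation.
    encrypted = acl_match(CRYPTO, xsrc, dst)
    return str(xsrc), nat0_hit, encrypted


if __name__ == "__main__":
    # Same result with and without the nat 0 statement: it is dead config.
    for use_nat0 in (True, False):
        print(use_nat0, outbound("192.168.10.5", "10.240.20.7", use_nat0))
    # Traffic to other destinations is neither translated by rule 2 nor encrypted.
    print(outbound("192.168.10.5", "198.51.100.9"))
```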