Solved

Can we use a private IP address range on one side of the Site to Site VPN tunnel and a public IP address range on the other?

Posted on 2008-10-08
Last Modified: 2010-10-05
I have set up a Site to Site VPN from my PIX to an ASA at a client site. As you can see from the config below, we are NATing our private LAN network addresses to public addresses when sending traffic across the VPN tunnel. This configuration works fine with other clients, but they are also using public addresses on their end by NATing their private IPs to public IPs. In this case the client is using private IP addresses and is not NATing to public when sending traffic over the VPN tunnel. From what I can see, the VPN tunnel comes up successfully when we generate interesting traffic, but we never get any replies/responses from any of the hosts on their end. Is this because we are going from public to private IP addresses? Or is there a routing problem on their end?
! Remote (client-side) hosts, as they appear behind the ASA: private, not NATed
object-group network OtherSideHosts
  network-object 172.30.X.1 255.255.255.255
  network-object 172.30.X.2 255.255.255.255
  network-object 172.28.X.X 255.255.255.224

access-list acl_out permit icmp any any

! Policy NAT ACLs: each selects one inside host and only its traffic to the remote side
access-list MISSNAT01 permit ip host 10.1.0.13 object-group OtherSideHosts
access-list MISSNAT02 permit ip host 10.1.0.14 object-group OtherSideHosts
access-list MISSNAT03 permit ip host 10.1.0.24 object-group OtherSideHosts
access-list MISSNAT04 permit ip host 10.2.0.12 object-group OtherSideHosts

! Crypto ACL (interesting traffic). It is written with the translated public
! addresses because NAT is applied before the crypto map is matched.
access-list VPN permit ip host 77.77.77.157 object-group OtherSideHosts
access-list VPN permit ip host 77.77.77.158 object-group OtherSideHosts
access-list VPN permit ip host 77.77.77.159 object-group OtherSideHosts
access-list VPN permit ip host 77.77.77.160 object-group OtherSideHosts

access-list acl_intf4 permit ip 10.4.0.0 255.255.0.0 any
access-list acl_intf2 permit ip 10.2.0.0 255.255.0.0 any
access-list acl_intf3 permit ip 10.3.0.0 255.255.0.0 any

ip address outside 77.77.77.150 255.255.255.X
ip address inside 10.1.0.1 255.255.0.0
ip address intf2 10.2.0.1 255.255.0.0
ip address intf3 10.3.0.1 255.255.0.0
ip address intf4 10.4.0.1 255.255.0.0
ip address stateful 10.5.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm

! Dynamic PAT for everything else leaving through outside
global (outside) 1 77.77.77.179
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
nat (intf3) 1 0.0.0.0 0.0.0.0 0 0
nat (intf4) 1 0.0.0.0 0.0.0.0 0 0

! Identity statics between internal interfaces (no translation)
static (inside,intf2) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
static (inside,intf3) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
static (intf2,inside) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0
static (intf2,intf3) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0
static (intf3,inside) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 0 0
static (intf3,intf2) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 0 0
static (intf3,intf4) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 0 0
static (intf4,intf3) 10.4.0.0 10.4.0.0 netmask 255.255.0.0 0 0

! Policy statics: translate each MISSNAT host to its public address only for
! traffic matching its ACL. These take precedence over the nat/global pair above.
static (inside,outside) 77.77.77.157 access-list MISSNAT01 0 0
static (inside,outside) 77.77.77.158 access-list MISSNAT02 0 0
static (inside,outside) 77.77.77.159 access-list MISSNAT03 0 0
static (intf2,outside) 77.77.77.160 access-list MISSNAT04 0 0

access-group acl_out in interface outside
access-group acl_intf2 in interface intf2
access-group acl_intf3 in interface intf3
access-group acl_intf4 in interface intf4

route outside 0.0.0.0 0.0.0.0 77.77.77.119 1

! Decrypted IPsec traffic bypasses the outside interface ACL
sysopt connection permit-ipsec

! Phase 2 and crypto map
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address VPN
crypto map newmap 20 set peer 94.X.X.2
crypto map newmap 20 set transform-set ESP-3DES-SHA
crypto map newmap interface outside

! Phase 1 (IKEv1) with a pre-shared key
isakmp enable outside
isakmp key ******** address 94.X.X.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Question by:CeLLuS
1 Comment
 

Accepted Solution by: CeLLuS
Apparently you can; the other side was missing an exclude-NAT command for traffic from their hosts.
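The fix the accepted answer describes, and the mirror of the PIX configuration in the question, as an added example that is not from the original post and is not the client's actual ASA configuration: the peer side of the tunnel, assuming an ASA running 8.0 (pre-8.3 NAT syntax) that keeps its hosts on private addresses. The only values taken from the page are the PIX outside address 77.77.77.150, its four public NAT addresses and the OtherSideHosts networks; the masked X octets are the page's own and must be replaced with the real values, and every object and ACL name is an assumption.

```cisco
! Peer ASA, client side (ASA 8.0, pre-8.3 NAT syntax). Assumed example; names
! and the masked X octets must be adapted to the real deployment.

! The PIX side as we see it: its translated public addresses, not its 10.x LANs
object-group network PixSideHosts
  network-object host 77.77.77.157
  network-object host 77.77.77.158
  network-object host 77.77.77.159
  network-object host 77.77.77.160

! Our hosts, kept on their private addresses across the tunnel
object-group network OurHosts
  network-object host 172.30.X.1
  network-object host 172.30.X.2
  network-object 172.28.X.X 255.255.255.224

! Crypto ACL: the exact mirror of the PIX "VPN" ACL (our hosts -> their public hosts)
access-list VPN_TO_PIX extended permit ip object-group OurHosts object-group PixSideHosts

! The piece that was missing. Without NAT exemption, replies from OurHosts are
! PATed to the outside address by the nat/global pair below, no longer match
! VPN_TO_PIX, and never enter the tunnel. nat 0 with an ACL is evaluated before
! any static or dynamic NAT, so these flows leave untranslated.
access-list NONAT extended permit ip object-group OurHosts object-group PixSideHosts
nat (inside) 0 access-list NONAT

! Ordinary Internet-bound traffic still gets PAT
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! Phase 1, matching the PIX isakmp policy 10
crypto isakmp enable outside
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400

! Phase 2 and crypto map, peer is the PIX outside address
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address VPN_TO_PIX
crypto map outside_map 20 set peer 77.77.77.150
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

tunnel-group 77.77.77.150 type ipsec-l2l
tunnel-group 77.77.77.150 ipsec-attributes
  pre-shared-key ********

! Decrypted tunnel traffic bypasses the outside interface ACL (ASA name for
! the PIX "sysopt connection permit-ipsec")
sysopt connection permit-vpn
```

Two things worth checking before and after applying this. The failure mode in the question is one-way: on the PIX, `show crypto ipsec sa` for this peer shows #pkts encaps climbing while #pkts decaps stays at zero, and it should start counting as soon as the ASA exempts the return flows. Also note that `sysopt connection permit-vpn` lets anything arriving through the tunnel from 77.77.77.157-160 reach OurHosts without touching the outside ACL; if that is broader than the client wants, disable it with `no sysopt connection permit-vpn` and permit the tunnel traffic explicitly in the outside interface ACL instead.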