Can we use a private IP address range on one side of the Site to Site VPN tunnel and a public IP address range on the other?

Posted on 2008-10-08
Last Modified: 2010-10-05
I have set up a Site to Site VPN from my PIX to an ASA at a client site. As you can see from the config below, we are NATing our private LAN network addresses to public addresses when sending traffic across the VPN tunnel. This configuration works fine with other clients, but they are also using public addresses on their end by NATing their private IPs to public IPs. In this case the client is using private IP addresses and is not NATing to public when sending traffic over the VPN tunnel. From what I can see, the VPN tunnel comes up successfully when we generate interesting traffic, but we never get any reply/responses from any of the hosts on their end. Is this because we are going from public to private IP addresses? Or is there a routing problem on their end?
object-group network OtherSideHosts 
  network-object 172.30.X.1 255.255.255.255 
  network-object 172.30.X.2 255.255.255.255 
  network-object 172.28.X.X 255.255.255.224 
 
access-list acl_out permit icmp any any 
 
access-list MISSNAT01 permit ip host 10.1.0.13 object-group OtherSideHosts 
access-list MISSNAT02 permit ip host 10.1.0.14 object-group OtherSideHosts 
access-list MISSNAT03 permit ip host 10.1.0.24 object-group OtherSideHosts 
access-list MISSNAT04 permit ip host 10.2.0.12 object-group OtherSideHosts 
 
access-list VPN permit ip host 77.77.77.157 object-group OtherSideHosts 
access-list VPN permit ip host 77.77.77.158 object-group OtherSideHosts 
access-list VPN permit ip host 77.77.77.159 object-group OtherSideHosts 
access-list VPN permit ip host 77.77.77.160 object-group OtherSideHosts 
 
access-list acl_intf4 permit ip 10.4.0.0 255.255.0.0 any 
access-list acl_intf2 permit ip 10.2.0.0 255.255.0.0 any 
access-list acl_intf3 permit ip 10.3.0.0 255.255.0.0 any 
 
ip address outside 77.77.77.150 255.255.255.X
ip address inside 10.1.0.1 255.255.0.0
ip address intf2 10.2.0.1 255.255.0.0
ip address intf3 10.3.0.1 255.255.0.0
ip address intf4 10.4.0.1 255.255.0.0
ip address stateful 10.5.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
 
global (outside) 1 77.77.77.179
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
nat (intf3) 1 0.0.0.0 0.0.0.0 0 0
nat (intf4) 1 0.0.0.0 0.0.0.0 0 0
 
static (inside,intf2) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0 
static (inside,intf3) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0 
static (intf2,inside) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0 
static (intf2,intf3) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0 
static (intf3,inside) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 0 0 
static (intf3,intf2) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 0 0 
static (intf3,intf4) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 0 0 
static (intf4,intf3) 10.4.0.0 10.4.0.0 netmask 255.255.0.0 0 0 
 
static (inside,outside) 77.77.77.157 access-list MISSNAT01 0 0 
static (inside,outside) 77.77.77.158 access-list MISSNAT02 0 0 
static (inside,outside) 77.77.77.159 access-list MISSNAT03 0 0 
static (intf2,outside) 77.77.77.160 access-list MISSNAT04 0 0 
 
access-group acl_out in interface outside
access-group acl_intf2 in interface intf2
access-group acl_intf3 in interface intf3
access-group acl_intf4 in interface intf4
 
 
route outside 0.0.0.0 0.0.0.0 77.77.77.119 1
 
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address VPN
crypto map newmap 20 set peer 94.X.X.2
crypto map newmap 20 set transform-set ESP-3DES-SHA
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 94.X.X.2 netmask 255.255.255.255 
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400


Question by:CeLLuS

Accepted Solution

by:
CeLLuS earned 0 total points
ID: 22671139
Apparently you can. The other side was missing an exclude nat command for traffic from their hosts.
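To show why the tunnel came up yet replies never arrived, here is an added example (not from the original post) that models NAT-before-crypto ordering on both peers. The far-side host addresses and its PAT address are constructed placeholders, since the post redacts them; `nat_exempt_acl` stands in for the `nat (inside) 0 access-list` exemption the accepted answer refers to.

```python
"""Model of PIX/ASA NAT-before-crypto ordering for the tunnel in the question."""
from ipaddress import ip_address, ip_network

# Near side: the PIX from the post. Policy statics map an inside host to its
# public identity, but only for traffic to OtherSideHosts (MISSNAT01..04).
NEAR_POLICY_NAT = {"10.1.0.13": "77.77.77.157", "10.1.0.14": "77.77.77.158",
                   "10.1.0.24": "77.77.77.159", "10.2.0.12": "77.77.77.160"}
NEAR_PAT = "77.77.77.179"                     # global (outside) 1
# OtherSideHosts: constructed octets, the post redacts them (172.30.X.1 etc.).
OTHER_SIDE = [ip_network("172.30.1.1/32"), ip_network("172.30.1.2/32"),
              ip_network("172.28.1.0/27")]
NEAR_CRYPTO_ACL = [(ip_network(pub + "/32"), net)
                   for pub in NEAR_POLICY_NAT.values() for net in OTHER_SIDE]

# Far side: the client ASA. Its crypto ACL must mirror ours; its dynamic PAT
# address is a constructed placeholder.
FAR_PAT = "203.0.113.9"
FAR_CRYPTO_ACL = [(net, pub) for pub, net in NEAR_CRYPTO_ACL]


def matches(acl, src, dst):
    """True if any (src_net, dst_net) entry of the ACL covers the packet."""
    return any(ip_address(src) in s and ip_address(dst) in d for s, d in acl)


def near_outbound(src, dst):
    """PIX order: NAT first, then the crypto map is checked on the translated source."""
    to_vpn = any(ip_address(dst) in net for net in OTHER_SIDE)
    xlated = NEAR_POLICY_NAT[src] if src in NEAR_POLICY_NAT and to_vpn else NEAR_PAT
    return xlated, "ipsec" if matches(NEAR_CRYPTO_ACL, xlated, dst) else "clear"


def far_reply(src, dst, nat_exempt_acl=None):
    """ASA reply path: without a NAT exemption the reply source is PATed, so it
    no longer matches the mirrored crypto ACL and leaves in the clear."""
    if nat_exempt_acl is not None and matches(nat_exempt_acl, src, dst):
        xlated = src                      # nat (inside) 0 access-list: identity
    else:
        xlated = FAR_PAT                  # nat (inside) 1 + global PAT
    return xlated, "ipsec" if matches(FAR_CRYPTO_ACL, xlated, dst) else "clear"


if __name__ == "__main__":
    print(near_outbound("10.1.0.13", "172.30.1.1"))                 # ('77.77.77.157', 'ipsec')
    print(far_reply("172.30.1.1", "77.77.77.157"))                  # ('203.0.113.9', 'clear')
    print(far_reply("172.30.1.1", "77.77.77.157", FAR_CRYPTO_ACL))  # ('172.30.1.1', 'ipsec')
```

The exemption ACL on the far side is normally the mirror image of its crypto ACL, which is why the model reuses `FAR_CRYPTO_ACL` for it.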