Solved

Can we use a private IP address range on one side of the Site to Site VPN tunnel and a public IP address range on the other?

Posted on 2008-10-08
420 Views
Last Modified: 2010-10-05
I have set up a Site to Site VPN from my PIX to an ASA at a client site. As you can see from the config below, we are NATing our private LAN network addresses to public addresses when sending traffic across the VPN tunnel. This configuration works fine with other clients, but they are also using public addresses on their end by NATing their private IPs to public IPs. In this case the client is using private IP addresses and is not NATing to public when sending traffic over the VPN tunnel. From what I can see, the VPN tunnel comes up successfully when we generate interesting traffic, but we never get any reply/responses from any of the hosts on their end. Is this because we are going from public to private IP addresses? Or is there a routing problem on their end?
! Hosts on the client (ASA) side that our users need to reach.
object-group network OtherSideHosts
  network-object 172.30.X.1 255.255.255.255
  network-object 172.30.X.2 255.255.255.255
  network-object 172.28.X.X 255.255.255.224

access-list acl_out permit icmp any any

! Policy NAT match lists: each local host is translated to its own public
! address only when it talks to OtherSideHosts. Everything else from these
! hosts still goes through the dynamic PAT pool (global/nat 1) below.
access-list MISSNAT01 permit ip host 10.1.0.13 object-group OtherSideHosts
access-list MISSNAT02 permit ip host 10.1.0.14 object-group OtherSideHosts
access-list MISSNAT03 permit ip host 10.1.0.24 object-group OtherSideHosts
access-list MISSNAT04 permit ip host 10.2.0.12 object-group OtherSideHosts

! Crypto ACL (interesting traffic). It is written with the post-NAT public
! addresses because the PIX translates a packet before it evaluates the
! crypto map, so the peer must mirror these 77.77.77.157-160 sources, not
! the 10.x originals.
access-list VPN permit ip host 77.77.77.157 object-group OtherSideHosts
access-list VPN permit ip host 77.77.77.158 object-group OtherSideHosts
access-list VPN permit ip host 77.77.77.159 object-group OtherSideHosts
access-list VPN permit ip host 77.77.77.160 object-group OtherSideHosts

access-list acl_intf4 permit ip 10.4.0.0 255.255.0.0 any
access-list acl_intf2 permit ip 10.2.0.0 255.255.0.0 any
access-list acl_intf3 permit ip 10.3.0.0 255.255.0.0 any

ip address outside 77.77.77.150 255.255.255.X
ip address inside 10.1.0.1 255.255.0.0
ip address intf2 10.2.0.1 255.255.0.0
ip address intf3 10.3.0.1 255.255.0.0
ip address intf4 10.4.0.1 255.255.0.0
ip address stateful 10.5.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm

! Dynamic PAT for ordinary Internet traffic from all internal interfaces.
global (outside) 1 77.77.77.179
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
nat (intf3) 1 0.0.0.0 0.0.0.0 0 0
nat (intf4) 1 0.0.0.0 0.0.0.0 0 0

! Identity statics so the internal interfaces can reach each other
! without translation.
static (inside,intf2) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
static (inside,intf3) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
static (intf2,inside) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0
static (intf2,intf3) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0
static (intf3,inside) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 0 0
static (intf3,intf2) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 0 0
static (intf3,intf4) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 0 0
static (intf4,intf3) 10.4.0.0 10.4.0.0 netmask 255.255.0.0 0 0

! Policy statics: bind each MISSNATxx list to its public address.
static (inside,outside) 77.77.77.157 access-list MISSNAT01 0 0
static (inside,outside) 77.77.77.158 access-list MISSNAT02 0 0
static (inside,outside) 77.77.77.159 access-list MISSNAT03 0 0
static (intf2,outside) 77.77.77.160 access-list MISSNAT04 0 0

access-group acl_out in interface outside
access-group acl_intf2 in interface intf2
access-group acl_intf3 in interface intf3
access-group acl_intf4 in interface intf4

route outside 0.0.0.0 0.0.0.0 77.77.77.119 1

! Decrypted IPsec traffic bypasses the outside interface ACL (acl_out).
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address VPN
crypto map newmap 20 set peer 94.X.X.2
crypto map newmap 20 set transform-set ESP-3DES-SHA
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 94.X.X.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400


Question by:CeLLuS
1 Comment
 

Accepted Solution
by: CeLLuS (earned 0 total points)
ID: 22671139
Apparently you can, the other side was missing an exclude nat command for traffic from their hosts.
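The fix the poster reports is NAT exemption on the client's ASA. Without it, the ASA's own dynamic PAT rewrites replies destined for 77.77.77.157-160 to the ASA's outside address before the crypto map is consulted, so they no longer match the mirrored crypto ACL and leave unencrypted. The fragment below is an added example of what the client side would look like, not the poster's or the client's actual config: it assumes pre-8.3 ASA NAT syntax (the 2008-era syntax matching the PIX above), reuses the page's masked host addresses (172.30.X.1 and so on), and the interface, ACL and map names are made up.

```text
! Client-side ASA, pre-8.3 NAT syntax (assumed). Added example, not the
! poster's or the client's configuration.
!
! Local hosts reachable through the tunnel; same members as the PIX's
! OtherSideHosts group.
object-group network LocalVpnHosts
  network-object 172.30.X.1 255.255.255.255
  network-object 172.30.X.2 255.255.255.255
  network-object 172.28.X.X 255.255.255.224
!
! From this side the PIX hosts are their post-NAT public addresses,
! not 10.1.0.x / 10.2.0.x.
object-group network RemoteVpnHosts
  network-object 77.77.77.157 255.255.255.255
  network-object 77.77.77.158 255.255.255.255
  network-object 77.77.77.159 255.255.255.255
  network-object 77.77.77.160 255.255.255.255
!
! Crypto ACL: exact mirror of the PIX "VPN" ACL (local source, remote
! destination).
access-list VPN-TO-PIX extended permit ip object-group LocalVpnHosts object-group RemoteVpnHosts
!
! Ordinary outbound PAT for Internet traffic. On its own this is the
! broken state: replies to 77.77.77.157-160 are also translated to the
! outside address, never match VPN-TO-PIX, and go out in the clear.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! The missing piece: NAT exemption. nat 0 with an access list wins over
! the dynamic nat 1 above, so tunnel traffic keeps its real addresses.
access-list NONAT extended permit ip object-group LocalVpnHosts object-group RemoteVpnHosts
nat (inside) 0 access-list NONAT
!
! IPsec settings matching the PIX side.
sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address VPN-TO-PIX
crypto map outside_map 20 set peer 77.77.77.150
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
tunnel-group 77.77.77.150 type ipsec-l2l
tunnel-group 77.77.77.150 ipsec-attributes
  pre-shared-key ********
```

To confirm the diagnosis before touching the far end, look at `show crypto ipsec sa` on the PIX for this peer: #pkts encaps climbing while #pkts decaps stays at 0 is exactly the symptom in the question (tunnel up, nothing coming back through it), and after the exemption is added decaps should rise with encaps. The transform set and ISAKMP policy above copy the poster's choices so the two ends negotiate; 3DES, SHA-1 and DH group 2 are deprecated today, and a current deployment should use AES with a larger Diffie-Hellman group on both ends.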
