TOPIC: ASA 5505 - site to site VPN and PAT IP

ASA 5505 - site to site VPN and PAT IP 7 years 2 months ago #31047

  • ck1
Hello all, I am a little stumped and could use a hand!

Here is our network design
img190.imageshack.us/img190/1006/vpnconcept.jpg

I had a pretty good sample configuration of exactly what we want (LAN-to-LAN Tunnel Between ASA 5505 and ASA/PIX) here

www.cisco.com/en/US/products/ps6120/prod...186a0080950890.shtml

But the Main office IT group wants us to PAT our private IPs to a single IP (10.70.4.70) for the tunnel. How would I incorporate that with the above configuration? I tried several ways:

nat (inside) 1 192.168.1.1 255.255.255.0
global (outside) 1 10.70.4.70

but then I couldn't figure out how to route to the internet from there. Also, I don't know if it's better to PAT to that IP all the time, or only for the tunnel. Is there a cost/benefit in performance?

Appreciate any help you can give!

Re: ASA 5505 - site to site VPN and PAT IP 7 years 2 months ago #31052

  • ck1
Hmm, well, I give up.

Re: ASA 5505 - site to site VPN and PAT IP 7 years 2 months ago #31119

  • r0nni3
[code:1]access-list vpn-nat permit ip 192.168.1.0 255.255.255.0 10.1.130.0 255.255.255.0
!
static (inside,outside) 10.70.4.70 access-list vpn-nat
!
access-list vpn-data permit ip host 10.70.4.70 10.1.130.0 255.255.255.0[/code:1]

Hope this helps :)

This way you can make your L2L tunnel and still have a connection to the internet, since the destination addresses of the internet are outside of the private IP ranges.
I have to warn you though. Using this setup might cause problems with the stability of the VPN.
Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
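
An added example, not part of r0nni3's post or the linked Cisco sample: one way to PAT only tunnel-bound traffic to 10.70.4.70 with policy dynamic NAT while all other traffic is PATed for internet access, written in the pre-8.3 `nat`/`global` syntax used in this thread. The crypto map name and sequence number (`outside_map 20`) and the use of the outside interface address for internet PAT are assumptions; the 10.1.130.0/24 remote network is taken from the reply above.

```cisco
! Selects traffic from the branch LAN to the main-office LAN.
access-list vpn-nat extended permit ip 192.168.1.0 255.255.255.0 10.1.130.0 255.255.255.0
!
! Policy PAT: only traffic matching vpn-nat is translated to 10.70.4.70.
! Policy NAT is evaluated before the regular dynamic NAT rule below.
nat (inside) 2 access-list vpn-nat
global (outside) 2 10.70.4.70
!
! Everything else from the LAN is PATed for internet access.
! (Assumption: internet PAT uses the outside interface address.)
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! The crypto ACL must match the post-NAT source, because NAT is applied
! before the packet is checked against the crypto map.
access-list vpn-data extended permit ip host 10.70.4.70 10.1.130.0 255.255.255.0
!
! Assumed crypto map name and sequence number; use the ones already
! defined for the L2L peer in the running configuration.
crypto map outside_map 20 match address vpn-data
!
! If the existing configuration has a "nat (inside) 0 access-list ..."
! exemption covering 192.168.1.0/24 -> 10.1.130.0/24, it is matched
! first and the traffic leaves untranslated, so that entry must be removed.
!
! Checks after bringing the tunnel up:
!   show xlate              - PAT entries to 10.70.4.70 for tunnel traffic
!   show crypto ipsec sa    - local ident should be 10.70.4.70/255.255.255.255
```

Because this is dynamic PAT, only hosts behind the 5505 can initiate sessions through the tunnel; the main office cannot open connections to individual 192.168.1.x hosts.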