2 Replies Latest reply: Aug 16, 2011 10:22 AM by Ross

ASA site to site VPN tunnel

Can someone please help me clarify the following?

1. For a site to site VPN tunnel between two ASAs, does the NAT 0 statement have to exactly match on both sides? For example, the access list for NAT 0 on ASA-A states: (where is the network on this side, which needs to talk to on the other side through this tunnel)

access-list inside_nat0_outbound extended permit ip

and the access list for NAT 0 on ASA-B for this same tunnel states: (where is the network on this side)

access-list inside_nat0_outbound extended permit

Will this work? Shouldn't ASA-A have the mirror image of ASA-B's NAT0 statement?

2. For the above mentioned VPN tunnel, let's say the option 'enable inbound ipsec session to bypass interface access list' is enabled on both ASAs. Then, if machine-A (IP -, behind ASA-A) initiates traffic to machine-B (IP - behind ASA-B), I assume this traffic will traverse the tunnel just fine, bypassing all interface access lists.

But what about the return traffic for this session, from machine-B to machine-A? That will reach back ASA-A and because it is an 'inbound' IPSec session as far as ASA-A is concerned, it bypasses the interface access lists (if any) and everything works just fine. Is this how this option works?

What about the situation when machine-A initiates traffic to an IP address on the other side (which is on VLAN-2) which then gets NAT'd to an IP in a different VLAN (VLAN-3), both VLANs defined on the ASA? In such a case will the access-lists on the ASA between VLAN-2 and VLAN-3 come into play or will that also be bypassed as the result of the above mentioned option?

Thank you!
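Question 1 above comes down to a consistency check: each ASA writes its NAT exemption ACL from its own point of view (source = its local network, destination = the remote network), so the two sides should be mirror images of each other, and the same mirroring requirement holds for the crypto ACLs that define interesting traffic for the tunnel. A mismatched mask or a forgotten entry on one side is a common reason a LAN-to-LAN tunnel works in one direction only, or not at all. The script below is an added example (not part of this thread, and not Cisco code) that parses the `access-list NAME extended permit ip SRC DST` form of ACE shown in the question and reports every entry whose mirror is missing on the peer. All addresses (10.1.1.0/24 behind ASA-A, 10.2.2.0/24 behind ASA-B) are constructed for the example; the parser only handles `permit ip` with `any`, `host A.B.C.D` and `NET MASK` operands, which is an assumption about the ACLs being checked.

```python
import ipaddress


def _take_addr(tokens):
    """Consume one ASA address operand ('any', 'host X', or 'NET MASK')
    and return (network-as-string, remaining tokens)."""
    if tokens[0] == "any":
        return "0.0.0.0/0", tokens[1:]
    if tokens[0] == "host":
        return str(ipaddress.ip_network(tokens[1] + "/32")), tokens[2:]
    # 'NET MASK' form; strict=False tolerates host bits set in NET
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return str(net), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended permit ip SRC DST' into
    (name, src_network, dst_network). Other ACE forms raise ValueError.
    Assumption: only the 'permit ip' extended form used for NAT 0 /
    crypto ACLs is supported (no ports, no 'log', no object-groups)."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    name, action, proto = tokens[1], tokens[3], tokens[4]
    if action != "permit" or proto != "ip":
        raise ValueError(f"unsupported ACE (only 'permit ip' handled): {line!r}")
    src, rest = _take_addr(tokens[5:])
    dst, rest = _take_addr(rest)
    if rest:
        raise ValueError(f"unexpected trailing tokens {rest!r} in {line!r}")
    return name, src, dst


def mirror_gaps(acl_a, acl_b):
    """Compare two ACLs, one from each tunnel endpoint.
    Returns (missing_on_b, missing_on_a): (src, dst) pairs present on one
    side whose swapped counterpart (dst, src) is absent on the other."""
    pairs_a = {(src, dst) for _, src, dst in map(parse_ace, acl_a)}
    pairs_b = {(src, dst) for _, src, dst in map(parse_ace, acl_b)}
    missing_on_b = {(s, d) for s, d in pairs_a if (d, s) not in pairs_b}
    missing_on_a = {(s, d) for s, d in pairs_b if (d, s) not in pairs_a}
    return missing_on_b, missing_on_a


def is_mirrored(acl_a, acl_b):
    """True when every entry on each side has its mirror on the peer."""
    missing_on_b, missing_on_a = mirror_gaps(acl_a, acl_b)
    return not missing_on_b and not missing_on_a


# Constructed sample configurations (not from the thread).
ASA_A_NAT0 = [
    "access-list inside_nat0_outbound extended permit ip "
    "10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0",
]
# Correct peer: same pair, written from ASA-B's perspective.
ASA_B_NAT0 = [
    "access-list inside_nat0_outbound extended permit ip "
    "10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0",
]
# Misconfigured peer: remote side exempted with a /16 instead of the /24,
# so the two ACLs no longer mirror each other.
ASA_B_MASK_ERROR = [
    "access-list inside_nat0_outbound extended permit ip "
    "10.2.2.0 255.255.255.0 10.1.0.0 255.255.0.0",
]


if __name__ == "__main__":
    for label, acl_b in (("good peer", ASA_B_NAT0), ("bad peer", ASA_B_MASK_ERROR)):
        missing_on_b, missing_on_a = mirror_gaps(ASA_A_NAT0, acl_b)
        print(f"{label}: mirrored={is_mirrored(ASA_A_NAT0, acl_b)}")
        for src, dst in sorted(missing_on_b):
            print(f"  ASA-A has {src} -> {dst}, ASA-B lacks {dst} -> {src}")
        for src, dst in sorted(missing_on_a):
            print(f"  ASA-B has {src} -> {dst}, ASA-A lacks {dst} -> {src}")
```

Running the script reports the good peer as mirrored and, for the bad peer, prints both halves of the mismatch (the /24 pair ASA-B lacks and the /16 pair ASA-A lacks), which is the detail to look for before debugging the tunnel itself. The same comparison can be pointed at the two crypto ACLs, since a non-mirrored crypto ACL leads to proxy-identity mismatches during tunnel negotiation.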