

1897 Views 2 Replies Latest reply: Aug 16, 2011 10:22 AM by Ross


ASA site to site VPN tunnel

Aug 14, 2011 8:39 PM

Ross 44 posts since
Oct 22, 2009



Can someone please help me clarify the following?


1. For a site-to-site VPN tunnel between two ASAs, does the NAT 0 statement have to exactly match on both sides? For example, the access list for NAT 0 on ASA-A states: (where is the network on this side, which needs to talk to on the other side through this tunnel)


access-list inside_nat0_outbound extended permit ip


and the access list for NAT 0 on ASA-B for this same tunnel states: (where is the network on this side)


access-list inside_nat0_outbound extended permit


Will this work? Shouldn't ASA-A have the mirror image of ASA-B's NAT 0 statement?



2. For the above-mentioned VPN tunnel, let's say the option 'enable inbound ipsec session to bypass interface access list' is enabled on both ASAs. Then, if machine-A (IP -, behind ASA-A) initiates traffic to machine-B (IP -, behind ASA-B), I assume this traffic will traverse the tunnel just fine, bypassing all interface access lists.


But what about the return traffic for this session, from machine-B to machine-A? That will reach back to ASA-A and, because it is an 'inbound' IPSec session as far as ASA-A is concerned, it bypasses the interface access lists (if any) and everything works just fine. Is this how this option works?


What about the situation when machine-A initiates traffic to an IP address on the other side (which is on VLAN-2) which then gets NAT'd to an IP in a different VLAN (VLAN-3), both VLANs defined on the ASA? In such a case, will the access lists on the ASA between VLAN-2 and VLAN-3 come into play, or will that also be bypassed as a result of the above-mentioned option?


Thank you!

  • Keith Barker - CCIE RS/Security, CISSP 5,327 posts since
    Jul 3, 2009
    1. Aug 14, 2011 9:22 PM (in response to Ross)
    Re: ASA site to site VPN tunnel

    Hello Ross-


    Your NAT 0 at site 1 should mirror your crypto ACLs at site 1.


    Same rules for site 2.


    Normally, we won't NAT the traffic between the 2 sites through the tunnel.


    Following the above NAT 0 guidelines will prevent the NAT from operating on packets going over the tunnel.




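The rule in the reply above (each site's NAT 0 exemption ACL matches that site's own crypto ACL, and the peer's crypto ACL is the mirror image) is easy to check mechanically. The following is an added example, not code from the thread or from Cisco: it parses `access-list ... extended permit ip` entries from ASA running-config text and reports whether the two conditions hold. The ACL names, interface names and the 192.168.10.0/24 and 192.168.20.0/24 addresses are constructed sample values standing in for the addresses that were dropped from the original post.

```python
"""Audit ASA NAT 0 exemption ACLs against crypto ACLs for a site-to-site tunnel.

Added example for this thread (not Cisco code). ACL names, interface names and
all addresses below are constructed sample values.
"""
import ipaddress
import re

# One access-control entry of the form:
#   access-list NAME extended permit ip SRC DST
# where SRC/DST are "any", "host X" or "NETWORK MASK".
_ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+(?P<rest>.+)$"
)


def _take_addr(tokens):
    """Consume one address spec from tokens; return (ip_network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA ACLs use dotted subnet masks (not wildcard masks), which ip_network accepts.
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_acls(config_text):
    """Return {acl_name: {(src_network, dst_network), ...}} for 'permit ip' ACEs."""
    acls = {}
    for line in config_text.splitlines():
        m = _ACE_RE.match(line.strip())
        if not m:
            continue
        src, rest = _take_addr(m.group("rest").split())
        dst, _ = _take_addr(rest)
        acls.setdefault(m.group("name"), set()).add((src, dst))
    return acls


def nat0_matches_crypto(acls, nat0_name, crypto_name):
    """Site-local rule: the NAT 0 ACL carries exactly the crypto ACL's src/dst pairs."""
    return acls.get(nat0_name, set()) == acls.get(crypto_name, set())


def peer_is_mirror(local_aces, peer_aces):
    """Cross-site rule: the peer's crypto ACL is the local one with src and dst swapped."""
    return {(dst, src) for src, dst in local_aces} == set(peer_aces)


def audit(asa_a_config, asa_b_config,
          nat0_name="inside_nat0_outbound", crypto_name="outside_cryptomap"):
    """Run both checks over two ASA configs and return the verdicts."""
    a = parse_acls(asa_a_config)
    b = parse_acls(asa_b_config)
    return {
        "a_nat0_ok": nat0_matches_crypto(a, nat0_name, crypto_name),
        "b_nat0_ok": nat0_matches_crypto(b, nat0_name, crypto_name),
        "peer_mirror_ok": peer_is_mirror(a.get(crypto_name, set()),
                                         b.get(crypto_name, set())),
    }


# Constructed sample configs. ASA-A fronts 192.168.10.0/24, ASA-B fronts 192.168.20.0/24.
ASA_A = """
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
"""

# Correct ASA-B: both ACLs are the mirror image of ASA-A's.
ASA_B_GOOD = """
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
"""

# Misconfigured ASA-B: the NAT 0 ACE was copied verbatim from ASA-A instead of mirrored,
# so local traffic toward the tunnel would not be exempted from NAT.
ASA_B_BAD = """
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
"""

if __name__ == "__main__":
    print("good pair:", audit(ASA_A, ASA_B_GOOD))
    print("bad pair: ", audit(ASA_A, ASA_B_BAD))
```

The comparison is done on parsed networks rather than raw strings, so `host 192.168.10.5` and `192.168.10.5 255.255.255.255` compare equal and ordering of the entries does not matter; only the set of source/destination pairs does.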

