
Site to Site VPN with NAT

Created by dave. (2013 March 8)

Problem

Setting up a site-to-site VPN using your shiny ASA running 8.2.

Your peer has a bunch of remote networks for you to connect to, and wants you to NAT all traffic from your end to a particular source IP.

Note that your partner will not be able to connect to systems on your end with this setup; further NAT exploration is required.

(This is the same as the Netscreen Multiple Proxy IDs problem.)

Solution

Note: This isn't the order that a show run will show it to you. I did it this way because it makes more sense to me to see things defined before they get used. ASA be crazy, yo.

Also you probably want to beware of this whole page. I'm a ScreenOS/JunOS admin, not an ASA herder, so it's quite probable that parts of this are just wrong.

Oh, and special love for Cisco, who changed everything in ASA between 8.2 and 8.3, making Googling for help virtually impossible. Thanks guys. >love<

! You have to do these things once per ASA, not once per VPN
!
! Enable ISAKMP
crypto isakmp enable outside
!
! Associate the outside_map with the (ahem) outside
crypto map outside_map interface outside
!
! Everything under here is specific to our example VPN
! 
! These rules permit traffic into the NAT rule
access-list PARTNER-POLICY-NAT extended permit ip 172.31.99.0 255.255.255.0 100.100.0.0 255.255.240.0 
access-list PARTNER-POLICY-NAT extended permit ip 172.31.99.0 255.255.255.0 100.110.0.0 255.255.192.0 
access-list PARTNER-POLICY-NAT extended permit ip 172.31.99.0 255.255.255.0 10.110.0.0 255.255.0.0 
access-list PARTNER-POLICY-NAT extended permit ip 172.31.99.0 255.255.255.0 host 10.11.0.1 
access-list PARTNER-POLICY-NAT extended permit ip 172.31.99.0 255.255.255.0 host 10.11.0.2 
!
! These rules permit NAT'd traffic across the VPN
!  These rules are your Proxy-IDs
access-list PARTNER-VPN extended permit ip 99.100.123.128 255.255.255.192 100.100.0.0 255.255.240.0 
access-list PARTNER-VPN extended permit ip 99.100.123.128 255.255.255.192 100.110.0.0 255.255.192.0 
access-list PARTNER-VPN extended permit ip 99.100.123.128 255.255.255.192 10.110.0.0 255.255.0.0 
access-list PARTNER-VPN extended permit ip 99.100.123.128 255.255.255.192 host 10.11.0.1 
access-list PARTNER-VPN extended permit ip 99.100.123.128 255.255.255.192 host 10.11.0.2 
!
! This is our remote gateway
tunnel-group 192.168.0.12 type ipsec-l2l
tunnel-group 192.168.0.12 ipsec-attributes
  pre-shared-key MySecretKey
!
! This is a Phase-1 handshake we'll accept.
!  I think if you define this here, the ASA will accept a policy of this type for any 
!  prospective VPN connection.
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
!
! This is a Phase-2 handshake
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
! This associates a Phase-2 with a gateway
!  The "10" below is an integer identification of a particular map
!  to group all the parameters together.  This does NOT have to match
!  the isakmp policy ID.  I just do it this way because it makes more
!  sense to me that way.
crypto map outside_map 10 set peer 192.168.0.12
crypto map outside_map 10 set transform-set ESP-3DES-MD5
! Use the previously-defined access list to permit traffic through the VPN
!  (the map name here must be the same outside_map that was bound to the interface above)
crypto map outside_map 10 match address PARTNER-VPN
!
! NAT rule for VPN traffic
nat (inside) 100 access-list PARTNER-POLICY-NAT
global (outside) 100 99.100.123.129

If you didn't want to do NAT across the VPN, you'd use NAT policy 0, which appears to be the no-NAT (NAT exemption) rule. So do this instead:

! Use the previously-defined access list to permit traffic through the VPN
crypto map outside_map 10 match address PARTNER-POLICY-NAT
! No-NAT for VPN traffic
nat (inside) 0 access-list PARTNER-POLICY-NAT

...although naturally you'd rename the PARTNER-POLICY-NAT access list accordingly. But as a side-effect, the partner would be able to access systems on your end through the VPN.
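The whole trick on this page, in both the NAT and the no-NAT variant, is that the policy-NAT access list and the crypto-map access list have to line up entry for entry: identical destinations, with the source swapped from the real inside network to whatever range the partner is going to see. The Python script below is an added example, not part of the original wiki page: it parses the two access lists shown above, derives the PARTNER-VPN list from PARTNER-POLICY-NAT for a given source range, and flags the two mistakes that fail silently on a real box (a destination present in one list but not the other, and a proxy-ID source that does not actually contain the global address the NAT rule hands out). Passing the real inside network instead of the NAT pool gives the nat 0 case, where the two lists come out identical. The addresses are the page's; the function names and the audit() wrapper are my own.

```python
"""Consistency check for an ASA 8.2 policy-NAT / crypto-map ACL pair.

Example code added for this page, not part of the original wiki entry.
The ACL text below is copied from the page; the helper names are my own.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[Net, Net]  # (source, destination) of one 'permit ip' entry

# Constructed sample input: the two access lists exactly as the page shows them.
PAGE_ACLS = """\
access-list PARTNER-POLICY-NAT extended permit ip 172.31.99.0 255.255.255.0 100.100.0.0 255.255.240.0
access-list PARTNER-POLICY-NAT extended permit ip 172.31.99.0 255.255.255.0 100.110.0.0 255.255.192.0
access-list PARTNER-POLICY-NAT extended permit ip 172.31.99.0 255.255.255.0 10.110.0.0 255.255.0.0
access-list PARTNER-POLICY-NAT extended permit ip 172.31.99.0 255.255.255.0 host 10.11.0.1
access-list PARTNER-POLICY-NAT extended permit ip 172.31.99.0 255.255.255.0 host 10.11.0.2
access-list PARTNER-VPN extended permit ip 99.100.123.128 255.255.255.192 100.100.0.0 255.255.240.0
access-list PARTNER-VPN extended permit ip 99.100.123.128 255.255.255.192 100.110.0.0 255.255.192.0
access-list PARTNER-VPN extended permit ip 99.100.123.128 255.255.255.192 10.110.0.0 255.255.0.0
access-list PARTNER-VPN extended permit ip 99.100.123.128 255.255.255.192 host 10.11.0.1
access-list PARTNER-VPN extended permit ip 99.100.123.128 255.255.255.192 host 10.11.0.2
"""
NAT_GLOBAL = ipaddress.ip_address("99.100.123.129")   # from 'global (outside) 100 ...'
NAT_POOL = ipaddress.ip_network("99.100.123.128/26")  # the proxy-ID source on the page
INSIDE = ipaddress.ip_network("172.31.99.0/24")       # the real inside network


def _addr_spec(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Read one ASA address spec at tokens[i]: 'host A', 'any', or 'A MASK'."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(text: str) -> Dict[str, List[Ace]]:
    """Group 'access-list NAME extended permit ip SRC DST' lines by ACL name."""
    acls: Dict[str, List[Ace]] = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
            continue  # only the plain 'permit ip' form the page uses
        src, i = _addr_spec(t, 5)
        dst, _ = _addr_spec(t, i)
        acls.setdefault(t[1], []).append((src, dst))
    return acls


def _spec(net: Net) -> str:
    """Format a network the way the ASA prints it inside an ACL entry."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def render_crypto_acl(name: str, policy_nat: List[Ace], tunnel_src: Net) -> List[str]:
    """Derive the crypto-map (proxy-ID) ACL from the policy-NAT ACL.

    Destinations are copied; the source becomes the range the partner sees.
    Pass the NAT pool for the NAT case, or the real inside network for the
    nat 0 case, where both lists then come out identical.
    """
    return [f"access-list {name} extended permit ip {_spec(tunnel_src)} {_spec(dst)}"
            for _, dst in policy_nat]


def check_mirror(policy_nat: List[Ace], crypto: List[Ace], nat_global) -> List[str]:
    """Report mismatches between what gets translated and what the tunnel carries."""
    nat_global = ipaddress.ip_address(nat_global)  # accept a string or an address
    problems: List[str] = []
    nat_dsts = {dst for _, dst in policy_nat}
    crypto_dsts = {dst for _, dst in crypto}
    for dst in nat_dsts - crypto_dsts:
        problems.append(f"{dst}: translated but no proxy-ID covers it, so it never enters the tunnel")
    for dst in crypto_dsts - nat_dsts:
        problems.append(f"{dst}: proxy-ID present but no policy-NAT entry, so untranslated traffic will not match it")
    for src, dst in crypto:
        if nat_global not in src:
            problems.append(f"{dst}: proxy-ID source {src} does not contain the global address {nat_global}")
    return problems


def audit(text: str = PAGE_ACLS, nat_name: str = "PARTNER-POLICY-NAT",
          crypto_name: str = "PARTNER-VPN", nat_global=NAT_GLOBAL) -> List[str]:
    """Parse a config fragment and run the mirror check on the two named ACLs."""
    acls = parse_acls(text)
    return check_mirror(acls.get(nat_name, []), acls.get(crypto_name, []), nat_global)


if __name__ == "__main__":
    for line in render_crypto_acl("PARTNER-VPN", parse_acls(PAGE_ACLS)["PARTNER-POLICY-NAT"], NAT_POOL):
        print(line)
    print("problems:", audit() or "none")
```

Run it against a "show run" capture of your own ASA by feeding that text to audit() with your ACL names; the check only understands the plain "permit ip" entries used above, so anything with ports or object groups is skipped rather than misreported.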