Solved

site-to-site VPN with static NAT and dynamic NAT

Posted on 2007-04-03
1,924 Views
Last Modified: 2007-11-27
I am using a Cisco ASA 5520 with three site-to-site VPNs using ACL nonat and nat (inside) 0 access-list nonat. See below:
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 172.16.249.0 255.255.255.0
nat (inside) 0 access-list nonat
!
!
I now have to create a new VPN but this time, the other party wants us to use static entries and to NAT our internal IP addresses to a range that they gave us. I was thinking of adding the following to my existing configuration:
access-list policy_nat permit ip 10.75.225.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list vpn_static permit ip 10.75.225.0 255.255.255.0 10.1.16.0 255.255.255.0
static (inside,outside) 10.74.110.0 access-list policy_nat

Would this work?

Question by:tshi5791
13 Comments
 
LVL 10

Expert Comment

by:Sorenson
ID: 18850041
No, that won't work.
If I understand you correctly, you need to create a VPN from your site to another site, and translate your internal addresses to the addresses that the remote site wants you to use.

To do this you will need to create conditional NAT statements for your internal addresses that are going to be used on the VPN. The NAT will take place before the tunnel; therefore the nonat access-list will need to have the new addresses added to it.
For example:
Internal Addresses:   10.75.225.0  
VPN nat to addresses:   172.16.225.0  (addresses provided by other side of vpn)
! add line to nonat to handle new addresses in vpn
! where x.x.x.x and y.y.y.y are the network and subnet on the other side of the vpn
access-list nonat permit ip 172.16.225.0 255.255.255.0  x.x.x.x y.y.y.y
!
! then you will need to create the address translations
! this part will need to be done on a 1-1 address translation basis
access-list vpntrans1 permit ip host 10.75.225.1 x.x.x.x y.y.y.y
static (inside,outside) 172.16.225.1 access-list vpntrans1
!
access-list vpntrans1 permit ip host 10.75.225.2 x.x.x.x y.y.y.y
static (inside,outside) 172.16.225.2 access-list vpntrans1
!
! etc, etc.  

The asa config will bark a little about the overlap (if these addresses are also used in your global for internet access), however the configuration works.

When you build the VPN and security associations, remember that you will be peering the NAT'd addresses with their addresses, i.e. permit ip 172.16.225.0 255.255.255.0 x.x.x.x y.y.y.y


Hope that helps.



0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18850056
Sorry... a little too quick on my copy/paste...
It should read:

--- snip ---
! this part will need to be done on a 1-1 address translation basis
access-list vpntrans1 permit ip host 10.75.225.1 x.x.x.x y.y.y.y
static (inside,outside) 172.16.225.1 access-list vpntrans1
!
access-list vpntrans2 permit ip host 10.75.225.2 x.x.x.x y.y.y.y
static (inside,outside) 172.16.225.2 access-list vpntrans2
!
!etc etc
0
 

Author Comment

by:tshi5791
ID: 18853554
Sorenson,
Thanks for the quick reply. Below is the configuration that I intend to add to my ASA. You will notice an access-list for GRE; that is for a router on the inside network with a tunnel that is used with the VPN. Basically I am moving the VPN from a router to the ASA.

access-list nonat extended permit ip 10.74.110.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list nonat extended permit ip 10.74.110.0 255.255.255.0 10.1.56.0 255.255.255.0
access-list nonat extended permit ip 10.74.110.0 255.255.255.0 10.1.63.0 255.255.255.0


access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.16.255.255.255.0
access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.16.255.255.255.0
access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.16.255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.16.255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.16.255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.16.255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.16.255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.16.255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.16.255.255.255.0
access-list ClientVPNSTATIC4 permit ip host 10.74.0.110 10.74.254.1 255.255.255.255


static (inside,outside) 10.74.110.111 access-list ClientVPNSTATIC1
static (inside,outside) 10.74.110.108 access-list ClientVPNSTATIC2
static (inside,outside) 10.74.110.101 access-list ClientVPNSTATIC3


access-list exc_cert_dev extended permit ip 172.16.225.0 255.255.255.0 10.74.110.0 255.255.255.0
access-list exc_cert_dev extended permit gre host 10.74.0.110 host 10.74.254.1
access-list exc_cert_dev extended deny gre any any

crypto ipsec transform-set AllVPNs esp-3des esp-md5-hmac

crypto map ClientVPN 50 match address exc_cert_dev
crypto map ClientVPN 50 set peer x.x.x.x
crypto map ClientVPN 50 set transform-set AllVPNs

crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
 
 
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18853656
I am not sure I understand.

Can you diagram it out for me?
The access-lists that you posted above are not correct for the conditional NATs.
There should be only 1 ACL line per NAT, and the ACL lines above do not make sense; the last IP addresses and netmasks are all run together.


0
 

Author Comment

by:tshi5791
ID: 18853694
Sorry, I made a typo earlier and my copy/paste during the writing of the configuration messed me up. Here is how it is:

access-list nonat extended permit ip 10.74.110.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list nonat extended permit ip 10.74.110.0 255.255.255.0 10.1.56.0 255.255.255.0
access-list nonat extended permit ip 10.74.110.0 255.255.255.0 10.1.63.0 255.255.255.0


access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.16.0 255.255.255.0
access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.56.0 255.255.255.0
access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.63.0 255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.16.0 255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.56.0 255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.63.0 255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.16.0 255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.56.0 255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.63.0 255.255.255.0
access-list ClientVPNSTATIC4 permit ip host 10.74.0.110 10.74.254.1 255.255.255.255


static (inside,outside) 10.74.110.111 access-list ClientVPNSTATIC1
static (inside,outside) 10.74.110.108 access-list ClientVPNSTATIC2
static (inside,outside) 10.74.110.101 access-list ClientVPNSTATIC3


access-list exc_cert_dev extended permit ip 172.16.225.0 255.255.255.0 10.74.110.0 255.255.255.0
access-list exc_cert_dev extended permit gre host 10.74.0.110 host 10.74.254.1
access-list exc_cert_dev extended deny gre any any

crypto ipsec transform-set AllVPNs esp-3des esp-md5-hmac

crypto map ClientVPN 50 match address exc_cert_dev
crypto map ClientVPN 50 set peer x.x.x.x
crypto map ClientVPN 50 set transform-set AllVPNs

crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
 
 
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
0
 

Author Comment

by:tshi5791
ID: 18853966
Our inside networks: 10.75.225.0/24 and 10.0.1.0/24
IP addresses provided by the third party for NATting: 10.74.110.0/24
Third party LANs: 10.1.16.0/24, 10.1.56.0/24 and 10.1.63.0/24

We need to access their LANs using the NATTED IP range provided.

Thanks,
0
 
LVL 10

Accepted Solution

by: Sorenson (earned 1000 total points)
ID: 18857091
I am not sure I understand this access-list. Is this the interesting traffic for the new VPN?
!
access-list exc_cert_dev extended permit ip 172.16.225.0 255.255.255.0 10.74.110.0 255.255.255.0
access-list exc_cert_dev extended permit gre host 10.74.0.110 host 10.74.254.1
access-list exc_cert_dev extended deny gre any any
!

shouldn't it be:
!
access-list exc_cert_dev permit ip 10.74.110.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list exc_cert_dev permit ip 10.74.110.0 255.255.255.0 10.1.56.0 255.255.255.0
access-list exc_cert_dev permit ip 10.74.110.0 255.255.255.0 10.1.63.0 255.255.255.0
!

Also, for all of the access-lists it may be easier to create an object group,
i.e.:
!
object-group network CompanyB
  network-object 10.1.16.0 255.255.255.0
  network-object 10.1.56.0 255.255.255.0
  network-object 10.1.63.0 255.255.255.0
!
! then the ACL could be shortened to 1 line
access-list exc_cert_dev permit ip 10.74.110.0 255.255.255.0 object-group CompanyB
! (same for all other places you have the 3 networks); easier to update as well, as you just update the object group to remove or add networks, and all of the other spots are updated.



0
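The two points Sorenson makes above (the policy static translation happens before the packet reaches the crypto map, so the crypto ACL and the nonat list must name the translated addresses; and an object group collapses the three CompanyB networks into one ACE) can be checked with a small model. The following Python is an added example written for this page; it is not code from the thread or from Cisco. It models only the part of ASA behaviour the thread relies on: the policy static NAT is applied to the source first, then the crypto map ACL is evaluated against the translated source (NAT exemption, dynamic NAT and the GRE lines are deliberately not modelled). The address values are the ones posted in the thread; the destination 192.0.2.10 is a constructed non-VPN address.

```python
import ipaddress

# object-group network CompanyB (from the accepted solution above)
OBJECT_GROUPS = {
    "CompanyB": ["10.1.16.0/24", "10.1.56.0/24", "10.1.63.0/24"],
}


def acl(entries):
    """Expand (src, dst) pairs into (IPv4Network, IPv4Network) ACEs.

    `dst` may be an object-group name; like the ASA, we expand it into one
    ACE per member network.
    """
    aces = []
    for src, dst in entries:
        for d in OBJECT_GROUPS.get(dst, [dst]):
            aces.append((ipaddress.ip_network(src), ipaddress.ip_network(d)))
    return aces


def acl_permits(aces, src, dst):
    """True if any ACE covers this source/destination pair."""
    return any(src in s and dst in d for s, d in aces)


def to_asa_lines(name, aces):
    """Render ACEs in pre-8.3 ASA syntax, using `host x` for /32 entries."""
    def part(net):
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        return f"{net.network_address} {net.netmask}"
    return [f"access-list {name} permit ip {part(s)} {part(d)}" for s, d in aces]


# static (inside,outside) MAPPED access-list ACL : one ACL per real host,
# as in ClientVPNSTATIC1..3 in the thread.
POLICY_STATIC = [
    (acl([("10.75.225.71/32", "CompanyB")]), "10.74.110.111"),
    (acl([("10.0.1.125/32", "CompanyB")]), "10.74.110.108"),
    (acl([("10.75.225.227/32", "CompanyB")]), "10.74.110.101"),
]

# Crypto ACL as corrected in the accepted solution: mapped range -> CompanyB.
CRYPTO_ACL_OK = acl([("10.74.110.0/24", "CompanyB")])
# Crypto ACL as first posted (wrong source network): nothing will match it.
CRYPTO_ACL_WRONG = acl([("172.16.225.0/24", "10.74.110.0/24")])


def translate_source(src, dst):
    """First matching policy static wins; unmatched traffic keeps its real address."""
    for aces, mapped in POLICY_STATIC:
        if acl_permits(aces, src, dst):
            return ipaddress.ip_address(mapped)
    return src


def outbound(src_str, dst_str, crypto_acl):
    """Return (source seen on the outside, whether the crypto map claims the packet).

    A False second element means the packet leaves the outside interface
    unencrypted (or is dropped by the outside ACL), which is the failure mode
    a mis-addressed crypto ACL produces.
    """
    src = ipaddress.ip_address(src_str)
    dst = ipaddress.ip_address(dst_str)
    xlated = translate_source(src, dst)
    return str(xlated), acl_permits(crypto_acl, xlated, dst)


if __name__ == "__main__":
    for line in to_asa_lines("exc_cert_dev", CRYPTO_ACL_OK):
        print(line)
    for s, d in [("10.75.225.71", "10.1.16.5"), ("10.0.1.125", "10.1.63.9"),
                 ("10.75.225.71", "192.0.2.10")]:
        print(s, "->", d, "ok:", outbound(s, d, CRYPTO_ACL_OK),
              "wrong:", outbound(s, d, CRYPTO_ACL_WRONG))
```

Running it shows the three expanded exc_cert_dev lines, that 10.75.225.71 leaves as 10.74.110.111 and is picked up by the corrected crypto ACL but never by the originally posted one, and that traffic to a destination outside CompanyB is not touched by the policy static at all.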
 

Author Comment

by:tshi5791
ID: 18857372
Another oversight on my part. I don't know how I came up with that 172.16.225.x.
However, the ACL with the GRE is to allow a router in the inside network to receive multicast traffic. I might need to add 10.74.254.1 to the object group as well.

I will try that and let you know... thanks
 
0
 

Author Comment

by:tshi5791
ID: 18860545
Hi Sorenson:

I have yet to make the changes... but what book(s) out there would you recommend? I looked all over for this type of suggestion online but came up empty.

Regards,
0
 

Author Comment

by:tshi5791
ID: 18881862
Thanks for all your help
0
 
LVL 10

Expert Comment

by:Sorenson
ID: 18899180
I found this solution after opening a case with Cisco a year ago, with a similar situation. I am out of the office until Monday, but will check for book titles.
0
 

Author Comment

by:tshi5791
ID: 18917277
Thanks. Looking forward to that info.
0
 

Expert Comment

by:mefenix211
ID: 27833809
Sorenson, if you are available I am in desperate need of your help! My job is on the line here. Please take a look at my question at the link below. I'm completely lost!

http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_25367685.html
0
