Solved

site-to-site VPN with static NAT and dynamic NAT

Posted on 2007-04-03
Last Modified: 2007-11-27
I am using a Cisco ASA 5520 with three site-to-site VPNs that rely on the nonat ACL and nat (inside) 0 access-list nonat; see below:
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 172.16.249.0 255.255.255.0
nat (inside) 0 access-list nonat
!
!
I now have to create a new VPN but this time, the other party wants us to use static entries and to NAT our internal IP addresses to a range that they gave us. I was thinking of adding the following to my existing configuration:
access-list policy_nat permit ip 10.75.225.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list vpn_static permit ip 10.75.225.0 255.255.255.0 10.1.16.0 255.255.255.0
static (inside,outside) 10.74.110.0 access-list policy_nat

Would this work?

Question by:tshi5791

Expert Comment

by:Sorenson
No, that won't work.
If I understand you correctly, you need to create a VPN from your site to another site, and translate your internal address to addresses that the remote site wants you to use.

To do this you will need to create conditional NAT statements for the internal addresses that are going to be used on the VPN. The NAT takes place before the tunnel; therefore, the nonat access-list will need to have the new addresses added to it.
For example:
Internal Addresses:   10.75.225.0  
VPN nat to addresses:   172.16.225.0  (addresses provided by other side of vpn)
! add line to nonat to handle new addresses in vpn
! where x.x.x.x and y.y.y.y are the network and subnet on the other side of the vpn
access-list nonat permit ip 172.16.225.0 255.255.255.0  x.x.x.x y.y.y.y
!
! then you will need to create the address translations
! this part will need to be done on a 1-1 address translation basis
access-list vpntrans1 permit ip host 10.75.225.1 x.x.x.x y.y.y.y
static (inside,outside) 172.16.225.1 access-list vpntrans1
!
access-list vpntrans1 permit ip host 10.75.225.2 x.x.x.x y.y.y.y
static (inside,outside) 172.16.225.2 access-list vpntrans1
!
! etc, etc.  

The ASA config will bark a little about the overlap (if these addresses are also used in your global for internet access); however, the configuration works.

When you build the VPN and security associations, remember that you will be peering the NAT'd addresses with their addresses, i.e. permit ip 172.16.225.0 255.255.255.0 x.x.x.x y.y.y.y


Hope that helps.


Expert Comment

by:Sorenson
Sorry... a little too quick on my copy/paste... It should read:

--- snip ---
! this part will need to be done on a 1-1 address translation basis
access-list vpntrans1 permit ip host 10.75.225.1 x.x.x.x y.y.y.y
static (inside,outside) 172.16.225.1 access-list vpntrans1
!
access-list vpntrans2 permit ip host 10.75.225.2 x.x.x.x y.y.y.y
static (inside,outside) 172.16.225.2 access-list vpntrans2
!
!etc etc

Author Comment

by:tshi5791
Sorenson,
Thanks for the quick reply. Below is the configuration that I intend to add to my ASA. You will notice an access-list for GRE; that is for a router on the inside network with a tunnel that is used with the VPN. Basically I am moving the VPN from a router to the ASA.

access-list nonat extended permit ip 10.74.110.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list nonat extended permit ip 10.74.110.0 255.255.255.0 10.1.56.0 255.255.255.0
access-list nonat extended permit ip 10.74.110.0 255.255.255.0 10.1.63.0 255.255.255.0


access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.16.255.255.255.0
access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.16.255.255.255.0
access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.16.255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.16.255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.16.255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.16.255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.16.255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.16.255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.16.255.255.255.0
access-list ClientVPNSTATIC4 permit ip host 10.74.0.110 10.74.254.1 255.255.255.255


static (inside,outside) 10.74.110.111 access-list ClientVPNSTATIC1
static (inside,outside) 10.74.110.108 access-list ClientVPNSTATIC2
static (inside,outside) 10.74.110.101 access-list ClientVPNSTATIC3


access-list exc_cert_dev extended permit ip 172.16.225.0 255.255.255.0 10.74.110.0 255.255.255.0
access-list exc_cert_dev extended permit gre host 10.74.0.110 host 10.74.254.1
access-list exc_cert_dev extended deny gre any any

crypto ipsec transform-set AllVPNs esp-3des esp-md5-hmac

crypto map ClientVPN 50 match address exc_cert_dev
crypto map ClientVPN 50 set peer x.x.x.x
crypto map ClientVPN 50 set transform-set AllVPNs

crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
 
 
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

Expert Comment

by:Sorenson
I am not sure I understand.  

Can you diagram it out for me?
The access-lists that you posted above are not correct for the conditional NATs.
There should be only 1 ACL line per NAT, and the ACL lines above do not make sense: the last IP addresses and netmasks are all run together.



Author Comment

by:tshi5791
Sorry, I made a typo earlier, and my copy/paste while writing up the configuration messed me up. Here is how it is:

access-list nonat extended permit ip 10.74.110.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list nonat extended permit ip 10.74.110.0 255.255.255.0 10.1.56.0 255.255.255.0
access-list nonat extended permit ip 10.74.110.0 255.255.255.0 10.1.63.0 255.255.255.0


access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.16.0 255.255.255.0
access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.56.0 255.255.255.0
access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.63.0 255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.16.0 255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.56.0 255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.63.0 255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.16.0 255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.56.0 255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.63.0 255.255.255.0
access-list ClientVPNSTATIC4 permit ip host 10.74.0.110 10.74.254.1 255.255.255.255


static (inside,outside) 10.74.110.111 access-list ClientVPNSTATIC1
static (inside,outside) 10.74.110.108 access-list ClientVPNSTATIC2
static (inside,outside) 10.74.110.101 access-list ClientVPNSTATIC3


access-list exc_cert_dev extended permit ip 172.16.225.0 255.255.255.0 10.74.110.0 255.255.255.0
access-list exc_cert_dev extended permit gre host 10.74.0.110 host 10.74.254.1
access-list exc_cert_dev extended deny gre any any

crypto ipsec transform-set AllVPNs esp-3des esp-md5-hmac

crypto map ClientVPN 50 match address exc_cert_dev
crypto map ClientVPN 50 set peer x.x.x.x
crypto map ClientVPN 50 set transform-set AllVPNs

crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
 
 
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

Author Comment

by:tshi5791
Our inside network: 10.75.225.0/24 and 10.0.1.0/24
IP addresses provided by the third party for NATing: 10.74.110.0/24
Third-party LAN: 10.1.16.0/24, 10.1.56.0/24 and 10.1.63.0/24

We need to access their LANs using the NATed IP range provided.

Thanks,

Accepted Solution

by:Sorenson (earned 250 total points)
I am not sure I understand this access-list.  Is this the interesting traffic for the new vpn?
!
access-list exc_cert_dev extended permit ip 172.16.225.0 255.255.255.0 10.74.110.0 255.255.255.0
access-list exc_cert_dev extended permit gre host 10.74.0.110 host 10.74.254.1
access-list exc_cert_dev extended deny gre any any
!

shouldn't it be:
!
access-list exc_cert_dev permit ip 10.74.110.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list exc_cert_dev permit ip 10.74.110.0 255.255.255.0 10.1.56.0 255.255.255.0
access-list exc_cert_dev permit ip 10.74.110.0 255.255.255.0 10.1.63.0 255.255.255.0
!

also, for all of the access-lists it may be easier to create an object group...
ie:
!
object-group network CompanyB
  network-object 10.1.16.0 255.255.255.0
  network-object 10.1.56.0 255.255.255.0
  network-object 10.1.63.0 255.255.255.0
!
! then the ACL could be shortened to 1 line
access-list exc_cert_dev permit ip 10.74.110.0 255.255.255.0 object-group CompanyB
!  (same for all other places you have the 3 networks). Easier to update as well, as you just update the object group to remove or add networks, and all of the other spots are updated.



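As an added example (not code from this thread or from Cisco), here is a Python script that generates the lines Sorenson describes across his replies for the numbers posted in this thread: the CompanyB object-group, one ACL plus one static per inside host, and an exc_cert_dev crypto ACL written in terms of the mapped 10.74.110.0/24 range, together with a check that flags crypto-ACL sources that fall outside the mapped range (the 172.16.225.0 slip above). The object-group, ACL and static names and the pre-8.3 NAT syntax come from the thread; the function names, the sample host list and the comment on nat 0 ordering are my own additions.

```python
import ipaddress

# Constructed sample input using the thread's numbers: inside hosts, the 1:1
# mapped addresses the third party handed out, and the third party's LANs.
INSIDE_TO_MAPPED = [("10.75.225.71", "10.74.110.111"),
                    ("10.0.1.125", "10.74.110.108"),
                    ("10.75.225.227", "10.74.110.101")]
MAPPED_NET = "10.74.110.0/24"
REMOTE_NETS = ["10.1.16.0/24", "10.1.56.0/24", "10.1.63.0/24"]

def asa(net):
    """Render a network in ASA 'addr mask' form, or 'host addr' for a /32."""
    n = ipaddress.ip_network(net, strict=False)
    return f"host {n.network_address}" if n.prefixlen == 32 else f"{n.network_address} {n.netmask}"

def build_config(hosts, mapped_net, remote_nets, group="CompanyB",
                 crypto="exc_cert_dev", prefix="ClientVPNSTATIC"):
    """Pre-8.3 ASA lines: an object-group for the remote LANs, one ACL plus one
    static per inside host (1:1 policy static NAT), and a crypto ACL written in
    terms of the MAPPED range, because translation happens before the tunnel.
    (nat 0 exemption is matched before static, so do not also exempt the real
    inside hosts to these LANs or the translation is bypassed.)"""
    lines = [f"object-group network {group}"]
    lines += [f"  network-object {asa(n)}" for n in remote_nets]
    for i, (inside, mapped) in enumerate(hosts, 1):
        acl = f"{prefix}{i}"
        lines.append(f"access-list {acl} extended permit ip host {inside} object-group {group}")
        lines.append(f"static (inside,outside) {mapped} access-list {acl}")
    lines.append(f"access-list {crypto} extended permit ip {asa(mapped_net)} object-group {group}")
    return lines

def crypto_sources_outside_mapped(config_lines, acl_name, mapped_net):
    """Check: sources of 'permit ip' entries in the crypto-map ACL that fall
    outside the mapped range. Such entries offer the peer traffic from addresses
    it never agreed to (the 172.16.225.0 slip in this thread); non-IP entries and
    object-group sources are skipped."""
    mapped = ipaddress.ip_network(mapped_net)
    bad = []
    for line in config_lines:
        tok = line.split()
        if not line.startswith(f"access-list {acl_name} ") or "permit" not in tok:
            continue
        p = tok.index("permit")
        if tok[p + 1] != "ip" or tok[p + 2] == "object-group":
            continue
        src = tok[p + 3] if tok[p + 2] == "host" else f"{tok[p + 2]}/{tok[p + 3]}"
        if not ipaddress.ip_network(src).subnet_of(mapped):
            bad.append(str(ipaddress.ip_network(src)))
    return bad
```

Run the check against the exc_cert_dev lines you intend to paste in before applying them; an empty list means every IP entry in the crypto ACL presents the peer with addresses from the range it gave you.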

Author Comment

by:tshi5791
Another oversight on my part. I don't know how I came up with that 172.16.225.x.
However, the ACL with the GRE is to allow a router in the inside network to receive multicast traffic. I might need to add 10.74.254.1 to the object group as well.

I will try that and let you know... thanks

Author Comment

by:tshi5791
Hi Sorenson:

I have yet to make the changes... but what book(s) out there would you recommend? I looked all over for this type of suggestion online but came up empty.

Regards,

Author Comment

by:tshi5791
Thanks for all your help

Expert Comment

by:Sorenson
I found this solution after opening a case with Cisco a year ago, with a similar situation. I am out of the office until Monday, but will check for book titles.

Author Comment

by:tshi5791
Thanks. Looking forward to that info.

Expert Comment

by:mefenix211
Sorenson, if you are available I am in desperate need of your help! My job is on the line here. Please take a look at my question at: I'm completely lost!

http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_25367685.html