
site-to-site VPN with static NAT and dynamic NAT

Posted on 2007-04-03
Last Modified: 2007-11-27
I am using a Cisco ASA 5520 with three site-to-site VPNs using ACL nonat and nat (inside) 0 access-list nonat. See below:
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 172.16.249.0 255.255.255.0
nat (inside) 0 access-list nonat
!
!
I now have to create a new VPN but this time, the other party wants us to use static entries and to NAT our internal IP addresses to a range that they gave us. I was thinking of adding the following to my existing configuration:
access-list policy_nat permit ip 10.75.225.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list vpn_static permit ip 10.75.225.0 255.255.255.0 10.1.16.0 255.255.255.0
static (inside,outside) 10.74.110.0 access-list policy_nat

Would this work?

Question by: tshi5791

13 Comments
 
Expert Comment by: Sorenson (LVL 10), ID: 18850041

No, that won't work.
If I understand you correctly, you need to create a VPN from your site to another site, and translate your internal address to addresses that the remote site wants you to use.

To do this you will need to create conditional nat statements for your internal address that are going to be used on the vpn.  The nat will take place before the tunnel, therefore the nonat access-list will need to have the new addresses added to it.
For example.
Internal Addresses:   10.75.225.0  
VPN nat to addresses:   172.16.225.0  (addresses provided by other side of vpn)
! add line to nonat to handle new addresses in vpn
! where x.x.x.x and y.y.y.y are the network and subnet on the other side of the vpn
access-list nonat permit ip 172.16.225.0 255.255.255.0  x.x.x.x y.y.y.y
!
! then you will need to create the address translations
! this part will need to be done on a 1-1 address translation basis
access-list vpntrans1 permit ip host 10.75.225.1 x.x.x.x y.y.y.y
static (inside,outside) 172.16.225.1 access-list vpntrans1
!
access-list vpntrans1 permit ip host 10.75.225.2 x.x.x.x y.y.y.y
static (inside,outside) 172.16.225.2 access-list vpntrans1
!
! etc, etc.  

The ASA config will bark a little about the overlap (if these addresses are also used in your global for internet access); however, the configuration works.

When you build the VPN and security associations, remember that you will be peering the NAT'd addresses with their addresses, i.e. permit ip 172.16.225.0 255.255.255.0 x.x.x.x y.y.y.y


Hope that helps.


Expert Comment by: Sorenson (LVL 10), ID: 18850056

Sorry... a little too quick on my copy/paste...
should read:

--- snip ---
! this part will need to be done on a 1-1 address translation basis
access-list vpntrans1 permit ip host 10.75.225.1 x.x.x.x y.y.y.y
static (inside,outside) 172.16.225.1 access-list vpntrans1
!
access-list vpntrans2 permit ip host 10.75.225.2 x.x.x.x y.y.y.y
static (inside,outside) 172.16.225.2 access-list vpntrans2
!
!etc etc

Author Comment by: tshi5791, ID: 18853554

Sorenson,
Thanks for the quick reply. Below is the configuration that I intend to add to my ASA. You will notice an access-list for GRE; that is for a router on the inside network with a tunnel that is used with the VPN. Basically I am moving the VPN from a router to the ASA.

access-list nonat extended permit ip 10.74.110.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list nonat extended permit ip 10.74.110.0 255.255.255.0 10.1.56.0 255.255.255.0
access-list nonat extended permit ip 10.74.110.0 255.255.255.0 10.1.63.0 255.255.255.0


access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.16.255.255.255.0
access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.16.255.255.255.0
access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.16.255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.16.255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.16.255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.16.255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.16.255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.16.255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.16.255.255.255.0
access-list ClientVPNSTATIC4 permit ip host 10.74.0.110 10.74.254.1 255.255.255.255


static (inside,outside) 10.74.110.111 access-list ClientVPNSTATIC1
static (inside,outside) 10.74.110.108 access-list ClientVPNSTATIC2
static (inside,outside) 10.74.110.101 access-list ClientVPNSTATIC3


access-list exc_cert_dev extended permit ip 172.16.225.0 255.255.255.0 10.74.110.0 255.255.255.0
access-list exc_cert_dev extended permit gre host 10.74.0.110 host 10.74.254.1
access-list exc_cert_dev extended deny gre any any

crypto ipsec transform-set AllVPNs esp-3des esp-md5-hmac

crypto map ClientVPN 50 match address exc_cert_dev
crypto map ClientVPN 50 set peer x.x.x.x
crypto map ClientVPN 50 set transform-set AllVPNs

crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
 
 
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

Expert Comment by: Sorenson (LVL 10), ID: 18853656

I am not sure I understand.

Can you diagram it out for me?
The access-lists that you posted above are not correct for the conditional NATs.
There should be only 1 ACL line per NAT, and the ACL lines above do not make sense; the last IP addresses and netmasks are all run together.



Author Comment by: tshi5791, ID: 18853694

Sorry, I made a typo earlier, and my copy/paste during the writing of the configuration messed me up. Here is how it is:

access-list nonat extended permit ip 10.74.110.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list nonat extended permit ip 10.74.110.0 255.255.255.0 10.1.56.0 255.255.255.0
access-list nonat extended permit ip 10.74.110.0 255.255.255.0 10.1.63.0 255.255.255.0


access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.16.0 255.255.255.0
access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.56.0 255.255.255.0
access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.63.0 255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.16.0 255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.56.0 255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.63.0 255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.16.0 255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.56.0 255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.63.0 255.255.255.0
access-list ClientVPNSTATIC4 permit ip host 10.74.0.110 10.74.254.1 255.255.255.255


static (inside,outside) 10.74.110.111 access-list ClientVPNSTATIC1
static (inside,outside) 10.74.110.108 access-list ClientVPNSTATIC2
static (inside,outside) 10.74.110.101 access-list ClientVPNSTATIC3


access-list exc_cert_dev extended permit ip 172.16.225.0 255.255.255.0 10.74.110.0 255.255.255.0
access-list exc_cert_dev extended permit gre host 10.74.0.110 host 10.74.254.1
access-list exc_cert_dev extended deny gre any any

crypto ipsec transform-set AllVPNs esp-3des esp-md5-hmac

crypto map ClientVPN 50 match address exc_cert_dev
crypto map ClientVPN 50 set peer x.x.x.x
crypto map ClientVPN 50 set transform-set AllVPNs

crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
 
 
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

Author Comment by: tshi5791, ID: 18853966
Our inside networks: 10.75.225.0/24 and 10.0.1.0/24
IP addresses provided by the third party for NATting: 10.74.110.0/24
Third-party LANs: 10.1.16.0/24, 10.1.56.0/24 and 10.1.63.0/24

We need to access their LANs using the NATted IP range provided.

Thanks,

Accepted Solution by: Sorenson (LVL 10, earned 250 total points), ID: 18857091

I am not sure I understand this access-list. Is this the interesting traffic for the new VPN?
!
access-list exc_cert_dev extended permit ip 172.16.225.0 255.255.255.0 10.74.110.0 255.255.255.0
access-list exc_cert_dev extended permit gre host 10.74.0.110 host 10.74.254.1
access-list exc_cert_dev extended deny gre any any
!

shouldn't it be:
!
access-list exc_cert_dev permit ip 10.74.110.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list exc_cert_dev permit ip 10.74.110.0 255.255.255.0 10.1.56.0 255.255.255.0
access-list exc_cert_dev permit ip 10.74.110.0 255.255.255.0 10.1.63.0 255.255.255.0
!

Also, for all of the access-lists it may be easier to create an object group, i.e.:
!
object-group network CompanyB
  network-object 10.1.16.0 255.255.255.0
  network-object 10.1.56.0 255.255.255.0
  network-object 10.1.63.0 255.255.255.0
!
! then the ACL could be shortened to 1 line
access-list exc_cert_dev permit ip 10.74.110.0 255.255.255.0 object-group CompanyB
!  (same for all other places you have the 3 networks); easier to update as well, as you just update the object group to remove or add networks, and all of the other spots are updated.



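As an added example, not code from the thread or from Cisco: a small Python model of the order in which the ASA handles this traffic, namely nat 0 access-list (exemption) first, then the policy static, and only then the crypto map on the already-translated packet. It emits the object group, the per-host policy-NAT statics and the crypto ACL that the accepted answer describes (object-group and ACL names taken from the thread), and it checks the mistake the asker made in exc_cert_dev: a crypto ACL written against 172.16.225.0/24 can never match the mapped 10.74.110.x addresses, so none of those flows become interesting traffic. The host-to-mapped-address pairs are constructed from the posted statics; the fall-through to nat/global for non-VPN traffic is an assumption left unmodelled.

```python
from ipaddress import ip_address, ip_network

# Constructed from the thread: each real inside host and the address it is
# mapped to inside the range the third party assigned (10.74.110.0/24).
HOST_MAP = {
    "10.75.225.71": "10.74.110.111",
    "10.0.1.125": "10.74.110.108",
    "10.75.225.227": "10.74.110.101",
}
REMOTE_NETS = [ip_network(n) for n in ("10.1.16.0/24", "10.1.56.0/24", "10.1.63.0/24")]
ASSIGNED = ip_network("10.74.110.0/24")            # what the crypto ACL source must be
POSTED_CRYPTO_SRC = ip_network("172.16.225.0/24")  # what the asker first put in exc_cert_dev
# NAT exemption already on the box: 10.0.0.0/8 -> 172.16.249.0/24 is never translated.
NONAT = [(ip_network("10.0.0.0/8"), ip_network("172.16.249.0/24"))]


def net_mask(net):
    """ASA ACL notation: network address followed by its subnet mask."""
    return f"{net.network_address} {net.netmask}"


def build_config(host_map, remote_nets, crypto_acl="exc_cert_dev"):
    """Emit the object group, one policy-NAT ACL plus one static per real host,
    and the crypto ACL, as ASA 7.x statements (names taken from the thread)."""
    lines = ["object-group network CompanyB"]
    lines += [f"  network-object {net_mask(n)}" for n in remote_nets]
    for i, (real, mapped) in enumerate(host_map.items(), start=1):
        acl = f"ClientVPNSTATIC{i}"
        lines.append(f"access-list {acl} extended permit ip host {real} object-group CompanyB")
        lines.append(f"static (inside,outside) {mapped} access-list {acl}")
    # Interesting traffic is the translated source, never the real inside hosts.
    lines.append(f"access-list {crypto_acl} extended permit ip {net_mask(ASSIGNED)} object-group CompanyB")
    return lines


def translate(src, dst, nonat=NONAT, host_map=HOST_MAP, remote_nets=REMOTE_NETS):
    """Model the ASA's order of evaluation for a packet leaving 'inside':
    nat 0 access-list (exemption) is consulted first, then policy static NAT.
    Returns the source address the outside interface, and so the crypto map, sees."""
    s, d = ip_address(src), ip_address(dst)
    for real_net, dst_net in nonat:
        if s in real_net and d in dst_net:
            return str(s)                      # exempt: keeps its real address
    if str(s) in host_map and any(d in n for n in remote_nets):
        return host_map[str(s)]                # policy static: 1:1 into the assigned range
    return str(s)                              # would fall through to nat/global; not modelled


def crypto_match(src_after_nat, dst, crypto_src_net, remote_nets=REMOTE_NETS):
    """True if the post-NAT packet hits 'permit ip <crypto_src_net> <remote nets>'."""
    return ip_address(src_after_nat) in crypto_src_net and any(
        ip_address(dst) in n for n in remote_nets)


def unprotected_hosts(host_map, crypto_src_net):
    """Mapped addresses the crypto ACL would never match, i.e. hosts whose
    traffic to the third party would not enter the tunnel."""
    return [m for m in host_map.values() if ip_address(m) not in crypto_src_net]


if __name__ == "__main__":
    print("\n".join(build_config(HOST_MAP, REMOTE_NETS)))
    seen = translate("10.75.225.71", "10.1.16.5")
    print(seen, crypto_match(seen, "10.1.16.5", ASSIGNED))     # 10.74.110.111 True
    print(crypto_match(seen, "10.1.16.5", POSTED_CRYPTO_SRC))   # False
    print(unprotected_hosts(HOST_MAP, POSTED_CRYPTO_SRC))       # all three mapped addresses
```

The point the model makes is the one in the accepted answer: because translation happens before the crypto map is evaluated, the crypto ACL and the peer's view of you are written in terms of the mapped 10.74.110.x addresses; writing it against the real inside hosts (or an unrelated range such as 172.16.225.0/24) leaves every flow outside the tunnel.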
 

Author Comment by: tshi5791, ID: 18857372
Another oversight on my part. I don't know how I came up with that 172.16.225.x
However, the ACL with the GRE is to allow a router in the inside network to receive multicast traffic. I might need to add 10.74.254.1 to the object group as well.

I will try that and let you know... thanks
 

Author Comment by: tshi5791, ID: 18860545
Hi Sorenson:

I have yet to make the changes... but what book(s) out there would you recommend? I looked all over for this type of suggestion online but came up empty.

Regards,

Author Comment by: tshi5791, ID: 18881862
Thanks for all your help

Expert Comment by: Sorenson (LVL 10), ID: 18899180
I found this solution after opening a case with Cisco a year ago, with a similar situation. I am out of the office until Monday, but will check for book titles.

Author Comment by: tshi5791, ID: 18917277
Thanks. Looking forward to that info.

Expert Comment by: mefenix211, ID: 27833809
Sorenson, if you are available I am in desperate need of your help! My job is on the line here. Please take a look at my question at the link below; I'm completely lost!

http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_25367685.html