• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1934

site-to-site VPN with static NAT and dynamic NAT

I am using a Cisco ASA 5520 with three site-to-site VPNs that use the ACL nonat and nat (inside) 0 access-list nonat. See below:
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 172.16.249.0 255.255.255.0
nat (inside) 0 access-list nonat
!
!
I now have to create a new VPN but this time, the other party wants us to use static entries and to NAT our internal IP addresses to a range that they gave us. I was thinking of adding the following to my existing configuration:
access-list policy_nat permit ip 10.75.225.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list vpn_static permit ip 10.75.225.0 255.255.255.0 10.1.16.0 255.255.255.0
static (inside,outside) 10.74.110.0 access-list policy_nat

Would this work?

Asked: tshi5791
Sorenson commented:
No, that won't work.
If I understand you correctly, you need to create a VPN from your site to another site, and translate your internal address to addresses that the remote site wants you to use.

To do this you will need to create conditional nat statements for your internal address that are going to be used on the vpn.  The nat will take place before the tunnel, therefore the nonat access-list will need to have the new addresses added to it.
For example:
Internal Addresses:   10.75.225.0  
VPN nat to addresses:   172.16.225.0  (addresses provided by other side of vpn)
! add line to nonat to handle new addresses in vpn
! where x.x.x.x and y.y.y.y are the network and subnet on the other side of the vpn
access-list nonat permit ip 172.16.225.0 255.255.255.0  x.x.x.x y.y.y.y
!
! then you will need to create the address translations
! this part will need to be done on a 1-1 address translation basis
access-list vpntrans1 permit ip host 10.75.225.1 x.x.x.x y.y.y.y
static (inside,outside) 172.16.225.1 access-list vpntrans1
!
access-list vpntrans1 permit ip host 10.75.225.2 x.x.x.x y.y.y.y
static (inside,outside) 172.16.225.2 access-list vpntrans1
!
! etc, etc.  

The ASA config will bark a little about the overlap (if these addresses are also used in your global for internet access), however the configuration works.

When you build the VPN and security associations, remember that you will be peering the NAT'd addresses with their addresses, i.e. permit ip 172.16.225.0 255.255.255.0 x.x.x.x y.y.y.y


Hope that helps.

Sorenson commented:
Sorry... a little too quick on my copy/paste...
It should read:

--- snip ---
! this part will need to be done on a 1-1 address translation basis
access-list vpntrans1 permit ip host 10.75.225.1 x.x.x.x y.y.y.y
static (inside,outside) 172.16.225.1 access-list vpntrans1
!
access-list vpntrans2 permit ip host 10.75.225.2 x.x.x.x y.y.y.y
static (inside,outside) 172.16.225.2 access-list vpntrans2
!
!etc etc
tshi5791 (Author) commented:
Sorenson,
Thanks for the quick reply. Below is the configuration that I intend to add to my ASA. You will notice an access-list for GRE; that is for a router on the inside network with a tunnel that is used with the VPN. Basically I am moving the VPN from a router to the ASA.

access-list nonat 10.74.110.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list nonat 10.74.110.0 255.255.255.0 10.1.56.0 255.255.255.0
access-list nonat 10.74.110.0 255.255.255.0 10.1.63.0 255.255.255.0


access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.16.255.255.255.0
access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.16.255.255.255.0
access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.16.255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.16.255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.16.255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.16.255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.16.255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.16.255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.16.255.255.255.0
access-list ClientVPNSTATIC4 permit ip host 10.74.0.110 10.74.254.1 255.255.255.255


static (inside,outside) 10.74.110.111 access-list ClientVPNSTATIC1
static (inside,outside) 10.74.110.108 access-list ClientVPNSTATIC2
static (inside,outside) 10.74.110.101 access-list ClientVPNSTATIC3


access-list exc_cert_dev extended permit ip 172.16.225.0 255.255.255.0 10.74.110.0 255.255.255.0
access-list exc_cert_dev extended permit gre host 10.74.0.110 host 10.74.254.1
access-list exc_cert_dev extended deny gre any any

crypto ipsec transform-set AllVPNs esp-3des esp-md5-hmac

crypto map ClientVPN 50 match address exc_cert_dev
crypto map ClientVPN 50 set peer x.x.x.x
crypto map ClientVPN 50 set transform-set ALLVPNs

crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
 
 
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
Sorenson commented:
I am not sure I understand.

Can you diagram it out for me?
The access-lists that you posted above are not correct for the conditional NATs.
There should be only 1 ACL line per NAT, and the ACL lines above do not make sense: the last IP addresses and netmasks are all run together.


tshi5791 (Author) commented:
Sorry, I made a typo earlier, and my copy/paste while writing the configuration messed me up. Here is how it is:

access-list nonat permit ip 10.74.110.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list nonat permit ip 10.74.110.0 255.255.255.0 10.1.56.0 255.255.255.0
access-list nonat permit ip 10.74.110.0 255.255.255.0 10.1.63.0 255.255.255.0


access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.16.0 255.255.255.0
access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.56.0 255.255.255.0
access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 10.1.63.0 255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.16.0 255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.56.0 255.255.255.0
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 10.1.63.0 255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.16.0 255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.56.0 255.255.255.0
access-list ClientVPNSTATIC3 permit ip host 10.75.225.227 10.1.63.0 255.255.255.0
access-list ClientVPNSTATIC4 permit ip host 10.74.0.110 10.74.254.1 255.255.255.255


static (inside,outside) 10.74.110.111 access-list ClientVPNSTATIC1
static (inside,outside) 10.74.110.108 access-list ClientVPNSTATIC2
static (inside,outside) 10.74.110.101 access-list ClientVPNSTATIC3


access-list exc_cert_dev extended permit ip 172.16.225.0 255.255.255.0 10.74.110.0 255.255.255.0
access-list exc_cert_dev extended permit gre host 10.74.0.110 host 10.74.254.1
access-list exc_cert_dev extended deny gre any any

crypto ipsec transform-set AllVPNs esp-3des esp-md5-hmac

crypto map ClientVPN 50 match address exc_cert_dev
crypto map ClientVPN 50 set peer x.x.x.x
crypto map ClientVPN 50 set transform-set AllVPNs

crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
 
 
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tshi5791 (Author) commented:
Our Inside Network: 10.75.225.0/24 and 10.0.1.0/24
IP addresses provided by third party for NATTING: 10.74.110.0/24
Third party LAN: 10.1.16.0/24, 10.1.56.0/24 and 10.1.63.0/24

We need to access their LANs using the NATTED IP range provided.

Thanks,
Sorenson commented:
I am not sure I understand this access-list. Is this the interesting traffic for the new VPN?
!
access-list exc_cert_dev extended permit ip 172.16.225.0 255.255.255.0 10.74.110.0 255.255.255.0
access-list exc_cert_dev extended permit gre host 10.74.0.110 host 10.74.254.1
access-list exc_cert_dev extended deny gre any any
!

shouldn't it be:
!
access-list exc_cert_dev permit ip 10.74.110.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list exc_cert_dev permit ip 10.74.110.0 255.255.255.0 10.1.56.0 255.255.255.0
access-list exc_cert_dev permit ip 10.74.110.0 255.255.255.0 10.1.63.0 255.255.255.0
!

Also, for all of the access-lists it may be easier to create an object group...
i.e.:
!
object-group network CompanyB
  network-object 10.1.16.0 255.255.255.0
  network-object 10.1.56.0 255.255.255.0
  network-object 10.1.63.0 255.255.255.0
!
! then the ACL could be shortened to 1 line
access-list exc_cert_dev permit ip 10.74.110.0 255.255.255.0 object-group CompanyB
! (same for all other places you have the 3 networks); easier to update as well, as you just update the object group to remove or add networks, and all of the other spots are updated.



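The two points Sorenson makes above (the translation happens before the tunnel, so the nonat exemption and the crypto ACL must be written in terms of the NAT'd addresses; and an object-group lets one ACE stand for the three remote networks) are easy to get wrong because nothing in the config tells you in which order the ASA consults them. The following Python model is an added example, not code from the thread or from Cisco. It parses the small subset of pre-8.3 ASA syntax used in this thread and applies the 8.2 order of operations as documented by Cisco: NAT exemption (nat 0 access-list) is checked first, then static policy NAT, and only the translated packet is compared with the crypto map's interesting-traffic ACL. The config text is constructed from the addresses in the thread; the model ignores ports, dynamic NAT, the return direction and the GRE entry.

```python
"""Toy model of the ASA 8.2 outbound order of operations (added example)."""
import ipaddress


def _addr(tokens, groups):
    """Consume one ACE address operand; return (list of networks, remaining tokens)."""
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]


def parse_config(text):
    """Parse object-groups, 'permit ip' ACEs, policy statics, nat 0 and crypto map."""
    cfg = {"groups": {}, "acls": {}, "statics": [], "nat0": None, "crypto": None}
    group = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "object-group":                 # object-group network NAME
            group = cfg["groups"].setdefault(tok[2], [])
        elif tok[0] == "network-object":             # network-object A.B.C.D MASK
            group.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "access-list":                # access-list NAME [extended] permit ip SRC DST
            rest = tok[3:] if tok[2] == "extended" else tok[2:]
            if rest[:2] != ["permit", "ip"]:
                raise ValueError(f"unsupported ACE in this model: {raw}")
            src, rest = _addr(rest[2:], cfg["groups"])
            dst, rest = _addr(rest, cfg["groups"])
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "static":                     # static (inside,outside) MAPPED access-list ACL
            cfg["statics"].append((ipaddress.ip_address(tok[2]), tok[4]))
        elif tok[:3] == ["nat", "(inside)", "0"]:    # nat (inside) 0 access-list ACL
            cfg["nat0"] = tok[4]
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
            cfg["crypto"] = tok[6]
    return cfg


def _hits(acl, src, dst):
    return any(src in s and dst in d for srcs, dsts in acl for s in srcs for d in dsts)


def expand_aces(cfg, name):
    """The per-network ACEs an object-group ACE stands for (what 'show access-list' expands)."""
    return [(str(s), str(d)) for srcs, dsts in cfg["acls"][name] for s in srcs for d in dsts]


def trace(text, src, dst):
    """Return (source as it leaves 'outside', NAT decision, matched the crypto ACL?)."""
    cfg = parse_config(text)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acls = cfg["acls"]
    if cfg["nat0"] and _hits(acls[cfg["nat0"]], src, dst):
        out, how = src, "nat-exempt"                 # exemption beats every translation
    else:
        for mapped, acl in cfg["statics"]:           # 1-to-1 policy statics, first match wins
            if _hits(acls[acl], src, dst):
                out, how = mapped, f"static via {acl}"
                break
        else:
            out, how = src, "untranslated"
    # the crypto map sees the post-NAT packet, so the ACL must name the mapped range
    encrypted = bool(cfg["crypto"]) and _hits(acls[cfg["crypto"]], out, dst)
    return str(out), how, encrypted


# Constructed config using the thread's addresses: real hosts 10.75.225.71 and
# 10.0.1.125, mapped range 10.74.110.0/24, remote LANs in object-group CompanyB.
COMMON = """
object-group network CompanyB
  network-object 10.1.16.0 255.255.255.0
  network-object 10.1.56.0 255.255.255.0
  network-object 10.1.63.0 255.255.255.0
access-list ClientVPNSTATIC1 permit ip host 10.75.225.71 object-group CompanyB
access-list ClientVPNSTATIC2 permit ip host 10.0.1.125 object-group CompanyB
static (inside,outside) 10.74.110.111 access-list ClientVPNSTATIC1
static (inside,outside) 10.74.110.108 access-list ClientVPNSTATIC2
access-list exc_cert_dev permit ip 10.74.110.0 255.255.255.0 object-group CompanyB
crypto map ClientVPN 50 match address exc_cert_dev
nat (inside) 0 access-list nonat
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 172.16.249.0 255.255.255.0
"""
# nonat names the translated addresses, as the answer recommends
GOOD = COMMON + "access-list nonat extended permit ip 10.74.110.0 255.255.255.0 object-group CompanyB\n"
# nonat names the real inside addresses instead: exemption wins and nothing is translated
BAD = COMMON + "access-list nonat extended permit ip 10.75.225.0 255.255.255.0 object-group CompanyB\n"

if __name__ == "__main__":
    for label, cfg_text in (("good", GOOD), ("bad", BAD)):
        print(label, trace(cfg_text, "10.75.225.71", "10.1.16.5"))
    print(expand_aces(parse_config(GOOD), "exc_cert_dev"))
```

With the recommended nonat entry, a packet from 10.75.225.71 to 10.1.16.5 leaves as 10.74.110.111 and matches exc_cert_dev; with a nonat entry written for the real 10.75.225.0/24 addresses the exemption is taken first, the packet keeps its real source and the crypto ACL never matches, which is the symptom to look for when a policy-NAT VPN "just doesn't come up". A host without a 1-to-1 static (for example 10.75.225.5) is left untranslated and is likewise not interesting traffic, so every host that must use the tunnel needs its own static, as the answer says.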
tshi5791 (Author) commented:
Another oversight on my part. I don't know how I came up with that 172.16.225.x.
However, the ACL with the GRE is to allow a router in the inside network to receive multicast traffic. I might need to add 10.74.254.1 to the object group as well.

I will try that and let you know... thanks
 
tshi5791 (Author) commented:
Hi Sorenson:

I have yet to make the changes... but what book(s) out there would you recommend? I looked all over for this type of suggestion online but came up empty.

Regards,
tshi5791 (Author) commented:
Thanks for all your help
Sorenson commented:
I found this solution after opening a case with Cisco a year ago, with a similar situation. I am out of the office until Monday, but will check for book titles.
tshi5791 (Author) commented:
Thanks. Looking forward to that info.
mefenix211 commented:
Sorenson, if you are available I am in desperate need of your help! My job is on the line here. Please take a look at my question at: I'm completely lost!

http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_25367685.html