Asked by mkupec (United States of America):
Need help setting up NAT through VPN tunnel

I've run across an issue where I suspect I need to NAT IP addresses through a VPN tunnel that uses a Cisco ASA-5510 on my side of the tunnel and ends on the consultant's side of the tunnel on a VPN 3000 concentrator.

Setting up the VPN tunnel is easy for me - I've done this before and have no problem with it. At issue is, the internal IP address we use on our internal network is the same as our consultant's main headquarters network - it's aa.cc.4.0 to aa.cc.7.255 (255.255.252.0 mask).

I know you can do NAT to a physical interface of an ASA-5510, but can you use NAT to be applied to our internal subnet to a specific IP like 192.168.100.0 (or maybe 192.168.0.1) that then can be pushed through the VPN tunnel to the other side? If so, is there anything that the consultant needs to do with the NAT'ed IP address once it gets through the Concentrator? I don't believe they have to, just set an access rule to let that NAT'ed IP through.

We need this working so our people can access terminal server sessions on the consultant's network. All other sites are working, but here with this one site, I can implement the access-list rule to the tunnel since we have the IP conflict. Short of changing our subnet IP segment on our side, is there a solution?
SOLUTION by Voltz-dk (Denmark)
ASKER (mkupec):

Got to be bi-directional in that we need to access their Citrix Terminal Servers with the Citrix Client and they have to send printer reports back to printers on our network. What we're doing is using Team Approach from Target Software (http://www.targetsite.com/features.htm) which requires access back and forth between our clients and their software package. Reports and such get sent back through the tunnel to our printers.

Your first example with us using a 1:1 NAT seems to do what we need to do, but I just don't understand the details in how this is done via PIX commands.

Thanks for the help!
ASKER (mkupec):

Here's a bit of the PIX code from our site that does NOT need NAT.

At this site our internal IP address segment is aa.d.4.0 to 10.1.7.255 (255.255.252.0 mask). The inside interface on this PIX shows a aa.eee.5.1 IP because we internally route it to the aa.d.4.0 segment. At the site listed below, we do not have an internal router so the inside interface is the gateway for that network (i.e. the inside interface of the ASA-5510 is aa.cc.4.1). Hopefully I'm making sense here.

The site we're having issues with is using an internal IP segment of aa.cc.4.0 to aa.cc.7.255 (255.255.252.0 mask). At this site they have suggested we use 192.160.100.0 as the subnet with the NAT translation. I believe we can get away with using 192.168.0.0 to 192.168.3.255 and do a 1:1 NAT as you described.
: Saved
:
ASA Version 7.1(2) 
!
hostname CCVA-ASA
domain-name mydomain.com
enable password xxxxx encrypted
names
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address aa.126.aa.69 255.255.255.224 
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address aa.cc.4.1 255.255.252.0 
!
interface Ethernet0/2
 speed 100
 duplex full
 shutdown
 nameif voiplan
 security-level 90
 ip address aa.ddd.4.5 255.255.252.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd ptH2NfxurA.yL2mX encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name mydomain.com
 
access-list inside_to_outside extended permit ip any any 
access-list inside_to_outside extended permit icmp any any 
 
access-list acl_outside extended permit esp any any 
access-list acl_outside extended permit ah any any 
access-list acl_outside extended permit udp any any 
access-list acl_outside extended permit icmp any any echo 
access-list acl_outside extended permit icmp any any echo-reply 
 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.d.4.0 255.255.252.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.f.4.0 255.255.252.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.g.4.0 255.255.252.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.2.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.3.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.5.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.8.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.11.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.12.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.13.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.14.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.28.0 255.255.252.0 
access-list nonat extended permit ip any aa.cc.4.0 255.255.255.0 
 
access-list vpnwdc extended permit ip aa.cc.4.0 255.255.252.0 aa.b.4.0 255.255.252.0 
 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 aa.d.4.0 255.255.252.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.2.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.3.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.5.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.8.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.11.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.12.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.13.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.14.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.28.0 255.255.252.0 
 
access-list vpndal extended permit ip aa.cc.4.0 255.255.252.0 aa.g.4.0 255.255.252.0 
 
access-list targetvpn extended permit ip 192.168.100.0 255.255.252.0 aa.bbb.0.0 255.255.252.0 
 
pager lines 24
 
logging asdm informational
 
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu voiplan 1500
 
icmp permit any unreachable outside
icmp permit any echo-reply outside
asdm image disk0:/asdm-512.bin
no asdm history enable
 
arp timeout 14400
 
global (outside) 1 aa.aaa.23.70
 
nat (inside) 0 access-list nonat
nat (inside) 1 aa.cc.4.0 255.255.252.0
 
static (inside,outside) 192.168.100.0  access-list targetvpn 
 
access-group acl_outside in interface outside
access-group inside_to_outside in interface inside
 
route outside 0.0.0.0 0.0.0.0 xxx.xxx.23.65 1
 
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
 
aaa-server CCVA_Domain protocol nt
aaa-server CCVA_Domain host 10.13.5.1
 nt-auth-domain-controller 10.13.5.1
 
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
 
http server enable
http aa.c.4.0 255.255.255.255 inside
http aa.cc.4.0 255.255.252.0 inside
http 192.168.1.0 255.255.255.0 management
 
snmp-server host inside aa.cc.4.50 community usccccva
snmp-server location US 
snmp-server contact FName LName 703-555-1212
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
 
service resetinbound
service resetoutside
 
crypto ipsec transform-set ccva esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
 
crypto map vpnccva 10 match address vpnwdc
crypto map vpnccva 10 set peer xxx.3.xxx.10 
crypto map vpnccva 10 set transform-set ccva
 
crypto map vpnccva 30 match address vpnorl
crypto map vpnccva 30 set peer aa.240.aaa.150 
crypto map vpnccva 30 set transform-set ccva
 
crypto map vpnccva 50 match address vpndal
crypto map vpnccva 50 set peer bb.bbb.211.8 
crypto map vpnccva 50 set transform-set ccva
 
crypto map vpnccva 70 match address targetvpn
crypto map vpnccva 70 set peer cc.ccc.206.76 
crypto map vpnccva 70 set transform-set ccva
 
crypto map vpnccva 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpnccva interface outside
 
isakmp identity address 
isakmp enable outside
 
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
 
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 10
 
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 10
 
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CCVA_Domain
 dhcp-server aa.cc.5.10
 
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server aa.cc.5.1 master timeout 2 retry 2
 
tunnel-group xxx.3.xxx.10 type ipsec-l2l
tunnel-group xxx.3.xxx.10 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group aa.aaa.226.150 type ipsec-l2l
tunnel-group aa.aaa.226.150 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group bb.bbb.211.8 type ipsec-l2l
tunnel-group bb.bbb.211.8 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group yy.yyy.206.76 type ipsec-l2l
tunnel-group yy.yyy.206.76 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group-map enable rules
 
no vpn-addr-assign aaa
no vpn-addr-assign local
 
telnet aa.c.4.0 255.255.252.0 inside
telnet aa.cc.4.0 255.255.252.0 inside
telnet timeout 5
 
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
 
console timeout 60
 
dhcpd address 192.168.1.2-192.168.1.21 management
dhcpd dns ccc.ccc.3.65 ccc.ccc.2.65
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
ntp server 192.x.xx.41 source outside prefer
webvpn
 enable outside
 csd image disk0:/securedesktop-asa-3.1.1.45-k9.pkg
 svc image disk0:/sslclient-win-1.1.4.179-anyconnect.pkg 1
 svc enable
 url-list CCVA_VPN "CCVADC01" cifs://aa.cc.5.1 1
Cryptochecksum:7ddfa4ea235ba063a2af47836cfb1050
: end


SOLUTION
ASKER (mkupec):

Not sure what the consultant's range would be. I was under the impression we could nat 1:1 the aa.cc.4.0 to aa.cc.7.255 IP addresses to 192.168.100.0 to 192.168.103.255 but I'm confused as to how they would handle printing to our aa.cc.x.x printers back at our location. Their printing would be from Unix/Oracle machines so it would definitely be via IP.  

I know on their end they have a Cisco VPN3000 box. Not sure exact model, but that is what they will be using. If I can get the code set right for the 1:1 NAT translation on our side, maybe I can see what they need to do from their side, but for now, all I know is my tunnel ends on their side at a VPN3000 box and not sure what they do with the IP addresses I send them. I'll shoot them an email and see what they do with the working DC config (uses aa.b.1.x subnet) and how they would handle a 1:1 NAT range of 192.168.100.0 to 192.168.103.255 if I was to set that up.
SOLUTION
ASKER (mkupec):

I don't believe they use the aa.cc.4.x within their local network - it's their corporate site that uses it, or has it within their IP segment. So if they send something to aa.cc.4.50 it will go to their corporate, but once we get this 1:1 NAT problem solved, if they do a 192.168.100.50 then it should resolve back to us as aa.cc.4.50.

Am I correct in this assumption?

I'm sending an email to them just to make sure. If so, just what statement do I need to add to do the 1:1 NAT?

Thanks again for your rapid responses & your time responding!!! I would have done this through my Cisco TAC account, but I'm really getting frustrated by the low caliber help I've gotten from them recently.
SOLUTION
ASKER (mkupec):

Don't believe I have NAT exempted for the connection.

If it's explicitly implied or it's not seen in the code snippet I posted, can you list the command to make sure that NAT isn't exempted from the VPN tunnel.

I'll also check the Cisco Docs for the ASA and see what it has to say about the NAT Exemption and how to change it.
SOLUTION
ASKER (mkupec):

Damn! What an ID-10T I am!  Of course, the nonat permit statements - yes I'll add those when building the access list - I normally look at those as givens when doing access list entries. Was told when trained on PIX's that the "nonat permit" (now seems to be nonat extended permit) was required for every access list statement you create, just didn't realize I was actually enabling NAT over a VPN tunnel when entering these.

I'll give it a try this evening when everyone goes home and let you know how it works.

Thanks again for the help!
SOLUTION
ASKER (mkupec):

Will do.
BTW - I just found out that somehow the folks at Target have to be able to get back into our aa.cc.4.x subnet. Partly for printing to printers on that subnet and partly for accessing an Access database on a server in our aa.cc.4.x network. Problem is, they will be accessing IP segment 192.168.100.x since if they try aa.cc.4.x they will be accessing their own corporate network.

(Dang these classless IP's!)

The NAT on our end won't be able to reverse NAT IP addresses from their end will it?

That is, if they need to access a server at IP address aa.cc.4.5 from their side, then it should be able to originate a connection from 192.168.100.5 to that IP using our ASA's NAT statement to do the change.  Correct?
SOLUTION
ASKER (mkupec):

OK, here are the entries I used for this setup:


:
: Create Access-List entries
:

access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0

access-list nonat extended permit ip aa.c.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list nonat extended permit ip aa.c.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0


:
: this statement already in ASA
:
nat (inside) 0 access-list nonat


:
: Add Static Mapping
:
static (inside,outside) 192.168.4.0 access-list targetnat netmask 255.255.252.0


:
: Set Up Crypto Map
:
crypto map vpnccva 70 match address targetnat
crypto map vpnccva 70 set peer yy.yyy.206.76
crypto map vpnccva 70 set transform-set ccva


:
: Create Tunnel
:

tunnel-group yy.yyy.206.76 type ipsec-l2l
tunnel-group yy.yyy.206.76 ipsec-attributes
 pre-shared-key xcg13Aq22
 isakmp keepalive threshold 120 retry 10


Everything above was accepted except the static translation. The ASA kept coming back that the netmask was incorrect. I tried 255.255.255.255, 255.255.255.0 and 255.255.252.0 and none worked.

So what did I miss?

:
: below is access list statement
:
access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0
 
:
: next to last two nonat statements below are for Target (aa.c.0.0 & aa.bb.0.0)
:
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.c.4.0 255.255.252.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.d.4.0 255.255.252.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.f.4.0 255.255.252.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.2.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.3.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.5.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.8.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.11.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.12.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.13.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.14.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.28.0 255.255.252.0 
access-list nonat extended permit ip aa.c.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list nonat extended permit ip aa.c.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0
access-list nonat extended permit ip any aa.cc.4.0 255.255.255.0 
 
.
.
.
 
icmp permit any unreachable outside
icmp permit any echo-reply outside
 
arp timeout 14400
 
global (outside) 1 zz.zzz.23.70
 
nat (inside) 0 access-list nonat
nat (inside) 1 aa.cc.4.0 255.255.252.0
 
access-group acl_outside in interface outside
access-group inside_to_outside in interface inside
 
route outside 0.0.0.0 0.0.0.0 zz.zzz.23.65 1
 
.
.
.
 
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
.
.
.
 
crypto ipsec transform-set ccva esp-3des esp-md5-hmac 
 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
 
crypto map vpnccva 10 match address vpnwdc
crypto map vpnccva 10 set peer xxx.3.xxx.10 
crypto map vpnccva 10 set transform-set ccva
 
crypto map vpnccva 30 match address vpnorl
crypto map vpnccva 30 set peer vv.vvv.226.150 
crypto map vpnccva 30 set transform-set ccva
 
crypto map vpnccva 50 match address vpndal
crypto map vpnccva 50 set peer aa.aaa.211.8 
crypto map vpnccva 50 set transform-set ccva
 
:
: Below is Crypto Maping to Target 
:
crypto map vpnccva 70 match address targetnat
crypto map vpnccva 70 set peer yy.yyy.206.76 
crypto map vpnccva 70 set transform-set ccva
 
crypto map vpnccva 65535 ipsec-isakmp dynamic outside_dyn_map
 
crypto map vpnccva interface outside
 
isakmp identity address 
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
 
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 10
 
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 10
 
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CCVA_Domain
 dhcp-server aa.cc.5.10
 
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server aa.cc.5.1 master timeout 2 retry 2
 
tunnel-group xxx.3.xxx.10 type ipsec-l2l
tunnel-group xxx.3.xxx.10 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group vv.vvv.226.150 type ipsec-l2l
tunnel-group vv.vvv.226.150 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group aa.aaa.211.8 type ipsec-l2l
tunnel-group aa.aaa.211.8 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
:
: Below is new VPN tunnel to Target
:
tunnel-group yy.yyy.206.76 type ipsec-l2l
tunnel-group yy.yyy.206.76 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group-map enable rules
 
no vpn-addr-assign aaa
no vpn-addr-assign local


SOLUTION
ASKER (mkupec):

OK, so would below be correct entries?

:
: Create Access-List entries
:

access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0

access-list targetvpn permit ip 192.168.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list targetvpn permit ip 192.168.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0

access-list nonat extended permit ip aa.c.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list nonat extended permit ip aa.c.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0


:
: this statement already in ASA
:
nat (inside) 0 access-list nonat


:
: Add Static Mapping
:
static (inside,outside) 192.168.4.0 access-list targetnat netmask 255.255.252.0


:
: Set Up Crypto Map
:
crypto map vpnccva 70 match address targetvpn
crypto map vpnccva 70 set peer yy.yyy.206.76
crypto map vpnccva 70 set transform-set ccva

SOLUTION
ASKER (mkupec):

Should have been:

access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0

And yes, I forgot to strip off the mask on the static.

I'll give the above a try (with changes just noted)  and see what happens.
ASKER (mkupec):

OK - here is what I tried applying:


:
: Create Access-List entries
:

access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0

access-list targetvpn permit ip 192.168.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list targetvpn permit ip 192.168.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0

access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0

:
: this statement already in ASA
:
nat (inside) 0 access-list nonat


:
: Add Static Mapping
:
static (inside,outside) 192.168.4.0 access-list targetnat

:
: Set Up Crypto Map
:
crypto map vpnccva 70 match address targetvpn
crypto map vpnccva 70 set peer yy.yyy.206.76
crypto map vpnccva 70 set transform-set ccva

:
: Create Tunnel
:

tunnel-group yy.yyy.206.76 type ipsec-l2l
tunnel-group yy.yyy.206.76 ipsec-attributes
 pre-shared-key xcg13Aq22
 isakmp keepalive threshold 120 retry 10


I get an error when I apply the last thing - the static statement.

Error is:

INFO: Global address overlaps with NAT exempt configuration

SOLUTION
ASKER (mkupec):

OK attached is the complete ASA config as it stands.

Adding the static entry still generates the INFO message.

Can't currently ping one of the devices on the aa.bb.1.xxx subnet that I can get from two other sites.

Am I still missing something?
: Saved
:
ASA Version 7.1(2) 
!
hostname CCVA-ASA
domain-name mydomain.com
enable password xxxxx encrypted
names
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address aa.126.aa.69 255.255.255.224 
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address aa.cc.4.1 255.255.252.0 
!
interface Ethernet0/2
 speed 100
 duplex full
 shutdown
 nameif voiplan
 security-level 90
 ip address aa.ccc.4.5 255.255.252.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd ptH2NfxurA.yL2mX encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name mydomain.com
 
access-list inside_to_outside extended permit ip any any 
access-list inside_to_outside extended permit icmp any any 
 
access-list acl_outside extended permit esp any any 
access-list acl_outside extended permit ah any any 
access-list acl_outside extended permit udp any any 
access-list acl_outside extended permit icmp any any echo 
access-list acl_outside extended permit icmp any any echo-reply 
 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.c.4.0 255.255.252.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.d.4.0 255.255.252.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.f.4.0 255.255.252.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.2.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.3.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.5.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.8.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.11.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.12.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.13.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.14.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.28.0 255.255.252.0 
access-list nonat extended permit ip any aa.cc.4.0 255.255.255.0 
 
access-list vpnwdc extended permit ip aa.cc.4.0 255.255.252.0 aa.c.4.0 255.255.252.0 
 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 aa.d.4.0 255.255.252.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.2.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.3.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.5.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.8.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.11.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.12.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.13.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.14.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.28.0 255.255.252.0 
 
access-list vpndal extended permit ip aa.cc.4.0 255.255.252.0 aa.f.4.0 255.255.252.0 
 
access-list targetvpn extended permit ip 192.168.100.0 255.255.252.0 aa.bb.0.0 255.255.252.0 
 
pager lines 24
 
logging asdm informational
 
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu voiplan 1500
 
icmp permit any unreachable outside
icmp permit any echo-reply outside
asdm image disk0:/asdm-512.bin
no asdm history enable
 
arp timeout 14400
 
global (outside) 1 aa.aaa.23.70
 
nat (inside) 0 access-list nonat
nat (inside) 1 aa.cc.4.0 255.255.252.0
 
static (inside,outside) 192.168.100.0  access-list targetvpn 
 
access-group acl_outside in interface outside
access-group inside_to_outside in interface inside
 
route outside 0.0.0.0 0.0.0.0 xx.xxx.23.65 1
 
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
 
aaa-server CCVA_Domain protocol nt
aaa-server CCVA_Domain host aa.cc.5.1
 nt-auth-domain-controller aa.cc.5.1
 
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
 
http server enable
http aa.c.4.0 255.255.255.255 inside
http aa.cc.4.0 255.255.252.0 inside
http 192.168.1.0 255.255.255.0 management
 
snmp-server host inside aa.cc.4.50 community usccccva
snmp-server location US 
snmp-server contact FName LName 703-555-1212
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
 
service resetinbound
service resetoutside
 
crypto ipsec transform-set ccva esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
 
crypto map vpnccva 10 match address vpnwdc
crypto map vpnccva 10 set peer xxx.3.xxx.10 
crypto map vpnccva 10 set transform-set ccva
 
crypto map vpnccva 30 match address vpnorl
crypto map vpnccva 30 set peer aa.240.aaa.150 
crypto map vpnccva 30 set transform-set ccva
 
crypto map vpnccva 50 match address vpndal
crypto map vpnccva 50 set peer bb.bbb.211.8 
crypto map vpnccva 50 set transform-set ccva
 
crypto map vpnccva 70 match address targetvpn
crypto map vpnccva 70 set peer cc.ccc.206.76 
crypto map vpnccva 70 set transform-set ccva
 
crypto map vpnccva 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpnccva interface outside
 
isakmp identity address 
isakmp enable outside
 
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
 
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 10
 
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 10
 
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CCVA_Domain
 dhcp-server aa.cc.5.10
 
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server aa.cc.5.1 master timeout 2 retry 2
 
tunnel-group xxx.3.xxx.10 type ipsec-l2l
tunnel-group xxx.3.xxx.10 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group aa.aaa.226.150 type ipsec-l2l
tunnel-group aa.aaa.226.150 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group bb.bbb.211.8 type ipsec-l2l
tunnel-group bb.bbb.211.8 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group yy.yyy.206.76 type ipsec-l2l
tunnel-group yy.yyy.206.76 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group-map enable rules
 
no vpn-addr-assign aaa
no vpn-addr-assign local
 
telnet aa.c.4.0 255.255.252.0 inside
telnet aa.cc.4.0 255.255.252.0 inside
telnet timeout 5
 
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
 
console timeout 60
 
dhcpd address 192.168.1.2-192.168.1.21 management
dhcpd dns ccc.ccc.3.65 ccc.ccc.2.65
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
ntp server 192.x.xx.41 source outside prefer
webvpn
 enable outside
 csd image disk0:/securedesktop-asa-3.1.1.45-k9.pkg
 svc image disk0:/sslclient-win-1.1.4.179-anyconnect.pkg 1
 svc enable
 url-list CCVA_VPN "CCVADC01" cifs://10.13.5.1 1
Cryptochecksum:7ddfa4ea235ba063a2af47836cfb1050
: end


SOLUTION
ASKER (mkupec):

OK - NOW I See where I'm screwing up.

So this is what I'll have:

access-list targetvpn permit ip 192.168.4.0 255.255.252.0 aa.bb.1.0 255.255.255.0

access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.bb.1.0 255.255.255.0

static (inside,outside) 192.168.100.0  access-list targetnat

with the first access-list associated to the VPN tunnel and the second one associated to the NAT

Did that and I can now ping aa.bb.1.136!

BTW: I found out that the aa.bb.0.0 really should have been aa.bb.1.0 so I changed that as you see above.

Now I see how both access-lists and the NAT are associated with each other.

FWIW: when adding the above, I still get the message:

INFO: Global address overlaps with NAT exempt configuration

It's an INFO message from the ASA and not an error. Everything else still seems to work so I'm not worried about it.
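An added worked example, written for this thread rather than taken from it or from Cisco, that models why the crypto-map ACL has to name the translated range while the static's policy ACL names the real one, and why the same static also carries the consultant's printing traffic back in. The networks are constructed placeholders for the thread's masked aa.cc.4.0/22, 192.168.100.0/22 and aa.bb.1.0/24, and the ASA packet path is only modelled, not reproduced.

```python
"""Model of ASA 7.x policy static NAT plus crypto-map ACL on a LAN-to-LAN tunnel.

Added example for this thread; not the thread's config and not Cisco code.
Networks below are constructed placeholders for the masked addresses.
"""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

INSIDE_REAL = ipaddress.ip_network("10.1.4.0/22")         # placeholder for aa.cc.4.0/22
INSIDE_MAPPED = ipaddress.ip_network("192.168.100.0/22")  # 1:1 NAT range sent to the consultant
REMOTE = ipaddress.ip_network("172.16.1.0/24")            # placeholder for aa.bb.1.0/24

# An ACE is (source network, destination network); an ACL is an ordered list of permits.
ACE = Tuple[Net, Net]

# "access-list targetnat permit ip <real> <remote>" drives the static (policy NAT).
TARGETNAT: List[ACE] = [(INSIDE_REAL, REMOTE)]
# "access-list targetvpn permit ip <mapped> <remote>" is the crypto map's match address.
TARGETVPN: List[ACE] = [(INSIDE_MAPPED, REMOTE)]
# The earlier mistake in the thread: pointing the crypto map at the NAT ACL.
TARGETVPN_WRONG: List[ACE] = TARGETNAT


def acl_permits(acl: List[ACE], src: Addr, dst: Addr) -> bool:
    """Permit if any ACE covers the (src, dst) pair."""
    return any(src in s and dst in d for s, d in acl)


def translate(real: Net, mapped: Net, addr: Addr) -> Addr:
    """1:1 mapping real -> mapped: same host offset inside the /22."""
    return mapped[int(addr) - int(real.network_address)]


def untranslate(real: Net, mapped: Net, addr: Addr) -> Addr:
    """Inverse of translate; a static is bidirectional."""
    return real[int(addr) - int(mapped.network_address)]


def outbound(src: str, dst: str, crypto_acl: List[ACE]) -> dict:
    """Inside -> outside: policy NAT runs first, then the crypto map sees the translated packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl_permits(TARGETNAT, s, d):
        on_wire, nat_applied = translate(INSIDE_REAL, INSIDE_MAPPED, s), True
    else:
        on_wire, nat_applied = s, False
    return {
        "src_on_wire": str(on_wire),
        "nat_applied": nat_applied,
        "enters_tunnel": acl_permits(crypto_acl, on_wire, d),
    }


def inbound(src: str, dst: str, crypto_acl: List[ACE]) -> Optional[str]:
    """Outside -> inside: the decrypted packet must match the crypto ACL mirrored,
    then the static's reverse translation restores the real inside address."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not acl_permits(crypto_acl, d, s):  # mirror image of the outbound ACE
        return None
    if d not in INSIDE_MAPPED:
        return None
    return str(untranslate(INSIDE_REAL, INSIDE_MAPPED, d))


if __name__ == "__main__":
    # Inside host reaching the consultant's Unix box through the tunnel.
    print(outbound("10.1.4.50", "172.16.1.136", TARGETVPN))
    # Same packet when the crypto map wrongly matches the real (pre-NAT) addresses.
    print(outbound("10.1.4.50", "172.16.1.136", TARGETVPN_WRONG))
    # Consultant printing back to a mapped address lands on the real printer.
    print(inbound("172.16.1.136", "192.168.100.5", TARGETVPN))
```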


SOLUTION
ASKER CERTIFIED SOLUTION