Cisco ASA 5505 NAT VPN

Posted on 2009-12-29
Last Modified: 2012-05-08
I created a VPN tunnel (via the wizard) to access a server on our client's network, and the tunnel came up OK:

show crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: XXXXXXXX
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

show crypto ipsec sa
#pkts encaps: 119, #pkts encrypt: 119, #pkts digest: 119
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0  

The client gave me an IP range (192.168.221.0/24) to access their network.

How can I create a NAT rule so that I enter the client's network with a client IP (like 192.168.221.1)?

Thank you,

Felipe.
Question by:FelipeSchneider

Expert Comment

by:predragpetrovic
ID: 26140840
hi,

for example:
SITE A: 172.25.100.0/24 (this is your network)
SITE B: 172.25.101.0/24 (this is customer network)

on your site (SITE A) do the following:

Create a policy access list
access-list policy-nat extended permit ip 172.25.100.0 255.255.255.0 172.25.101.0 255.255.255.0

Create a nat statement
static (inside,outside) 192.168.221.0 access-list policy-nat

predrag
Author Comment

by:FelipeSchneider
ID: 26140944
I ran the commands, but apparently they don't work.

Is there a way to debug the request to find the error?

Below is the config from the ASA.

Thank you,

Felipe
access-list backoffice_nat0_outbound_1 extended permit ip 10.0.40.0 255.255.255.192 10.0.20.0 255.255.255.240
access-list outside_1_cryptomap extended permit ip 10.0.40.0 255.255.255.192 10.10.0.0 255.255.0.0
access-list backoffice_access_in extended permit ip 10.0.40.0 255.255.255.192 any

nat-control
global (outside) 1 interface
nat (backoffice) 0 access-list backoffice_nat0_outbound_1
nat (backoffice) 1 10.0.40.0 255.255.255.192
nat (dmz) 1 10.0.10.0 255.255.255.240
nat (wireless) 1 10.0.30.0 255.255.255.240
nat (serverfarm) 1 10.0.20.0 255.255.255.240
static (backoffice,outside) 192.168.221.0  access-list outside_1_cryptomap
access-group backoffice_access_in in interface backoffice
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 outside_ip 1

Expert Comment

by:predragpetrovic
ID: 26141742
Could you give me the crypto map access list?
Author Comment

by:FelipeSchneider
ID: 26141885
Of course, the running config:
: Saved
:
ASA Version 8.0(2) 
!
hostname ciscoasa
domain-name hq.veritax.com.br
enable password f4WLpK5EmHJxC3K9 encrypted
names
name XXXXXXXXXXX outside_ip
name 10.0.20.10 adws2008_on_serverfarm
name 10.0.20.4 proxy_on_serverfarm
name XXXXXXXXXXX dns_provider_2
name XXXXXXXXXXX dns_provider_1
name 10.0.30.3 printserver_on_wireless
name 10.0.20.3 isaserver_on_serverfarm
name 10.0.50.0 vpn-network
name 10.0.10.11 webserver_on_dmz
name XXXXXXXXXXX mysql_on_uolhost
name XXXXXXXXXXX client_peer
name 10.10.0.0 client_network
!
interface Vlan1
 description BackOffice - 62  hosts
 nameif backoffice
 security-level 100
 ip address 10.0.40.1 255.255.255.192 
 ospf cost 10
!
interface Vlan2
 description Outside - 1 host
 nameif outside
 security-level 0
 pppoe client vpdn group PPPoE
 ip address pppoe 
 ospf cost 10
!
interface Vlan22
 description DMZ - 14 hosts
 nameif dmz
 security-level 25
 ip address 10.0.10.1 255.255.255.240 
!
interface Vlan32
 description Wireless - 14 hosts
 nameif wireless
 security-level 50
 ip address 10.0.30.1 255.255.255.240 
!
interface Vlan42
 description ServerFarm - 14 hosts
 nameif serverfarm
 security-level 75
 ip address 10.0.20.1 255.255.255.240 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 22
!
interface Ethernet0/2
 switchport access vlan 42
!
interface Ethernet0/3
 switchport access vlan 32
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXXXXXXXXXXXXXXXXXXXX encrypted
ftp mode passive
clock timezone BRST -3
clock summer-time BRDT recurring 2 Sun Oct 0:00 3 Sun Feb 0:00
dns server-group DefaultDNS
 domain-name hq.veritax.com.br
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object 10.0.20.0 255.255.255.240
 network-object vpn-network 255.255.255.240
object-group network DM_INLINE_NETWORK_2
 network-object 10.0.10.0 255.255.255.240
 network-object vpn-network 255.255.255.0
access-list backoffice_nat0_outbound_1 extended permit ip 10.0.40.0 255.255.255.192 object-group DM_INLINE_NETWORK_1 
access-list dmz_access_in extended permit ip any 10.0.20.0 255.255.255.240 
access-list dmz_access_in extended permit ip host webserver_on_dmz host mysql_on_uolhost 
access-list outside_1_cryptomap extended permit ip 10.0.40.0 255.255.255.192 client_network 255.255.0.0 
access-list XXXXXXXX_splitTunnelAcl standard permit 10.0.40.0 255.255.255.224
access-list XXXXXXXX_splitTunnelAcl standard permit 10.0.20.0 255.255.255.240 
access-list XXXXXXXX_splitTunnelAcl standard permit 10.0.10.0 255.255.255.248 
access-list XXXXXXXX_splitTunnelAcl standard permit 10.0.30.0 255.255.255.240 
access-list backoffice_access_in extended permit ip 10.0.40.0 255.255.255.192 any 
access-list XXXXXXXX_splitTunnelAcl_1 standard permit 10.0.10.0 255.255.255.248 
access-list XXXXXXXX_splitTunnelAcl_1 standard permit 10.0.20.0 255.255.255.240 
access-list XXXXXXXX_splitTunnelAcl_1 standard permit 10.0.30.0 255.255.255.240 
access-list XXXXXXXX_splitTunnelAcl_1 standard permit 10.0.40.0 255.255.255.192 
access-list serverfarm_access_in extended permit ip vpn-network 255.255.255.240 any 
access-list serverfarm_nat0_outbound extended permit ip any object-group DM_INLINE_NETWORK_2 
pager lines 24
logging enable
logging monitor debugging
logging buffered debugging
logging asdm debugging
mtu backoffice 1500
mtu outside 1500
mtu dmz 1500
mtu wireless 1500
mtu serverfarm 1500
ip local pool vpn_dhcp_pool 10.0.50.1-10.0.50.14 mask 255.255.255.240
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (backoffice) 0 access-list backoffice_nat0_outbound_1
nat (backoffice) 1 10.0.40.0 255.255.255.192
nat (dmz) 1 10.0.10.0 255.255.255.240
nat (wireless) 1 10.0.30.0 255.255.255.240
nat (serverfarm) 0 access-list serverfarm_nat0_outbound
nat (serverfarm) 1 10.0.20.0 255.255.255.240
static (dmz,outside) tcp interface www webserver_on_dmz www netmask 255.255.255.255 
static (dmz,outside) tcp interface ftp webserver_on_dmz ftp netmask 255.255.255.255 
static (backoffice,outside) 192.168.221.0  access-list outside_1_cryptomap 
access-group backoffice_access_in in interface backoffice
access-group dmz_access_in in interface dmz
access-group serverfarm_access_in in interface serverfarm
route outside 0.0.0.0 0.0.0.0 outside_ip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.20.0 255.255.255.240 serverfarm
http 10.0.40.0 255.255.255.224 backoffice
http 0.0.0.0 0.0.0.0 backoffice
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection reclassify-vpn
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer client_peer
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000 
telnet 0.0.0.0 0.0.0.0 backoffice
telnet timeout 5
ssh 10.0.40.0 255.255.255.192 backoffice
ssh timeout 5
console timeout 0
vpdn group PPPoE request dialout pppoe
vpdn group PPPoE localname XXXXXXXXXXXXXX@XXXXXXXXXXXXXXXXX
vpdn group PPPoE ppp authentication pap
vpdn username XXXXXXXXXXX@XXXXXXXXXXXXXX password XXXXXXXXXXXX store-local
dhcpd auto_config outside
!
dhcpd address 10.0.40.20-10.0.40.30 backoffice
dhcpd dns adws2008_on_serverfarm dns_provider_1 interface backoffice
dhcpd enable backoffice
!
dhcpd address 10.0.30.4-10.0.30.14 wireless
dhcpd dns dns_provider_1 dns_provider_2 interface wireless
dhcpd enable wireless
!

threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect icmp 
!
service-policy global_policy global
group-policy XXXXXXXX internal
group-policy XXXXXXXX attributes
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value XXXXXXXX_splitTunnelAcl_1
username XXXXXXXX.XXXXXXXXXXXX password XXXXXXXX encrypted privilege 0
username XXXXXXXX.XXXXXXXXXXXX attributes
 vpn-group-policy XXXXXXXX
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
 pre-shared-key XXXXXXXX
 peer-id-validate cert
tunnel-group XXXXXXXX type remote-access
tunnel-group XXXXXXXX general-attributes
 address-pool vpn_dhcp_pool
 default-group-policy XXXXXXXX
tunnel-group XXXXXXXX ipsec-attributes
 pre-shared-key XXXXXXXX
prompt hostname context 
Cryptochecksum:95fcf7c47f4e33bca4d1cdd5ff629c46
: end
asdm image disk0:/asdm-602.bin
no asdm history enable

Accepted Solution

by:
predragpetrovic earned 2000 total points
ID: 26142167
hi,

here is the problem:

access-list outside_1_cryptomap is used for both the NAT translation and the VPN. So do the following:

access-list vpn_nat_trans extended permit ip 192.168.221.0 255.255.255.0 10.10.0.0 255.255.0.0
no crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 match address vpn_nat_trans
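The accepted solution hinges on ASA 8.0 order of operations: static policy NAT rewrites the source before the crypto map ACL is evaluated, so a crypto ACL written with real (pre-NAT) addresses stops matching once the static is in place. The following added Python model (not from the thread or from Cisco) walks a backoffice -> client packet through the three states of this thread, using the ACLs from the posted config; it assumes the client's peer only accepts 192.168.221.0/24 as the inner source, and that the nat 0 exemption ACL is checked before the static.

```python
import ipaddress

IP = ipaddress.ip_address
NET = ipaddress.ip_network

# Constructed model of the ASA 8.0 outbound path for this L2L tunnel:
# nat 0 exemption, then static policy NAT, then the crypto-map ACL, which
# is evaluated against the packet AFTER translation. Networks and ACLs
# are taken from the running config posted in the thread.
BACKOFFICE = NET("10.0.40.0/26")
CLIENT_NET = NET("10.10.0.0/16")          # name client_network
MAPPED_NET = NET("192.168.221.0/26")      # static (backoffice,outside) 192.168.221.0

# access-list backoffice_nat0_outbound_1 (DM_INLINE_NETWORK_1): no client traffic
NAT0_ACL = [(BACKOFFICE, NET("10.0.20.0/28")), (BACKOFFICE, NET("10.0.50.0/28"))]
# access-list outside_1_cryptomap: real (pre-NAT) addresses
OUTSIDE_1_CRYPTOMAP = [(BACKOFFICE, CLIENT_NET)]
# access-list vpn_nat_trans from the accepted solution: translated addresses
VPN_NAT_TRANS = [(NET("192.168.221.0/24"), CLIENT_NET)]
# assumption: the peer's crypto ACL only accepts this range as our inner source
PEER_ACCEPTS = NET("192.168.221.0/24")

def acl_match(acl, src, dst):
    """True if some ACE (src_net, dst_net) permits the src/dst pair."""
    return any(src in s and dst in d for s, d in acl)

def translate(src, dst, static_acl):
    """nat 0 exemption first, then the policy static; None = no static configured."""
    if static_acl is None or acl_match(NAT0_ACL, src, dst):
        return src
    if acl_match(static_acl, src, dst):
        offset = int(src) - int(BACKOFFICE.network_address)
        return IP(int(MAPPED_NET.network_address) + offset)  # keeps host bits
    return src

def tunnel_outcome(src, dst, static_acl, crypto_acl):
    """Classify what happens to one backoffice -> client packet."""
    xlated = translate(src, dst, static_acl)
    if not acl_match(crypto_acl, xlated, dst):
        return "not encrypted: crypto ACL does not match post-NAT packet"
    if xlated not in PEER_ACCEPTS:
        return "encrypted, but peer rejects inner source (encaps up, decaps 0)"
    return "ok"

if __name__ == "__main__":
    src, dst = IP("10.0.40.5"), IP("10.10.1.1")
    # 1) tunnel as first shown in the question: no NAT yet
    print(tunnel_outcome(src, dst, None, OUTSIDE_1_CRYPTOMAP))
    # 2) static added, but the same ACL reused for NAT and crypto map
    print(tunnel_outcome(src, dst, OUTSIDE_1_CRYPTOMAP, OUTSIDE_1_CRYPTOMAP))
    # 3) accepted solution: crypto map matches vpn_nat_trans
    print(tunnel_outcome(src, dst, OUTSIDE_1_CRYPTOMAP, VPN_NAT_TRANS))
```

State 1 reproduces the question's symptom (encaps counting up, decaps stuck at zero); state 2 is the "apparently doesn't work" stage; state 3 is the fix.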
Author Closing Comment

by:FelipeSchneider
ID: 31670915
Perfect. Thank you.