How to Configure Cisco ASA 5505 to support VPN with 1-to-1 NAT
I have a Cisco ASA 5505 that I need to configure for a VPN (LAN-to-LAN) connection between a local office and a remote facility. The problem is that the remote facility is requiring me to use a different IP address for the local server, so I am assuming NAT needs to be involved.
Basically, a single local server (LOCAL_SERVER) needs bi-directional communicate with 3 remote servers (REMOTE_SERVER1, 2, 3). The remote servers need to "think" they are talking with a translated address (LOCAL_SERVER_NAT).
My present configuration is not working and I don't trust that I have the config correct. Can someone please examine the config and tell me what needs to change?
TIA
--------------------------
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name XXXXX
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
names
name 192.168.1.2 LOCAL_SERVER description Local server that will be communicating via VPN
name 10.9.203.252 REMOTE_SERVER1 description Remote server to communicate via VPN
name 10.9.203.253 REMOTE_SERVER2 description Remote server to communicate via VPN
name 10.9.195.46 REMOTE_SERVER3 description Remote server to communicate via VPN
name 172.16.21.21 LOCAL_SERVER_NAT description Translated IP for LOCAL_SERVER to communicate via VPN
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxx.local
object-group service RDP tcp
description RDP
port-object eq 3389
object-group service MedTrak tcp
description MedTrak
port-object eq 9091
object-group service 3390 tcp
description 3390
port-object eq 3390
object-group network REMOTE_SERVERS
description Remote servers involved in VPN communications
network-object host REMOTE_SERVER3
network-object host REMOTE_SERVER1
network-object host REMOTE_SERVER2
access-list outside_access_in extended permit tcp any host dbServer eq 3389
access-list outside_access_in extended permit tcp any host dbServer eq 9091
access-list outside_access_in extended permit tcp any host dbServer eq 3390
access-list outside_in extended permit tcp any interface outside eq 3389
access-list outside_in extended permit tcp any interface outside eq 9091
access-list inside_nat_static extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 dbServer 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 9091 dbServer 9091 netmask 255.255.255.255
static (inside,outside) LOCAL_SERVER_NAT access-list inside_nat_static
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.95.237.130 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address inside_nat_static
crypto map outside_map 1 set peer 192.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.20
dhcpd dns dbServer interface inside
dhcpd wins dbServer interface inside
dhcpd lease 1048575 interface inside
dhcpd ping_timeout 900 interface inside
dhcpd domain xxxxx.local interface inside
dhcpd enable inside
!
tunnel-group 192.xx.xx.xx type ipsec-l2l
tunnel-group 192.xx.xx.xx ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:dfXXXXXXXXX
: end
Basically, a single local server (LOCAL_SERVER) needs bi-directional communicate with 3 remote servers (REMOTE_SERVER1, 2, 3). The remote servers need to "think" they are talking with a translated address (LOCAL_SERVER_NAT).
My present configuration is not working and I don't trust that I have the config correct. Can someone please examine the config and tell me what needs to change?
TIA
--------------------------
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name XXXXX
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
names
name 192.168.1.2 LOCAL_SERVER description Local server that will be communicating via VPN
name 10.9.203.252 REMOTE_SERVER1 description Remote server to communicate via VPN
name 10.9.203.253 REMOTE_SERVER2 description Remote server to communicate via VPN
name 10.9.195.46 REMOTE_SERVER3 description Remote server to communicate via VPN
name 172.16.21.21 LOCAL_SERVER_NAT description Translated IP for LOCAL_SERVER to communicate via VPN
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxx.local
object-group service RDP tcp
description RDP
port-object eq 3389
object-group service MedTrak tcp
description MedTrak
port-object eq 9091
object-group service 3390 tcp
description 3390
port-object eq 3390
object-group network REMOTE_SERVERS
description Remote servers involved in VPN communications
network-object host REMOTE_SERVER3
network-object host REMOTE_SERVER1
network-object host REMOTE_SERVER2
access-list outside_access_in extended permit tcp any host dbServer eq 3389
access-list outside_access_in extended permit tcp any host dbServer eq 9091
access-list outside_access_in extended permit tcp any host dbServer eq 3390
access-list outside_in extended permit tcp any interface outside eq 3389
access-list outside_in extended permit tcp any interface outside eq 9091
access-list inside_nat_static extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 dbServer 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 9091 dbServer 9091 netmask 255.255.255.255
static (inside,outside) LOCAL_SERVER_NAT access-list inside_nat_static
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.95.237.130 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address inside_nat_static
crypto map outside_map 1 set peer 192.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.20
dhcpd dns dbServer interface inside
dhcpd wins dbServer interface inside
dhcpd lease 1048575 interface inside
dhcpd ping_timeout 900 interface inside
dhcpd domain xxxxx.local interface inside
dhcpd enable inside
!
tunnel-group 192.xx.xx.xx type ipsec-l2l
tunnel-group 192.xx.xx.xx ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:dfXXXXXXXXX
: end
Who is Participating?
dont forget your nonat command
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
so the policy nat should have access-list from local ip to remote server
and
crypto acl ie. inside_nat_static should have entry for traffic from nat ip to remote server.
and
crypto acl ie. inside_nat_static should have entry for traffic from nat ip to remote server.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
-
Course of the Month6 days, 9 hours left to enrollMonitoring and Operating a Private Cloud with System Center 2012 R2 273 lessons
access-list inside_nat_static extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
to
access-list inside_nat_static extended permit ip host LOCAL_SERVER_NAT object-group REMOTE_SERVERS
and create another acl..something like this:
access-list inside_nat extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
and use it for the static:
static (inside,outside) LOCAL_SERVER_NAT access-list inside_nat