How to Configure Cisco ASA 5505 to support VPN with 1-to-1 NAT

Posted on 2010-09-09
Last Modified: 2012-06-21
I have a Cisco ASA 5505 that I need to configure for a VPN (LAN-to-LAN) connection between a local office and a remote facility.  The problem is that the remote facility is requiring me to use a different IP address for the local server, so I am assuming NAT needs to be involved.

Basically, a single local server (LOCAL_SERVER) needs bi-directional communication with 3 remote servers (REMOTE_SERVER1, 2, 3).  The remote servers need to "think" they are talking with a translated address (LOCAL_SERVER_NAT).

My present configuration is not working and I don't trust that I have the config correct.  Can someone please examine the config and tell me what needs to change?

TIA
---------------------------------
Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name XXXXX
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
names
name 192.168.1.2 LOCAL_SERVER description Local server that will be communicating via VPN
name 10.9.203.252 REMOTE_SERVER1 description Remote server to communicate via VPN
name 10.9.203.253 REMOTE_SERVER2 description Remote server to communicate via VPN
name 10.9.195.46 REMOTE_SERVER3 description Remote server to communicate via VPN
name 172.16.21.21 LOCAL_SERVER_NAT description Translated IP for LOCAL_SERVER to communicate via VPN

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxx.local
object-group service RDP tcp
 description RDP
 port-object eq 3389
object-group service MedTrak tcp
 description MedTrak
 port-object eq 9091
object-group service 3390 tcp
 description 3390
 port-object eq 3390
object-group network REMOTE_SERVERS
 description Remote servers involved in VPN communications
 network-object host REMOTE_SERVER3
 network-object host REMOTE_SERVER1
 network-object host REMOTE_SERVER2
access-list outside_access_in extended permit tcp any host dbServer eq 3389
access-list outside_access_in extended permit tcp any host dbServer eq 9091
access-list outside_access_in extended permit tcp any host dbServer eq 3390
access-list outside_in extended permit tcp any interface outside eq 3389
access-list outside_in extended permit tcp any interface outside eq 9091
access-list inside_nat_static extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 dbServer 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 9091 dbServer 9091 netmask 255.255.255.255
static (inside,outside) LOCAL_SERVER_NAT  access-list inside_nat_static
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.95.237.130 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address inside_nat_static
crypto map outside_map 1 set peer 192.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns dbServer interface inside
dhcpd wins dbServer interface inside
dhcpd lease 1048575 interface inside
dhcpd ping_timeout 900 interface inside
dhcpd domain xxxxx.local interface inside
dhcpd enable inside
!

tunnel-group 192.xx.xx.xx type ipsec-l2l
tunnel-group 192.xx.xx.xx ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:dfXXXXXXXXXXXXXXXXXXXXXXXXXXXd07
: end
Question by: quibbly

Accepted Solution by: ullas_unni (earned 500 total points)
ID: 33639967
Change the ACL below:

access-list inside_nat_static extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS

to

access-list inside_nat_static extended permit ip host LOCAL_SERVER_NAT object-group REMOTE_SERVERS

and create another ACL, something like this:

access-list inside_nat extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS

and use it for the static:

static (inside,outside) LOCAL_SERVER_NAT access-list inside_nat

Expert Comment by: ZombieAutopsy
ID: 33640021
Don't forget your nonat command:

access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0

Expert Comment by: ullas_unni
ID: 33640039
So the policy NAT should have an access-list from the local IP to the remote server,

and

the crypto ACL, i.e. inside_nat_static, should have an entry for traffic from the NAT IP to the remote server.

Expert Comment by: ullas_unni
ID: 33640095
Why do we need no-nat when he wants to do the NAT?
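Worked example, added here and not part of the original thread or the asker's running config: the NAT and crypto sections of the posted config rewritten the way the accepted solution describes (one ACL for the policy static NAT keyed on the real address, a separate crypto ACL keyed on the translated address), plus the point from the no-nat exchange, which is that a static translation is matched before the nat/global pair, so LOCAL_SERVER needs no nat 0 exemption. Addresses, object names, transform set and the "192.xx.xx.xx" peer placeholder are taken from the thread as posted; the ACL name vpn_to_remote and the packet-tracer/show commands at the end are my own additions.

```cisco
! ---- names and groups, as in the asker's config ----
names
name 192.168.1.2 LOCAL_SERVER
name 172.16.21.21 LOCAL_SERVER_NAT
name 10.9.203.252 REMOTE_SERVER1
name 10.9.203.253 REMOTE_SERVER2
name 10.9.195.46 REMOTE_SERVER3
object-group network REMOTE_SERVERS
 network-object host REMOTE_SERVER1
 network-object host REMOTE_SERVER2
 network-object host REMOTE_SERVER3
!
! Policy NAT ACL: matched against the REAL (pre-translation) source.
access-list inside_nat extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
!
! Crypto ACL (name vpn_to_remote is an assumption): matched against the
! TRANSLATED source, because outbound NAT runs before the crypto map lookup.
! The remote peer's crypto ACL must be the mirror image: its three hosts
! to host 172.16.21.21, never to 192.168.1.2.
access-list vpn_to_remote extended permit ip host LOCAL_SERVER_NAT object-group REMOTE_SERVERS
!
! Policy static NAT: LOCAL_SERVER appears as LOCAL_SERVER_NAT only toward
! REMOTE_SERVERS. Static entries are evaluated before the nat/global pair
! below, so everything else from LOCAL_SERVER is still PAT'd to the outside
! interface, and no nat 0 exemption is needed for this host.
static (inside,outside) LOCAL_SERVER_NAT access-list inside_nat
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Crypto map now references the crypto ACL, not the NAT ACL.
crypto map outside_map 1 match address vpn_to_remote
crypto map outside_map 1 set peer 192.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
!
! ---- verification (exec mode, my additions) ----
! The trace should show a NAT phase rewriting the source to 172.16.21.21
! followed by a VPN encrypt phase; a drop in either phase points at the ACL
! that does not match the address form that phase sees.
packet-tracer input inside tcp 192.168.1.2 1025 10.9.203.252 3389
show xlate
show crypto isakmp sa
show crypto ipsec sa
```

Two caveats. Return traffic initiated by REMOTE_SERVER1-3 toward 172.16.21.21 is un-translated by the same static (statics are bidirectional) and, because sysopt connection permit-vpn is on by default on this release, it is not filtered by the outside_in ACL; if that is not wanted, turn that sysopt off and add explicit outside ACL entries. The 3DES/MD5/group 2 settings are kept exactly as the thread has them; they are the remote facility's choice to negotiate, and a peer that supports AES and SHA should be moved to those.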