Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

How to Configure Cisco ASA 5505 to support VPN with 1-to-1 NAT

Posted on 2010-09-09
4
Medium Priority
?
967 Views
Last Modified: 2012-06-21
I have a Cisco ASA 5505 that I need to configure for a VPN (LAN-to-LAN) connection between a local office and a remote facility.  The problem is that the remote facility is requiring me to use a different IP address for the local server, so I am assuming NAT needs to be involved.

Basically, a single local server (LOCAL_SERVER) needs bi-directional communicate with 3 remote servers (REMOTE_SERVER1, 2, 3).  The remote servers need to "think" they are talking with a translated address (LOCAL_SERVER_NAT).

My present configuration is not working and I don't trust that I have the config correct.  Can someone please examine the config and tell me what needs to change?

TIA
---------------------------------
Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name XXXXX
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
names
name 192.168.1.2 LOCAL_SERVER description Local server that will be communicating via VPN
name 10.9.203.252 REMOTE_SERVER1 description Remote server to communicate via VPN
name 10.9.203.253 REMOTE_SERVER2 description Remote server to communicate via VPN
name 10.9.195.46 REMOTE_SERVER3 description Remote server to communicate via VPN
name 172.16.21.21 LOCAL_SERVER_NAT description Translated IP for LOCAL_SERVER to communicate via VPN

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxx.local
object-group service RDP tcp
 description RDP
 port-object eq 3389
object-group service MedTrak tcp
 description MedTrak
 port-object eq 9091
object-group service 3390 tcp
 description 3390
 port-object eq 3390
object-group network REMOTE_SERVERS
 description Remote servers involved in VPN communications
 network-object host REMOTE_SERVER3
 network-object host REMOTE_SERVER1
 network-object host REMOTE_SERVER2
access-list outside_access_in extended permit tcp any host dbServer eq 3389
access-list outside_access_in extended permit tcp any host dbServer eq 9091
access-list outside_access_in extended permit tcp any host dbServer eq 3390
access-list outside_in extended permit tcp any interface outside eq 3389
access-list outside_in extended permit tcp any interface outside eq 9091
access-list inside_nat_static extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 dbServer 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 9091 dbServer 9091 netmask 255.255.255.255
static (inside,outside) LOCAL_SERVER_NAT  access-list inside_nat_static
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.95.237.130 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address inside_nat_static
crypto map outside_map 1 set peer 192.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns dbServer interface inside
dhcpd wins dbServer interface inside
dhcpd lease 1048575 interface inside
dhcpd ping_timeout 900 interface inside
dhcpd domain xxxxx.local interface inside
dhcpd enable inside
!

tunnel-group 192.xx.xx.xx type ipsec-l2l
tunnel-group 192.xx.xx.xx ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:dfXXXXXXXXXXXXXXXXXXXXXXXXXXXd07
: end
0
Comment
Question by:quibbly
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 4

Accepted Solution

by:
ullas_unni earned 2000 total points
ID: 33639967
change the below acl

access-list inside_nat_static extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS

to

access-list inside_nat_static extended permit ip host LOCAL_SERVER_NAT object-group REMOTE_SERVERS

and create another acl..something like this:

access-list inside_nat extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
and use it for the static:

static (inside,outside) LOCAL_SERVER_NAT  access-list inside_nat
0
 
LVL 8

Expert Comment

by:ZombieAutopsy
ID: 33640021
dont forget your nonat command

access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33640039
so the policy nat should have access-list from local ip to remote server

and

crypto acl ie. inside_nat_static should have entry for traffic from nat ip to remote server.
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33640095
why do we need no nat when he wants to do the nat??
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question