Solved

Cisco ASA VPN with address translation

Posted on 2011-09-07
Last Modified: 2012-05-12
We have a Cisco ASA 5505 Security Appliance. We are trying to set up a Site-to-site VPN with another company. Normally this wouldn't be a problem but the LAN Subnet that we are using conflicts with another one of their VPNs so we have to translate our server's IP address to a different address before sending it over the VPN. I have tried setting up a static policy NAT to do the trick but the VPN is not coming up. Here is the info:

Our ASA's LAN IP: 192.168.0.1
Our Server they need to access: 192.168.0.11
The IP they want us to translate to: 172.16.66.33
The IP address of their server: 10.50.106.41

We don't have a problem connecting to their subnet but they cannot connect to our 192.168.0.0/24 subnet because it overlaps with another one of their clients. So we just need to translate 192.168.0.11 to 172.16.66.33 on our side of the VPN.

I hope that makes sense. Can someone provide a working example? We can use the CLI or ASDM.

Thanks
Kent
Question by:fkoyer
 
LVL 18

Expert Comment

by:jmeggers
ID: 36500572
I don't have a working example for 8.3 and later, but this is what the relevant parts looked like on 8.2:

access-list nat-194 extended permit ip 10.0.0.0 255.0.0.0 host 10.192.12.20
nat (inside) 2 access-list nat-194
global (outside) 2 10.194.66.42

access-list VPN extended permit ip host 10.194.66.42 host 10.192.12.20

crypto map outside_map 10 match address VPN
crypto map outside_map 10 set peer 1.2.3.4

There are other parts of the crypto config (ISAKMP, transform-set, etc.) that aren't shown.
 
LVL 1

Author Comment

by:fkoyer
ID: 36505513
I am on 8.2. I tried your suggestion but it is still not working. Maybe I did something wrong. Here are the commands I tried:

access-list nat-194 extended permit ip host 192.168.0.11 host 10.50.106.41
nat (inside) 2 access-list nat-194
global (outside) 2 172.16.66.33
access-list VPN extended permit ip host 172.16.66.33 host 10.50.106.41

crypto map outside_map 4 match address VPN
crypto map outside_map 4 set pfs group5
crypto map outside_map 4 set peer Remote_WAN_IP
crypto map outside_map 4 set transform-set ESP-AES-256-SHA


When I ran the global command, I got this message
INFO: Global 172.16.66.33 will be Port Address Translated

But I don't want to translate the port addresses, just the IP addresses.

Any other ideas?

Thanks
Kent
 
LVL 18

Expert Comment

by:jmeggers
ID: 36506050
The message you're seeing is standard when you translate to a single address.  It just means that the single address of 172.16.66.33 will be used (as opposed to a pool or range of addresses), and individual connections will be port-address translated to different ports (1024 to 65535) on that same IP address.  It's the same as would happen if you were NATing all your internal addresses to the single address on the outside interface, and the message is the same as you would see then.

What you did looks OK to me at first glance.  Let me try to re-state in English and you can tell me if what I'm describing is what you're actually trying to do.  You have a host 192.168.0.11 that needs to talk to destination 10.50.106.41.  But you need to NAT that communication so traffic arrives at the remote host showing a NATed source address of 172.16.66.33.  VPN encryption happens after translation, so the ACL for encryption shows the NATed address as the source of the traffic and the destination staying the same.  Sound correct?

Can you tell me what is not working? Are translations not happening (show xlate)?  Does the VPN tunnel not come up (have you sent interesting traffic?)?  Let me know more about what you're seeing and we can try to troubleshoot.
 
LVL 1

Author Comment

by:fkoyer
ID: 36506334
What you've stated sounds correct. I would like to add that the remote host at 10.50.106.41 also needs to initiate connections to 172.16.66.33 which will be encrypted and then un-NAT'ed on our end so the traffic will be destined for 192.168.0.11. That is why I don't think the PAT translation will work unless there is a way to control which ports get mapped to which ports.

The VPN is not coming up. I've tried running a packet trace from within ASDM (Configuration > Firewall > NAT Rules > Packet Trace). It appears that the address translation is happening but then the traffic doesn't match the VPN access-list (or isn't being checked after being NAT'ed). I am running a continuous ping from 192.168.0.11 to 10.50.106.41 to generate interesting traffic.

The output from show xlate is long because of lots of people surfing the Internet but I think this is the interesting bit:

Global 172.16.66.33 Local BSP-SQL

Where BSP-SQL is an alias for 192.168.0.11. Let me know what else you need.

Thanks
Kent
 
LVL 1

Accepted Solution

by:fkoyer (earned 0 total points)
ID: 36540274
I was able to get a Cisco engineer on the phone. The solution is to create a static policy NAT like this:


access-list policy_nat extended permit ip host 192.168.0.11 host 10.50.106.41
static (inside,outside) 172.16.66.33 access-list policy_nat

The access-list for the VPN should reference the translated source IP address.

I hope this helps somebody else in the future.

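The accepted solution above gives only the two NAT lines. Below is an added example (not the poster's or the Cisco engineer's configuration) that combines them with the crypto ACL and crypto map from the earlier attempt into one ASA 8.2 site-to-site configuration, using the addresses from the question; the peer address, ISAKMP policy values, crypto map sequence number and pre-shared key are assumed placeholders and must match what the other company configured.

```cisco
! ASA 8.2 site-to-site VPN with static policy NAT (added example, not the
! thread's own config). Assumed: Remote_WAN_IP and PRE_SHARED_KEY_PLACEHOLDER
! are placeholders, ISAKMP policy 10 and crypto map sequence 4 are arbitrary,
! transform-set name is the one used earlier in the thread.

! 1. Policy ACL: only traffic from our server to their server is translated.
access-list policy_nat extended permit ip host 192.168.0.11 host 10.50.106.41

! 2. Static policy NAT: bidirectional, one-to-one, no port translation.
!    Outbound 192.168.0.11 -> 10.50.106.41 leaves as 172.16.66.33;
!    inbound 10.50.106.41 -> 172.16.66.33 is un-NATed back to 192.168.0.11.
static (inside,outside) 172.16.66.33 access-list policy_nat

! 3. Crypto ACL references the translated address, because NAT is applied
!    before the crypto map is evaluated on the outbound path.
access-list VPN extended permit ip host 172.16.66.33 host 10.50.106.41

! 4. IKE phase 1 and IPsec phase 2 (values assumed; match the peer's settings).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 4 match address VPN
crypto map outside_map 4 set pfs group5
crypto map outside_map 4 set peer Remote_WAN_IP
crypto map outside_map 4 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside

tunnel-group Remote_WAN_IP type ipsec-l2l
tunnel-group Remote_WAN_IP ipsec-attributes
 pre-shared-key PRE_SHARED_KEY_PLACEHOLDER

! Caveats: on 8.2 a NAT exemption (nat 0 access-list ...) that matches this
! flow is evaluated before the static and would send the untranslated
! 192.168.0.11, so make sure none does; also remove the earlier nat/global
! PAT rules for this flow so only the static applies.
! Verification from enable mode:
!   packet-tracer input inside icmp 192.168.0.11 8 0 10.50.106.41
!   show xlate | include 172.16.66.33
!   show crypto ipsec sa peer Remote_WAN_IP
```

The packet-tracer output should show the NAT phase rewriting the source to 172.16.66.33 and the VPN phase matching access-list VPN; if the VPN phase is skipped, the crypto ACL or a NAT exemption is the first thing to check.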
 
LVL 1

Author Closing Comment

by:fkoyer
ID: 36558834
Because I solved it with the help of a Cisco engineer.
