Solved

Cisco ASA VPN with address translation

Posted on 2011-09-07
Last Modified: 2012-05-12
We have a Cisco ASA 5505 Security Appliance. We are trying to set up a site-to-site VPN with another company. Normally this wouldn't be a problem, but the LAN subnet that we are using conflicts with another one of their VPNs, so we have to translate our server's IP address to a different address before sending it over the VPN. I have tried setting up a static policy NAT to do the trick, but the VPN is not coming up. Here is the info:

Our ASA's LAN IP: 192.168.0.1
Our Server they need to access: 192.168.0.11
The IP they want us to translate to: 172.16.66.33
The IP address of their server: 10.50.106.41

We don't have a problem connecting to their subnet but they cannot connect to our 192.168.0.0/24 subnet because it overlaps with another one of their clients. So we just need to translate 192.168.0.11 to 172.16.66.33 on our side of the VPN.

I hope that makes sense. Can someone provide a working example? We can use the CLI or ASDM.

Thanks
Kent
Question by:fkoyer
9 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36500572
I don't have a working example for 8.3 and later, but this is what the relevant parts looked like on 8.2:

access-list nat-194 extended permit ip 10.0.0.0 255.0.0.0 host 10.192.12.20
nat (inside) 2 access-list nat-194
global (outside) 2 10.194.66.42

access-list VPN extended permit ip host 10.194.66.42 host 10.192.12.20

crypto map outside_map 10 match address VPN
crypto map outside_map 10 set peer 1.2.3.4

There are other parts of the crypto config (ISAKMP, transform-set, etc.) that aren't shown.
 
LVL 1

Author Comment

by:fkoyer
ID: 36505513
I am on 8.2. I tried your suggestion, but it is still not working. Maybe I did something wrong. Here are the commands I tried:

access-list nat-194 extended permit ip host 192.168.0.11 host 10.50.106.41
nat (inside) 2 access-list nat-194
global (outside) 2 172.16.66.33
access-list VPN extended permit ip host 172.16.66.33 host 10.50.106.41

crypto map outside_map 4 match address VPN
crypto map outside_map 4 set pfs group5
crypto map outside_map 4 set peer Remote_WAN_IP
crypto map outside_map 4 set transform-set ESP-AES-256-SHA


When I ran the global command, I got this message:
INFO: Global 172.16.66.33 will be Port Address Translated

But I don't want to translate the port addresses, just the IP addresses.

Any other ideas?

Thanks
Kent

 
LVL 18

Expert Comment

by:jmeggers
ID: 36506050
The message you're seeing is standard when you translate to a single address.  It just means that the single address of 172.16.66.33 will be used (as opposed to a pool or range of addresses), and individual connections will be port-address translated to different ports (1024 to 65535) on that same IP address.  It's the same as would happen if you were NATing all your internal addresses to the single address on the outside interface, and the message is the same as you would see then.

What you did looks OK to me at first glance.  Let me try to re-state in English and you can tell me if what I'm describing is what you're actually trying to do.  You have a host 192.168.0.11 that needs to talk to destination 10.50.106.41.  But you need to NAT that communication so traffic arrives at the remote host showing a NATed source address of 172.16.66.33.  VPN encryption happens after translation, so the ACL for encryption shows the NATed address as the source of the traffic and the destination staying the same.  Sound correct?

Can you tell me what is not working? Are translations not happening (show xlate)?  Does the VPN tunnel not come up (have you sent interesting traffic?)?  Let me know more about what you're seeing and we can try to troubleshoot.
 
LVL 1

Author Comment

by:fkoyer
ID: 36506334
What you've stated sounds correct. I would like to add that the remote host at 10.50.106.41 also needs to initiate connections to 172.16.66.33 which will be encrypted and then un-NAT'ed on our end so the traffic will be destined for 192.168.0.11. That is why I don't think the PAT translation will work unless there is a way to control which ports get mapped to which ports.

The VPN is not coming up. I've tried running a packet trace from within ASDM (Configuration > Firewall > NAT Rules > Packet Trace). It appears that the address translation is happening, but then the traffic doesn't match the VPN access-list (or isn't being checked after being NAT'ed). I am running a continuous ping from 192.168.0.11 to 10.50.106.41 to generate interesting traffic.

The output from show xlate is long because of lots of people surfing the Internet but I think this is the interesting bit:

Global 172.16.66.33 Local BSP-SQL

Where BSP-SQL is an alias for 192.168.0.11. Let me know what else you need.

Thanks
Kent
 
LVL 1

Accepted Solution

by:
fkoyer earned 0 total points
ID: 36540274
I was able to get a Cisco engineer on the phone. The solution is to create a static policy NAT like this:


access-list policy_nat extended permit ip host 192.168.0.11 host 10.50.106.41
static (inside,outside) 172.16.66.33 access-list policy_nat

The access-list for the VPN should reference the translated source IP address.

I hope this helps somebody else in the future.

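As an added illustration (not part of the thread, and not Cisco code): a small Python model of the order of operations jmeggers describes in his 8.2 example and in his follow-up (translate first, then match the crypto map ACL). It shows why the crypto ACL must reference the translated source, why the one-way nat/global PAT attempt cannot accept a connection initiated from 10.50.106.41, and why the accepted static policy NAT can. Class and function names are hypothetical; ports are ignored.

```python
from dataclasses import dataclass, field

@dataclass
class Asa82PolicyNat:
    """Toy model of the ASA 8.2 packet path for one policy-NAT rule (assumed, not Cisco code).
    rule = (local_ip, remote_ip, global_ip). static=True models 'static (inside,outside)
    <global> access-list <acl>' (bidirectional). static=False models 'nat (inside) 2
    access-list' + 'global (outside) 2', which builds an xlate only when inside starts it."""
    rule: tuple
    static: bool
    crypto_acl: list                          # (src, dst) pairs in POST-NAT addresses
    xlates: set = field(default_factory=set)  # (local, remote) pairs with a live xlate

    def outbound(self, src, dst):
        """Inside -> outside: NAT is applied first, then the crypto map ACL is checked."""
        local, remote, glob = self.rule
        if (src, dst) == (local, remote):
            src = glob                        # PAT would also rewrite the source port
            self.xlates.add((local, remote))
        return (src, dst), (src, dst) in self.crypto_acl

    def inbound(self, src, dst):
        """Decrypted packet from the peer: crypto ACL checked mirrored, then un-NAT.
        Returns the post-NAT (src, dst), or None where the ASA would drop the packet."""
        local, remote, glob = self.rule
        if (dst, src) not in self.crypto_acl:
            return None                       # not interesting traffic for this tunnel
        if (src, dst) != (remote, glob):
            return (src, dst)                 # rule does not apply; pass through unchanged
        if self.static or (local, remote) in self.xlates:
            return (src, local)               # static: always un-NATs; PAT: replies only
        return None                           # PAT: no xlate for a remote-initiated flow

# Addresses from the thread; the working crypto ACL references the translated source.
RULE = ("192.168.0.11", "10.50.106.41", "172.16.66.33")
GOOD_ACL = [("172.16.66.33", "10.50.106.41")]
WRONG_ACL = [("192.168.0.11", "10.50.106.41")]   # pre-NAT source: never matches after NAT

def compare():
    """Run the three configurations the thread walks through and collect the outcomes."""
    wrong = Asa82PolicyNat(RULE, True, WRONG_ACL)
    pat = Asa82PolicyNat(RULE, False, GOOD_ACL)
    static = Asa82PolicyNat(RULE, True, GOOD_ACL)
    return {
        "wrong_acl_outbound_matches": wrong.outbound("192.168.0.11", "10.50.106.41")[1],
        "pat_outbound": pat.outbound("192.168.0.11", "10.50.106.41"),
        "pat_reply_unnat": pat.inbound("10.50.106.41", "172.16.66.33"),
        "pat_remote_initiated": Asa82PolicyNat(RULE, False, GOOD_ACL).inbound("10.50.106.41", "172.16.66.33"),
        "static_remote_initiated": static.inbound("10.50.106.41", "172.16.66.33"),
    }
```

Calling compare() shows the ping from 192.168.0.11 matching the tunnel only with the post-NAT ACL, and a connection opened by 10.50.106.41 reaching 192.168.0.11 only under the static rule.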
 
LVL 1

Author Closing Comment

by:fkoyer
ID: 36558834
Because I solved it with the help of a Cisco engineer.
