Solved

Cisco ASA VPN with address translation

Posted on 2011-09-07
Last Modified: 2012-05-12
We have a Cisco ASA 5505 Security Appliance. We are trying to set up a Site-to-site VPN with another company. Normally this wouldn't be a problem but the LAN Subnet that we are using conflicts with another one of their VPNs so we have to translate our server's IP address to a different address before sending it over the VPN. I have tried setting up a static policy NAT to do the trick but the VPN is not coming up. Here is the info:

Our ASA's LAN IP: 192.168.0.1
Our Server they need to access: 192.168.0.11
The IP they want us to translate to: 172.16.66.33
The IP address of their server: 10.50.106.41

We don't have a problem connecting to their subnet but they cannot connect to our 192.168.0.0/24 subnet because it overlaps with another one of their clients. So we just need to translate 192.168.0.11 to 172.16.66.33 on our side of the VPN.

I hope that makes sense. Can someone provide a working example? We can use the CLI or ASDM.

Thanks
Kent
Question by:fkoyer

Expert Comment

by:jmeggers
ID: 36500572
I don't have a working example for 8.3 and later, but this is what the relevant parts looked like on 8.2:

access-list nat-194 extended permit ip 10.0.0.0 255.0.0.0 host 10.192.12.20
nat (inside) 2 access-list nat-194
global (outside) 2 10.194.66.42

access-list VPN extended permit ip host 10.194.66.42 host 10.192.12.20

crypto map outside_map 10 match address VPN
crypto map outside_map 10 set peer 1.2.3.4

There are other parts of the crypto config (ISAKMP, transform-set, etc.) that aren't shown.

Author Comment

by:fkoyer
ID: 36505513
I am on 8.2. I tried your suggestion but it is still not working. Maybe I did something wrong. Here are the commands I tried

access-list nat-194 extended permit ip host 192.168.0.11 host 10.50.106.41
nat (inside) 2 access-list nat-194
global (outside) 2 172.16.66.33
access-list VPN extended permit ip host 172.16.66.33 host 10.50.106.41

crypto map outside_map 4 match address VPN
crypto map outside_map 4 set pfs group5
crypto map outside_map 4 set peer Remote_WAN_IP
crypto map outside_map 4 set transform-set ESP-AES-256-SHA


When I ran the global command, I got this message
INFO: Global 172.16.66.33 will be Port Address Translated

But I don't want to translate the port addresses, just the IP addresses.

Any other ideas?

Thanks
Kent


Expert Comment

by:jmeggers
ID: 36506050
The message you're seeing is standard when you translate to a single address.  It just means that the single address of 172.16.66.33 will be used (as opposed to a pool or range of addresses), and individual connections will be port-address translated to different ports (1024 to 65535) on that same IP address.  It's the same as would happen if you were NATing all your internal addresses to the single address on the outside interface, and the message is the same as you would see then.

What you did looks OK to me at first glance.  Let me try to re-state in English and you can tell me if what I'm describing is what you're actually trying to do.  You have a host 192.168.0.11 that needs to talk to destination 10.50.106.41.  But you need to NAT that communication so traffic arrives at the remote host showing a NATed source address of 172.16.66.33.  VPN encryption happens after translation, so the ACL for encryption shows the NATed address as the source of the traffic and the destination staying the same.  Sound correct?

Can you tell me what is not working? Are translations not happening (show xlate)?  Does the VPN tunnel not come up (have you sent interesting traffic?)?  Let me know more about what you're seeing and we can try to troubleshoot.

Author Comment

by:fkoyer
ID: 36506334
What you've stated sounds correct. I would like to add that the remote host at 10.50.106.41 also needs to initiate connections to 172.16.66.33 which will be encrypted and then un-NAT'ed on our end so the traffic will be destined for 192.168.0.11. That is why I don't think the PAT translation will work unless there is a way to control which ports get mapped to which ports.

The VPN is not coming up. I've tried running a packet trace from within ASDM (Configuration > Firewall > NAT Rules > Packet Trace). It appears that the address translation is happening but then the traffic doesn't match the VPN access-list (or isn't being checked after being NAT'ed). I am running a continuous ping from 192.168.0.11 to 10.50.106.41 to generate interesting traffic.

The output from show xlate is long because of lots of people surfing the Internet but I think this is the interesting bit:

Global 172.16.66.33 Local BSP-SQL

Where BSP-SQL is an alias for 192.168.0.11. Let me know what else you need.

Thanks
Kent

Accepted Solution

by:fkoyer (earned 0 total points)
ID: 36540274
I was able to get a Cisco engineer on the phone. The solution is to create a static policy NAT like this:


access-list policy_nat extended permit ip host 192.168.0.11 host 10.50.106.41
static (inside,outside) 172.16.66.33 access-list policy_nat

The access-list for the VPN should reference the translated source IP address.

I hope this helps somebody else in the future.

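The accepted answer written out as a complete ASA 8.2 configuration. This is an added example, not the thread's own config and not what the Cisco engineer dictated: it combines the policy static NAT from the post, the crypto ACL written against the translated address, and the Phase 1/Phase 2 pieces the thread left out. The interface names inside/outside, the peer address 203.0.113.10 (a documentation address standing in for Remote_WAN_IP), the ISAKMP policy values and the transform-set are assumptions that must be matched to the other company's side; the pre-shared key is a placeholder.

```cisco
! Added example (not from the thread). ASA 8.2: site-to-site VPN in which
! 192.168.0.11 is presented to the peer as 172.16.66.33, and the peer can
! also initiate connections to 172.16.66.33.
! Assumed: interfaces named inside/outside, peer 203.0.113.10, values below.

! 1. Policy static NAT. Only traffic between the server and the remote host
!    is translated, and "static" is bidirectional, unlike the nat/global pair,
!    which is one-way PAT and cannot accept peer-initiated connections.
access-list policy_nat extended permit ip host 192.168.0.11 host 10.50.106.41
static (inside,outside) 172.16.66.33 access-list policy_nat

! 2. Interesting-traffic ACL. NAT runs before encryption, so this ACL must
!    name the translated source, not 192.168.0.11.
access-list VPN extended permit ip host 172.16.66.33 host 10.50.106.41

! 3. Phase 1 (assumed values; the peer must use the same).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-SHARED-SECRET

! 4. Phase 2 and the crypto map entry, bound to the outside interface.
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 4 match address VPN
crypto map outside_map 4 set pfs group5
crypto map outside_map 4 set peer 203.0.113.10
crypto map outside_map 4 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside

! 5. Check: if a NAT exemption (nat (inside) 0 access-list ...) exists for
!    other VPN traffic, its ACL must NOT match 192.168.0.11 -> 10.50.106.41.
!    Exemption is evaluated before static NAT in 8.2, so a match would send
!    the untranslated address into the crypto check, where it fails the VPN ACL.

! Verification without sending traffic, then the live state:
packet-tracer input inside icmp 192.168.0.11 8 0 10.50.106.41
show xlate | include 172.16.66.33
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10
```

The peer's crypto ACL has to mirror this one exactly (permit ip host 10.50.106.41 host 172.16.66.33); a proxy-ID mismatch is the usual reason Phase 2 never completes and the tunnel "does not come up" even though translations show in show xlate. Because the static is bidirectional, connections that 10.50.106.41 initiates to 172.16.66.33 are decrypted and then un-translated to 192.168.0.11, and with the default sysopt connection permit-vpn they bypass the outside interface ACL. Keep the policy_nat ACL as narrow as the business need (a single host pair here, and specific ports if only SQL is required) so the tunnel exposes nothing more than intended.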

Author Closing Comment

by:fkoyer
ID: 36558834
Because I solved it with the help of a Cisco engineer.
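For readers on ASA 8.3 or later, where the nat/global and static commands were removed, the same policy translation in object-based twice NAT. This is an added example, not from the thread; it uses the 8.4 IKEv1 keywords (8.3 still spells these crypto isakmp and set transform-set). The interface names inside/outside, the peer address 203.0.113.10 standing in for Remote_WAN_IP, the object names and the policy values are assumptions; the pre-shared key is a placeholder.

```cisco
! Added example (not from the thread). ASA 8.4+: twice NAT so that
! 192.168.0.11 appears to the peer as 172.16.66.33, only when talking to
! 10.50.106.41, and the peer may initiate toward 172.16.66.33.
! Assumed: interfaces inside/outside, peer 203.0.113.10, values below.

object network SRV-REAL
 host 192.168.0.11
object network SRV-MAPPED
 host 172.16.66.33
object network PEER-HOST
 host 10.50.106.41

! Manual (twice) NAT rules are evaluated in order. Put this line ABOVE any
! broader identity/exempt rule for other VPN traffic, or the broader rule
! wins and the server leaves untranslated.
nat (inside,outside) 1 source static SRV-REAL SRV-MAPPED destination static PEER-HOST PEER-HOST

! Interface ACLs in 8.3+ use real addresses, but the crypto ACL does not:
! NAT still runs before encryption, so it matches the MAPPED source.
access-list VPN extended permit ip object SRV-MAPPED object PEER-HOST

! Phase 1 (assumed values; match the peer).
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-SHARED-SECRET

! Phase 2 and the crypto map.
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 4 match address VPN
crypto map outside_map 4 set pfs group5
crypto map outside_map 4 set peer 203.0.113.10
crypto map outside_map 4 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside

! Verification: rule order and hit counts, then the simulated outbound packet.
show nat detail
packet-tracer input inside icmp 192.168.0.11 8 0 10.50.106.41
```

In the packet-tracer output the NAT phase should show SRV-REAL becoming 172.16.66.33 and the VPN phase should report the packet as encrypted; if the VPN phase is absent, the ACL is matching the wrong (real) address or a higher-numbered NAT rule caught the flow first. As with the 8.2 version, the peer's crypto ACL must be the exact mirror (10.50.106.41 to 172.16.66.33), and the translation rule should stay scoped to the single host pair so the tunnel cannot be used to reach anything else on 192.168.0.0/24.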