Mike
asked on
Cisco ASA Site to Site VPN with NAT-PAT
Need help configuring an IPsec site-to-site VPN tunnel between two sites. The requirement is that I have to NAT my whole local subnet (e.g. 10.1.1.0/24) to a single IP (e.g. 172.16.0.50/32) and send it through the tunnel to the remote traffic (e.g. 10.2.2.0/24). Please see the attached diagram for details.
I am OK setting up an IPsec site-to-site tunnel using the wizard between local network 10.1.1.0/24 and remote network 10.2.2.0/24. But this specific remote site requires that we NAT all of our local network to a single private IP and send it over the tunnel... as they will only accept traffic from this NATed single private IP (172.16.0.50/32).
Cisco ASA 8.x
Drawing1.PNG
ASKER
I have to do a similar setup at two different sites; the ASAs are running versions 8.3 and 9.0.
I kind of got it working at the site that is running version 9.0,
but 8.3 is still an issue; knowing the proper way of doing NAT on both 8.3 and 9.0 (if there is any difference) for VPN traffic would be helpful. Thx.
8.3 and 9.0 are fundamentally the same.
Your [no]NAT statements probably look something like:
nat (inside,outside) source static LOCAL LOCAL destination static VPN VPN
nat (outside,inside) source static VPN VPN destination static LOCAL LOCAL
Which means do not NAT anything from LOCAL to VPN.
To NAT across the tunnel, you should have these statements:
object network NAT_VPN
 host 172.16.0.50
object-group network LOCAL
 network-object 10.1.1.0 255.255.255.0
object-group network VPN
 network-object 10.2.2.0 255.255.255.0
nat (inside,outside) source static LOCAL NAT_VPN destination static VPN VPN
nat (outside,inside) source static VPN VPN destination static NAT_VPN LOCAL
And your access list identifying interesting crypto traffic should be between 10.2.2.0/24 and 172.16.0.50/32.
ASKER
Thanks Jan!
This one (http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/) kind of helped point me in the right direction to get 9.0 working, but 8.3 didn't work for me..
Finally, the following configuration is currently working for me in 8.3. I didn't use the "outside,inside" rule and needed to use the "no-nat" as well. I am still trying to figure out why this works and whether it would break.... would you know why? Did I configure it wrong/right, or is it working by fluke?
nat (inside,outside) source dynamic LOCAL NAT_VPN destination static VPN VPN
>> Source is set to dynamic not static
nat (outside,inside) source static VPN VPN destination static NAT_VPN LOCAL
>> Not using this (or not added)
nat (inside,outside) source static NAT_VPN NAT_VPN destination static VPN VPN
>> Keeping the no-NAT (between VPN & NAT_VPN)
access-list outside_##_cryptomap_1 extended permit ip object NAT_VPN object VPN
crypto map outside_map ## match address outside_18_cryptomap_1
crypto map outside_map ## set pfs group5
crypto map outside_map ## set peer 7.7.7.7
crypto map outside_map ## set transform-set ESP-AES-256-SHA
tunnel-group 7.7.7.7 type ipsec-l2l
tunnel-group 7.7.7.7 ipsec-attributes
 pre-shared-key ********
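To make the two NAT directions and the crypto ACL discussed above concrete, here is a constructed Python model of how the ASA evaluates a twice-NAT (manual NAT) rule and then the crypto map against the already-translated packet. It is an added teaching example for this page, not ASA code and not anything Jan or the asker posted. It uses the object names from Jan's answer (LOCAL, VPN, NAT_VPN) and the asker's working "source dynamic" PAT rule; the port allocation and xlate table are simplified assumptions, and non-matching traffic is simply passed through untouched rather than hitting further NAT rules.

```python
"""Constructed model of ASA twice NAT + crypto-ACL matching (teaching example).

Models:  nat (inside,outside) source dynamic LOCAL NAT_VPN destination static VPN VPN
         access-list <crypto> extended permit ip object NAT_VPN object VPN
The key point: the ASA applies NAT before the crypto map is consulted, so the
interesting-traffic ACL must name the mapped address 172.16.0.50, not 10.1.1.0/24.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Tuple

# Object definitions taken from the thread.
LOCAL = ip_network("10.1.1.0/24")       # object-group network LOCAL
VPN = ip_network("10.2.2.0/24")         # object-group network VPN
NAT_VPN = ip_address("172.16.0.50")     # object network NAT_VPN (host)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class TwiceNatPat:
    """One 'source dynamic <real> <mapped> destination static <dst> <dst>' rule
    plus the xlate (translation) table the firewall builds for it. Assumed model."""
    real_src: IPv4Network
    mapped_src: IPv4Address
    dst: IPv4Network
    next_port: int = 1024                                   # assumed PAT port pool start
    xlates: Dict[int, Tuple[str, int]] = field(default_factory=dict)  # mapped port -> (real ip, real port)

    def outbound(self, pkt: Packet) -> Packet:
        """inside -> outside. Only traffic from LOCAL *to VPN* is PATed to NAT_VPN;
        anything else is returned unchanged (a real ASA would try its other NAT rules)."""
        if ip_address(pkt.src) not in self.real_src or ip_address(pkt.dst) not in self.dst:
            return pkt
        key = (pkt.src, pkt.sport)
        for mport, real in self.xlates.items():             # reuse an existing xlate
            if real == key:
                break
        else:                                               # otherwise allocate a new PAT port
            mport = self.next_port
            self.next_port += 1
            self.xlates[mport] = key
        return Packet(str(self.mapped_src), mport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """outside -> inside. Return traffic is untranslated via the xlate table.
        None means no xlate exists: dynamic PAT gives the remote side no way to
        initiate a connection to 172.16.0.50, which is the trade-off versus static NAT."""
        if ip_address(pkt.dst) != self.mapped_src or ip_address(pkt.src) not in self.dst:
            return None
        real = self.xlates.get(pkt.dport)
        if real is None:
            return None
        return Packet(pkt.src, pkt.sport, real[0], real[1])


def crypto_acl_matches(pkt: Packet) -> bool:
    """'permit ip object NAT_VPN object VPN', evaluated on the post-NAT packet."""
    return ip_address(pkt.src) == NAT_VPN and ip_address(pkt.dst) in VPN


def pre_nat_acl_matches(pkt: Packet) -> bool:
    """The tempting but wrong crypto ACL 'permit ip object-group LOCAL object-group VPN'."""
    return ip_address(pkt.src) in LOCAL and ip_address(pkt.dst) in VPN


def demo():
    nat = TwiceNatPat(LOCAL, NAT_VPN, VPN)
    out = nat.outbound(Packet("10.1.1.5", 40000, "10.2.2.10", 443))   # host -> remote site
    back = nat.inbound(Packet("10.2.2.10", 443, out.src, out.sport))  # reply from remote site
    unsolicited = nat.inbound(Packet("10.2.2.10", 5555, "172.16.0.50", 9999))  # no xlate
    internet = nat.outbound(Packet("10.1.1.5", 40001, "8.8.8.8", 53))  # dst not in VPN
    return out, back, unsolicited, internet


if __name__ == "__main__":
    out, back, unsolicited, internet = demo()
    print("translated:", out, "crypto ACL:", crypto_acl_matches(out), "pre-NAT ACL:", pre_nat_acl_matches(out))
    print("untranslated reply:", back)
    print("unsolicited inbound:", unsolicited)
    print("non-VPN traffic untouched:", internet, "crypto ACL:", crypto_acl_matches(internet))
```

Running it shows the outbound packet leaving as 172.16.0.50 towards 10.2.2.10, matching the NAT_VPN/VPN crypto ACL but not an ACL written in terms of 10.1.1.0/24, the reply being mapped back to 10.1.1.5:40000 through the xlate, and a connection the remote side initiates towards 172.16.0.50 having no xlate to land on.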
There were huge NAT changes in 8.3.
What version are you running?