VPN L2L ASA with NAT

Hello, I was hoping someone might have an example of a site-to-site VPN configuration where the ASA is statically NATting its internal network. Basically the same configuration as this one, but instead of "no NAT", the ASA is NATting. So instead of the remote site connecting to the local network 10.10.10.0/24, the ASA would NAT it to 172.16.17.0/24, for example.

http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

Thank you.

Mike

It's not very complicated, just keep in mind that NAT is done before the encryption.

So if you NAT your internal network 10.10.10.0/24 to 172.16.17.0/24:

static (inside,outside) 172.16.17.0 10.10.10.0 netmask 255.255.255.0

You can use the translated address in your crypto ACL:

access-list VPN-REMOTE permit ip 172.16.17.0 255.255.255.0 REMOTE-NET 255.255.255.0

I suppose that you run ASA v8.3 + that you referred to an older document. If you have more recent software, the logic is the same but the NAT commands differ.

Sent from Cisco Technical Support iPad App
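
The point made in the answer above (NAT runs before encryption, so the crypto ACL must match the translated source) as an added configuration example that is not part of the original post. The remote LAN 192.168.50.0/24, the peer 203.0.113.10 and every ACL, object and crypto map name are constructed for illustration; the IKE policy, transform set and tunnel-group are assumed to exist already.

```cisco
! Added example, not from the thread. Constructed values: remote LAN
! 192.168.50.0/24, peer 203.0.113.10, and the names POLICY-NAT, LOCAL-REAL,
! LOCAL-MAPPED, REMOTE-NET, VPN-REMOTE and L2L-MAP.

! --- Option A: ASA 8.2 and earlier, policy static NAT ---
! Translates 10.10.10.0/24 to 172.16.17.0/24 only for traffic to the remote LAN,
! so Internet-bound traffic keeps its normal translation.
access-list POLICY-NAT extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
static (inside,outside) 172.16.17.0 access-list POLICY-NAT

! --- Option B: ASA 8.3 and later, twice NAT (use instead of option A) ---
object network LOCAL-REAL
 subnet 10.10.10.0 255.255.255.0
object network LOCAL-MAPPED
 subnet 172.16.17.0 255.255.255.0
object network REMOTE-NET
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static LOCAL-REAL LOCAL-MAPPED destination static REMOTE-NET REMOTE-NET

! --- Crypto ACL, same for both options ---
! Wrong: written on the real source. By the time the crypto map is evaluated
! the source is already 172.16.17.x, so nothing matches and traffic leaves
! unencrypted or is dropped.
!   access-list VPN-REMOTE extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
! Correct: written on the translated source.
access-list VPN-REMOTE extended permit ip 172.16.17.0 255.255.255.0 192.168.50.0 255.255.255.0

crypto map L2L-MAP 10 match address VPN-REMOTE
crypto map L2L-MAP 10 set peer 203.0.113.10
crypto map L2L-MAP interface outside

! --- Checks ---
! The trace should show a NAT phase rewriting the source to 172.16.17.5,
! followed by a VPN encrypt phase:
!   packet-tracer input inside icmp 10.10.10.5 8 0 192.168.50.5 detailed
! The SA's local ident should read 172.16.17.0/255.255.255.0, not 10.10.10.0:
!   show crypto ipsec sa peer 203.0.113.10
```

The remote peer's crypto ACL has to mirror this one, with 172.16.17.0/24 as its destination, or Phase 2 will fail on mismatched proxy identities.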


Similar Questions

  • VPN IPSec ASA with two ISP active

    Hi ALL!

    I have a question.

    So I have ASA with 9.2(1) SW connected to ISP with active SLA.

    I need to configure redundant IPSec VPN via ISP2, while all other traffic must go through isp1. If one of the ISPs goes down, all traffic including VPN must be routed via the ISP that is still alive.

    I have configured SLA and it works.

    ciscoasa# show run route
    route isp1 0.0.0.0 0.0.0.0 10.175.2.5 5 track 1
    route isp2 0.0.0.0 0.0.0.0 10.175.3.5 10 track 2
    route isp2 172.22.10.5 255.255.255.255 10.175.3.5 1 track 2

    Here we can see that if isp1 and isp2 are UP, all traffic passes through isp1, but traffic destined for the remote IPSec peer 172.22.10.5 goes via isp2.

    This configuration works only when isp1 or isp2 is down, or if the static route for 172.22.10.5 is deleted. When both ISPs are up, the ASA does not send IPSec datagrams to the remote peer.

    ciscoasa# show run nat
    nat (inside,isp2) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp route-lookup
    nat (inside,isp1) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp route-lookup

    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto map cm_vpnc 10 match address acl_vpn
    crypto map cm_vpnc 10 set pfs
    crypto map cm_vpnc 10 set peer 172.22.10.5
    crypto map cm_vpnc 10 set ikev1 transform-set ESP-AES-256-SHA
    crypto map cm_vpnc 10 set security-association lifetime seconds 86400
    crypto map cm_vpnc interface isp1
    crypto map cm_vpnc interface isp2
    crypto ca trustpool policy
    crypto ikev1 enable isp1
    crypto ikev1 enable isp2
    crypto ikev1 policy 1
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400

    ciscoasa# show ip
    System IP Addresses:
    Interface Name IP address Subnet mask Method
    Vlan1 inside 192.168.2.1 255.255.255.0 CONFIG
    Vlan2 isp1 10.175.2.10 255.255.255.0 CONFIG
    Vlan3 isp2 10.175.3.10 255.255.255.0 CONFIG

    The main question is: why?

    Thank you in advance,

    Anton

    Hi Anton,

    If you check the log messages on your ASA R301-IS, it is trying to build the VPN tunnel with both IPs, and it receives packets asymmetrically from your remote ciscoasa.

    To avoid this asymmetric connection, set your peer IPs as primary and secondary on your R301-EAST:

    set peer 10.175.3.10 10.175.2.10

    Remove the track from your routing entry:

    route isp2 172.22.10.5 255.255.255.255 10.175.3.5

    This should work for you.

    Similarly, when you bring down your ISP 2, you should see the VPN tunnel come up via isp1.

    HTH

    Sandy

  • Dynamic IP address of the remote VPN L2L ASA sites

    Hello

    I have a client who is changing their backup links from ADSL to 4G LTE using Cisco 819s.

    Unfortunately, the ISP's 4G access will have dynamic IP addressing. Online, I see configurations for a single remote site with a dynamic IP address talking to an ASA, but I can't find anything on several L2L sites with dynamic addressing connecting to the ASA.

    Can anyone help with configuration examples?

    Regards

    Richard

    Hi Richard,

    In the next few days I will also write a blog post on triple WAN failover using this configuration.

    Michael

  • Simple L2L VPN configuration to comply with security requirements

    Hello

    I have successfully set up an L2L connection between our side (5510, 7.2) and a 3rd party (SonicWall).

    Security requirements are such that our office users (contractors) may connect to various devices at the 3rd party, BUT nothing at the 3rd party may connect to anything at our office.

    I tried an outbound ACL on the inside interface (access-group L2L-RESTRICT out interface inside). But the funny thing is that I'm getting hits on the deny statements in the ACL, although tests show no problems connecting to multiple hosts at our site from the 3rd party. My ACL config looks like the following:

    <..snip..>

    access-list L2L-RESTRICT remark * ATTENTION * WITH CAUTION - RESTRICTIONS ON 3rd PARTY L2L VPN

    access-list L2L-RESTRICT extended permit icmp 192.168.16.0 255.255.255.0 10.180.21.0 255.255.255.0 echo-reply

    access-list L2L-RESTRICT extended deny ip 192.168.16.0 255.255.255.0 any log

    access-list L2L-RESTRICT remark >NOTE< LAST LINE *MUST* BE PERMIT ANY ANY

    access-list L2L-RESTRICT extended permit ip any any

    !

    access-group L2L-RESTRICT out interface inside

    <..snip..>

    Their network is obviously 192.168.16.x and they won't be able to use a different source VLAN, as the "interesting traffic" ACL won't allow it. So that sounds good in theory.

    Do I have it configured correctly? Is there a better way?

    Thanks in advance,

    Mike

    Mike,

    It seems that you might be able to assign a VPN ACL filter via a group policy assigned to each L2L tunnel. I have never done this personally before, but it looks like it would work...

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#configs

  • ASA L2L VPN design question

    We expect to have more than 10,000 remote L2L VPN clients.

    I see that each crypto map needs a 'set peer' statement, and the IP address is the address of the remote L2L VPN peer.

    :

    EX:

    crypto map UNI-POP 3 set peer 172.23.0.3

    : . . .

    crypto map UNI-POP 10000 set peer 172.26.0.250

    :

    I already feel that this will be a VERY long config, maybe too big to save/read from memory.

    :

    Would anyone have a better approach?

    Thank you

    Frank

    Frank,

    If the remote end will run only from time to time, you should not have set peer statements, and normally it would suffice to have a dynamic crypto map.

    If the remote ends do not support certificates, it is possible to land on the DefaultL2LGroup tunnel-group.

    bsns-asa5505-19# sh run all tunnel-group

    tunnel-group DefaultL2LGroup type ipsec-l2l

    tunnel-group DefaultL2LGroup general-attributes

    (...)

    You need to test yourself to see if it will work.

    I also agree in terms of more than one firewall. With two devices in load balancing, or if possible 2 pairs of devices in failover, clustering could be a great way to have a decent load per machine and equipment redundancy (ideal circumstances ;]). I suggest you ping your systems engineer for any deployment involving 5585; those guys can usually give good advice (and discounts ;]).

    Marcin

  • L2L VPN between ASA with public IP address and CISCO2911 behind ISP router with port forwarding

    Hi all

    My apologies if this is a trivial question, but I spent considerable time trying to search and had no luck.

    I encountered a problem trying to set up a temporary L2L VPN from a Subscriber with a CISCO2911 sitting behind the ISP's router to an ASA. The ISP has informed me that I can't bypass their device and terminate the Internet circuit on the Cisco for some reason, so I'm stuck with it. The setup is:

    company 10.1.17.1 - y.y.y.y - router Internet - z.z.z.z - ISP - LAN - 10.x.x.2 - XXX1 - ASA - 10.1.17.2 - CISCO2911 - 10.1.15.1 LAN

    where 10.x.x.x is the corporate LAN private network range, y.y.y.y is a public IP address assigned to the external interface of the ASA, and z.z.z.z is the public IP address of the ISP router.

    I have forwarded ports 500, 4500 and ESP on the ISP router to 10.1.17.2. The 2911 config is attached below; what I can't understand is what peer IP address to configure on the ASA, because if I use z.z.z.z it will cause an identity mismatch, as the 2911 identifies itself as 10.1.17.2...

    ! ^^^ ISAKMP (Phase 1) ^^^ !
    crypto isakmp policy 5
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key * address y.y.y.y no-xauth

    ! ^^^ IPSEC (Phase 2) ^^^ !
    ip access-list extended crymap
     permit ip 10.1.15.0 0.0.0.255 10.0.0.0 0.255.255.255
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map VPN-TUNNEL 1 ipsec-isakmp
     set peer y.y.y.y
     set transform-set ESP-3DES-SHA
     match address crymap

    interface Gi0/2
     crypto map VPN-TUNNEL

    Hello

    From the debug output, it seems it goes through the IPSEC states and the tunnel ends up at QM_IDLE.

    What I noticed in your ASA configuration is that you're using PFS, but not on the 2911 router.

    So I suggest:

    no crypto map OUTSIDE_map 4 set pfs <-- this will disable PFS on ASA

    Then try to initiate the tunnel.

    Kind regards

    Jan

  • L2TP VPN configuration on Cisco ASA with Internet issue on Windows/Mac machines

    Dear all,

    I have properly configured L2TP VPN on an ASA 5510 with IOS version 8.0(4).

    My Internet does not work when I connect using the VPN. Even if I set a proxy or DNS, or remove the proxy,

    it does not work. I can access only the resources behind the firewall. I use an extended access list.

    I also tried with a standard access list.

    Please suggest what the error might be.

    Thank you

    JV

    Split tunneling for an L2TP over IPSec tunnel is not configured on the head end (ASA); it must be configured on the client itself, in accordance with the following Microsoft article:

    http://TechNet.Microsoft.com/en-us/library/bb878117.aspx

  • ASA IPSec VPN with overlapping proxy IDs

    All,

    Currently I have a VPN from a single spoke ASA to a single hub ASA, so I set up my access lists so that the source is specific to the spoke (for example 192.168.1.0/24) and I use the keyword "any" for the destination. I need to add a few more VPN connections, so can I just add specific inside networks in addition to the "any" statement in the crypto map? See below.

    outside_10_cryptomap list extended access allowed object-group home-networks-networks another ip

    outside_20_cryptomap list of allowed ip extended access object-group network inside everything

    crypto map outside_map 10 match address outside_10_cryptomap

    crypto map outside_map 10 set peer 1.1.1.1

    crypto map outside_map 10 set transform-set ESP-3DES-MD5

    crypto map outside_map 20 match address outside_20_cryptomap

    crypto map outside_map 20 set peer 2.2.2.2

    crypto map outside_map 20 set transform-set ESP-3DES-MD5

    Gregory

    Now that I come to think of it, I remember a problem with less specific entries in the ACL coming before more specific entries.

    So it should work, but you must make sure that the most specific comes before the less specific, which you seem to have done with your config.

    Jon

  • VPN using ip with NAT outside

    I am trying to configure a tunnel linking our Cisco 5520 with a 5550, using one of our external IPs NATted through that tunnel. For some reason any traffic that should hit this tunnel goes through the global NAT. Here are the configs I have for this tunnel:

    access-list policy-nat extended permit ip host 66.77.88.170 host 1.2.3.4

    access-list Outside_cryptomap_60 extended permit ip inside-network 255.255.254.0 host 1.2.3.4

    access-list Outside_cryptomap_60 extended permit ip host 66.85.99.170 host 1.2.3.4

    global (outside) 1 66.77.88.135 netmask 255.255.255.192

    static (inside,outside) 66.77.88.170 access-list policy-nat

    crypto ipsec transform-set TRANSFORM_SET esp-3des esp-md5-hmac

    crypto map Outside_map 60 match address Outside_cryptomap_60

    crypto map Outside_map 60 set peer 200.200.200.200

    crypto map Outside_map 60 set transform-set TRANSFORM_SET

    tunnel-group 200.200.200.200 type ipsec-l2l

    tunnel-group 200.200.200.200 general-attributes

     default-group-policy site2site

    tunnel-group 200.200.200.200 ipsec-attributes

     pre-shared-key *

    If I ping 1.2.3.4 from an inside host, I see in the logs that it uses 66.77.88.136 as the NAT IP and not 66.77.88.170. Do you see something wrong with this configuration?

    You basically have the wrong ACLs in the wrong places.

    It should be as follows --->

    crypto map Outside_map 60 match address policy-nat

    crypto map Outside_map 60 set peer 200.200.200.200

    crypto map Outside_map 60 set transform-set TRANSFORM_SET

    access-list policy-nat extended permit ip host 66.77.88.170 host 1.2.3.4

    static (inside,outside) 66.77.88.170 access-list Outside_cryptomap_60

    access-list Outside_cryptomap_60 extended permit ip inside-network 255.255.254.0 host 1.2.3.4 ---> this ACL has no need of the 2nd line you have

  • ASA IPSec VPN with a peer with dynamic IP and certificates

    Hello!

    Could someone please give me a working ASA config for an ASA-to-ASA site-to-site IPSEC VPN with a peer with dynamic IP and certificate authentication?

    It works with PSK authentication. But the connection lands on DefaultRAGroup instead of DefaultL2LGroup with certificate authentication.

    What special config do I need for DefaultRAGroup to enable the connection?

    Thank you!

    The ASA uses parts of the client cert DN to perform a tunnel-group lookup to place the user in a group. When "peer-id-validate req" is defined the ASA also tries to compare the IKE ID (cert DN) with the actual cert DN (also received in IKE negotiation); if the comparison fails the connection fails. You could set "peer-id-validate cert" for the time being and the ASA will try to compare the values but allow the connection if it cannot.

    In general I would suggest using option "cert."

    With nocheck, we are simply not strict on the IKE ID matching the certificate, which is normally not a security problem :-)

  • IPSec VPN between ASAs with same subnet for disaster recovery

    Hello

    I need some clarification from you guys.

    We need to set up EasyVPN tunnels on Cisco ASA 5505 firewalls for a disaster recovery site. Currently there is one main site and 3 remote sites.

    The DR site must use the same subnet as the main site because VMware virtual machines will be replicated to DR.

    For the DR we use Double-Take software.

    What is the best solution for this? I think we could use destination NAT on the ASAs. Other sites (HQ and remote) will be directed only to the NAT address of the DR site and not the real one, which is the same as on the main site.

    So guys, will this work? We are using IPSec VPN. In packet-tracer on the ASA, I see that the packet is first NATted and then encrypted, so it should work, yes?

    I hope someone can confirm this.

    I can confirm that this will certainly work.

    For pre-8.3 NAT, see:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080b37d0b.shtml#diag

    For 8.3 and later it is also achievable.

  • MS CA for VPN L2L ASA

    What type of certificates should I be issuing to my ASA?

    Right now I'm issuing IPSEC (offline) and I don't know if it's the right kind.

    I have PKI working for mobile users, just not L2L.

    Yes,

    that can cause a failure.

    Put the command

    "ignore-ipsec-keyusage" under the CompanyTrustPoint.

    That should solve it.

  • VPN to ASA with ISE and Posture

    Hello

    I'm putting in a new installation of ISE. I want to install AnyConnect 4.1 and use ISE for authentication & posture validation. I'm OK with the authentication side of things.

    http://www.Cisco.com/c/en/us/support/docs/security/Adaptive-Security-app...

    Does this configuration apply to both AnyConnect 3.1 & 4.x?

    Any help would be appreciated.

    Thank you

    Hi Stuart,

    Yes - this configuration applies to both AC3 and AC4.

    The new feature in AC4 is the ability to deploy it directly from ISE:

    http://www.Cisco.com/c/en/us/support/docs/security/AnyConnect-secure-mob...

    But the posture itself works in a similar way.

    Thank you

    Michal

  • Migrating VPN 3000 Concentrator L2L VPNs to ASA

    Hello

    We are migrating 450 LAN-to-LAN VPNs from a VPN concentrator to an ASA5500. Is there a reasonable way to do it? If I remember correctly, the configuration file for the VPN concentrator is in XML, and it is not trivial to even read the config for each VPN. If it took, say, 15 minutes per VPN, that is estimated at about three man-weeks of work!

    Patrick,

    I hope the post below helps.

    http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&Forum=virtual%20Private%20Networks&topic=security&TopicId=.ee6b2b8&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cc1b2c5/6#selected_message

    Kind regards

    Arul

    * Please rate all helpful posts *

  • Policy NAT for VPN L2L

    Summary:

    We are trying to establish a two-way L2L VPN tunnel with a partner. VPN traffic is one-to-many towards our partner, and our partner needs many-to-one to us (they need to access a host on our network). In addition, our partner has many VPNs, so they force us to use a separate NAT with two private host addresses, one for each direction of the tunnel.

    My initial configuration of the tunnel brought up Phase 1 on my side, but not IPSec. The partner ran a debug that revealed that my host address was not NAT'd by the policy NAT. We use an ASA5520, ver 7.0.

    Here is the config:

    ## List of OUR hosts

    object-group network OURHosts

     network-object host 192.168.x.y

    ## List of PARTNER hosts

    object-group network PARTNERHosts

     network-object host 10.2.a.b

    ### ACL for NAT

    # Many-to-many outgoing

    access-list NAT2 extended permit ip object-group OURHosts object-group PARTNERHosts

    # One-to-many incoming

    access-list VIH3 extended permit ip host 192.168.c.d object-group PARTNERHosts

    ## NAT

    nat (INSIDE) 2 access-list NAT2

    nat (OUTSIDE) 2 172.20.n.0

    nat (INSIDE) 3 access-list VIH3

    nat (OUTSIDE) 3 172.20.n.1

    ## ACL for VPN

    access-list VPN extended permit ip object-group OURHosts object-group PARTNERHosts

    access-list VPN extended permit ip host 192.168.c.d object-group PARTNERHosts

    ## Tunnel

    tunnel-group type ipsec-l2l

    crypto map <#> match address VPN

    crypto map <#> set transform-set VPN

    crypto map <#> set peer

    I realize that the ACL for the VPN should read:

    access-list VPN extended permit ip host 172.20.n.0 object-group PARTNERHosts

    access-list VPN extended permit ip host 172.20.n.1 object-group PARTNERHosts

    ... if the NAT were working properly, but when this ACL is used, Phase 1 does not even negotiate, so I know the NAT is never translating.

    What am I missing to NAT our hosts to the 172.20 addresses when they try to access the partner's internal addresses via the VPN?

    Thanks in advance.

    Patrick

    Here is the order of operations for NAT on the firewall:

    1. nat 0 access-list (NAT exempt)

    2. Match existing xlates

    3. Match static commands

       a. Static NAT with no access list

       b. Static PAT with no access list

    4. Match nat commands

       a. nat [id] access-list (first match)

       b. nat [id] [address] [mask] (best match)

          i. If the ID is 0, create an identity xlate

          ii. Use global pool for dynamic NAT

          iii. Use global pool for dynamic PAT

    If you can, try:

    (1) a static NAT with an access list, which will have priority over the dynamic NAT statement

    (2) as you can see in 4a, it uses first match for NAT with an access list, so theoretically swapping them around should do the trick.

    Do I see any negative consequences? Well yes, you could lose all connectivity. I don't think that will happen, but I can't promise, so I would absolutely do this after hours.

    Jon
