07-02-2007 03:26 AM - edited 02-21-2020 03:08 PM
I am configuring a site to site VPN using ASDM and the VPN wizard. The local lan is 192.168.1.0 and so is the remote LAN.
Should I use "Exempt ASA side host/network from address translation" on the inside of the ASAs or not?
How can I make ARP requests pass through the tunnel?
regards
Kjetil
07-02-2007 04:04 AM
Hi Kjetil
I don't use ASDM but the CLI, but either way, if the networks are the same at either end then you cannot do NAT exemption or the traffic would never go through the tunnel, i.e.
host 192.168.1.10 wants to send data to host 192.168.1.20 at the remote site, but of course because 192.168.1.20 is part of the same subnet, host 192.168.1.10 ARPs out locally.
You would need to NAT both networks to be something else so that they can connect to each other,
i.e. 192.168.1.0/24 at site A could be presented as 172.16.1.0/24 at site B,
192.168.1.0/24 at site B could be presented as 172.16.2.0/24 at site A.
HTH
Jon
07-02-2007 05:41 AM
I'm sure NATing both networks to something else is the right solution. Unfortunately, I'm a bit unsure about how to configure this. Here is my try (not working):
ASA1:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.4 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 80.160.1.1 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.2.0 255.255.255.0
global (outside) 1 interface
global (outside) 2 172.16.1.0 netmask 255.255.255.0
nat (inside) 2 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 80.160.1.2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 80.160.1.0 type ipsec-l2l
tunnel-group 80.160.1.0 ipsec-attributes
pre-shared-key *
ASA2:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.3 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 80.160.1.2 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
global (outside) 1 interface
global (outside) 2 172.16.2.0 netmask 255.255.255.0
nat (inside) 2 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 80.160.1.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 80.160.1.0 type ipsec-l2l
tunnel-group 80.160.1.0 ipsec-attributes
pre-shared-key *
What is wrong?
Kjetil
07-02-2007 11:13 AM
Kjetil
Firstly, are you sure you want to NAT 192.168.1.0 to 172.16.1.0 for all traffic that the 192.168.1.0 hosts are going to?
If you only want to NAT 192.168.1.0 hosts to 172.16.1.0 when you are going down the VPN tunnel, then you need to use policy NAT, e.g.
access-list pnat permit ip 192.168.1.0 255.255.255.0 172.16.2.0 255.255.255.0
nat (inside) 2 access-list pnat
What this does is NAT 192.168.1.x hosts to 172.16.1.x hosts when the remote destination is a 172.16.2.x host. If a 192.168.1.x host wants to go out to the internet, your "nat (inside) 1 0.0.0.0 0.0.0.0" will be used, which is probably what you want.
Anyway, apart from that, your crypto access-lists need modifying, as the NAT happens before the encryption, so:
ASA1
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
should be changed to:
access-list outside_20_cryptomap extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
ASA2
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
should be changed to
access-list outside_20_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
Try this and let me know how you get on
Jon
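To make the order of operations in Jon's answer concrete, here is an added Python model (not part of the thread, and not Cisco code) of the outbound path on ASA1: a host only hands a packet to the ASA when the destination is off its own subnet, the ASA then applies policy NAT, and only the translated addresses are compared against the crypto ACL. The host-bit-preserving translation and the 198.51.100.7 internet destination are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the packet path described in the thread: policy NAT
# ("nat (inside) 2 access-list pnat" + "global (outside) 2") runs first, and
# the crypto ACL is evaluated afterwards on the translated addresses.

def leaves_lan(src, dst, lan="192.168.1.0/24"):
    """A host ARPs locally for its own subnet, so 192.168.1.20 never reaches the ASA."""
    return ip_address(dst) not in ip_network(lan)

def policy_nat(src, dst, pnat_acl, global_pool):
    """Translate src into global_pool when (src, dst) matches the policy NAT ACL.
    Assumption for readability: host bits are kept (192.168.1.10 -> 172.16.1.10);
    a real dynamic pool hands out addresses in order of use."""
    src, dst = ip_address(src), ip_address(dst)
    for inside, dest in pnat_acl:
        inside, dest = ip_network(inside), ip_network(dest)
        if src in inside and dst in dest:
            pool = ip_network(global_pool)
            offset = int(src) - int(inside.network_address)
            return str(pool.network_address + offset), str(dst)
    return str(src), str(dst)  # no match: "nat (inside) 1 0.0.0.0 0.0.0.0" applies

def matches_crypto_acl(src, dst, crypto_acl):
    """True when the already-translated packet hits a crypto ACL entry."""
    src, dst = ip_address(src), ip_address(dst)
    return any(src in ip_network(s) and dst in ip_network(d) for s, d in crypto_acl)

def asa_egress(src, dst, pnat_acl, global_pool, crypto_acl):
    """Outbound order: LAN exit, NAT, crypto ACL. Returns (src, dst, tunnelled)."""
    if not leaves_lan(src, dst):
        return src, dst, False
    t_src, t_dst = policy_nat(src, dst, pnat_acl, global_pool)
    return t_src, t_dst, matches_crypto_acl(t_src, t_dst, crypto_acl)

# ASA1 as posted: local pool 172.16.1.0/24, remote site presented as 172.16.2.0/24
ASA1_PNAT = [("192.168.1.0/24", "172.16.2.0/24")]
ASA1_POOL = "172.16.1.0/24"
CRYPTO_BEFORE = [("192.168.1.0/24", "172.16.2.0/24")]  # pre-NAT addresses: never matches
CRYPTO_AFTER = [("172.16.1.0/24", "172.16.2.0/24")]    # post-NAT addresses: matches

def demo():
    """Same flows against the original and the corrected crypto ACL."""
    return {
        "same_subnet": asa_egress("192.168.1.10", "192.168.1.20", ASA1_PNAT, ASA1_POOL, CRYPTO_AFTER),
        "before_fix": asa_egress("192.168.1.10", "172.16.2.20", ASA1_PNAT, ASA1_POOL, CRYPTO_BEFORE),
        "after_fix": asa_egress("192.168.1.10", "172.16.2.20", ASA1_PNAT, ASA1_POOL, CRYPTO_AFTER),
        "internet": asa_egress("192.168.1.10", "198.51.100.7", ASA1_PNAT, ASA1_POOL, CRYPTO_AFTER),
    }
```

The "same_subnet" case is the answer to the ARP question: the packet never leaves the LAN, so hosts must address the remote site by its translated 172.16.2.x addresses.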
07-02-2007 10:31 PM
Thanks Jon,
I'm feeling we are getting somewhere now :-)
Unfortunately the VPN still does not work. I have changed ASA1 to:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.4 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 80.160.1.1 255.255.255.0
access-list outside_20_cryptomap extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list pnat extended permit ip 192.168.1.0 255.255.255.0 172.16.2.0 255.255.255.0
global (outside) 1 interface
global (outside) 2 172.16.1.0 netmask 255.255.255.0
nat (inside) 2 access-list pnat
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 80.160.1.2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 80.160.1.0 type ipsec-l2l
tunnel-group 80.160.1.0 ipsec-attributes
pre-shared-key *
ASA2:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.3 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 80.160.1.2 255.255.255.0
access-list outside_20_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list pnat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
global (outside) 1 interface
global (outside) 2 172.16.2.0 netmask 255.255.255.0
nat (inside) 2 access-list pnat
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 80.160.1.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 80.160.1.0 type ipsec-l2l
tunnel-group 80.160.1.0 ipsec-attributes
pre-shared-key *
Should the "global (outside) 2" line still be there?
Kjetil