cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
656
Views
7
Helpful
4
Replies

ASA VPN wizard: Site to site Ipsec

Kjetil Fleten
Level 1
Level 1

I am configuring a site to site VPN using ASDM and the VPN wizard. The local lan is 192.168.1.0 and so is the remote LAN.

Should I use "Exempt ASA side host/network from address translation" at the inside of the ASA's or not ?

How can I make arp requests pass through the tunnel ?

regards

Kjetil

4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

Hi Kjetil

I don't use asdm but the CLI but either way if the networks are the same at either end then you cannot do NAT exemption or the traffic would never go through the tunnel ie.

host 192.168.1.10 wants to send data to host 192.168.1.20 at the remote site but of course because 192.168.1.20 is part of the same subnet then the host 192.168.1.10 arps out locally.

You would need to NAT both networks to be something else so that they can connect to each other

ie 192.168.1.0/24 at site A could be presented as 172.16.1.0/24 at site B

192.168.1.0/24 AT site B could be presented as 172.16.2.0/24 at site A.

HTH

Jon

I'm sure NAT'ing both networks to something else is the right solution. Unfortunately, I'm a bit unsure about how to configure this. Here is my try (not working):

ASA1:

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.4 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 80.160.1.1 255.255.255.0

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.2.0 255.255.255.0

global (outside) 1 interface

global (outside) 2 172.16.1.0 netmask 255.255.255.0

nat (inside) 2 192.168.1.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer 80.160.1.2

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group 80.160.1.0 type ipsec-l2l

tunnel-group 80.160.1.0 ipsec-attributes

pre-shared-key *

ASA2:

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.3 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 80.160.1.2 255.255.255.0

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

global (outside) 1 interface

global (outside) 2 172.16.2.0 netmask 255.255.255.0

nat (inside) 2 192.168.1.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer 80.160.1.1

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group 80.160.1.0 type ipsec-l2l

tunnel-group 80.160.1.0 ipsec-attributes

pre-shared-key *

What is wrong ?

Kjetil

Kjetil

Firstly, are you sure you want to NAT 192.168.1.0 to 172.16.1.0 for all traffic that the 192.168.1.0 hosts are going to ?.

If you only want to NAT 192.168.1.0 hosts to 172.16.1.0 when you are going down the VPN tunnel then you need to use policy NAT eg.

access-list pnat permit ip 192.168.1.0 255.255.255.0 172.16.2.0 255.255.255.0

nat (inside) 2 access-list pnat

What this does is to NAT 192.168.1.x hosts to 172.16.1.x hosts when the remote destination is a 172.16.2.x host. If a 192.168.1.x host wants to go out to the internet your "nat (inside) 1 0.0.0.0 0.0.0.0" will be used which is probably what you want.

Anyway apart from that your crypto access-lists need modifying as the NAT happens before the encryption so

ASA1

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

should be changed to:

access-list outside_20_cryptomap extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0

ASA2

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

should be changed to

access-list outside_20_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0

Try this and let me know how you get on

Jon

Thanks Jon,

I'm feeling we are getting somewere now :-)

Unfortunately the VPN still not work. I have changed ASA1 to:

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.4 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 80.160.1.1 255.255.255.0

access-list outside_20_cryptomap extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0

access-list pnat extended permit ip 192.168.1.0 255.255.255.0 172.16.2.0 255.255.255.0

global (outside) 1 interface

global (outside) 2 172.16.1.0 netmask 255.255.255.0

nat (inside) 2 access-list pnat

nat (inside) 1 0.0.0.0 0.0.0.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer 80.160.1.2

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group 80.160.1.0 type ipsec-l2l

tunnel-group 80.160.1.0 ipsec-attributes

pre-shared-key *

ASA2:

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.3 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 80.160.1.2 255.255.255.0

access-list outside_20_cryptomap extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list pnat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

global (outside) 1 interface

global (outside) 2 172.16.2.0 netmask 255.255.255.0

nat (inside) 2 access-list pnat

nat (inside) 1 0.0.0.0 0.0.0.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer 80.160.1.1

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group 80.160.1.0 type ipsec-l2l

tunnel-group 80.160.1.0 ipsec-attributes

pre-shared-key *

Should the "global (outside) 2" -line still be there ?

Kjetil

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: