ASA Site to Site IPSec VPN question

Dec 12th, 2007

Hi all,


I have a question regarding IPSec site to site VPN.


There is an internal network, say 10.1.1.0/24 which NATs to global address 5.5.5.5 on the Outside interface. The remote network is 20.20.20.0/24


I want to NAT to the global address then send that over the tunnel.


Should the crypto map statement map the inside network 10.1.1.0/24 to the remote network 20.20.20.0/24 or should it map from the global NAT address 5.5.5.5?


Hope this is clear, thanks for any replies!

husycisco Wed, 12/12/2007 - 02:47

The crypto map should include the global (NATed) address, not the inside network, in your case:


access-list outside_100_cryptomap permit ip host 5.5.5.5 20.20.20.0 255.255.255.0

husycisco Wed, 12/12/2007 - 03:22

Hi George

Feel free to ask dependent questions. For example, how do you plan conditional exempt NAT?


Regards

george_daly Wed, 12/12/2007 - 03:49

Thanks :)


So I need to enable the option to allow communication between VPN peers connected to the same interface because this is an Outside to Outside tunnel?


Regarding the NAT: I already have exemptions specified from the internal network to the other internal address spaces through a NAT 0 access list, if that's what you mean?


husycisco Wed, 12/12/2007 - 05:02

My typo, I didn't mean exempt. Here is what I mean.

You have a nat statement like the following:


nat (inside) 1 0 0
global (outside) 1 interface


or


nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface



The above statements won't let you NAT 10.1.1.0/24 to the 5.5.5.5 outside IP. You should have the following:



access-list CNat permit ip 10.1.1.0 255.255.255.0 20.20.20.0 255.255.255.0
nat (inside) 1 access-list CNat
nat (inside) 2 0 0
global (outside) 1 5.5.5.5 255.255.255.255
global (outside) 2 interface
access-list outside_100_cryptomap permit ip host 5.5.5.5 20.20.20.0 255.255.255.0


Make sure the statements in CNat and outside_100_cryptomap do not exist in your NAT exempt rule.


"So I need to enable the option to allow communication between VPN peers connected to the same interface because this is an Outside to Outside tunnel"

No. Your outside interface was the peer for the tunnel and still is: your ASA's outside to the remote ASA's outside. You should enable same-security interface traffic if you want to permit traffic from a VPN site that ends at the outside interface to another VPN site which also ends at the outside interface.



Regards
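As an added illustration (not code from any post in this thread), the following Python check models the two points made above: the crypto ACL has to match the flow as it looks after NAT, and a flow that also appears in the nat 0 exempt ACL never reaches the policy NAT. The sample configuration is constructed from the addresses in the thread; the 192.168.50.0/24 second site and the helper names are assumptions.

```python
import ipaddress

# Constructed sample modelled on the policy-NAT layout in the reply above; 192.168.50.0/24 is a
# made-up second site that NONAT legitimately exempts (the other addresses come from the thread).
GOOD = """
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list CNat permit ip 10.1.1.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_100_cryptomap permit ip host 5.5.5.5 20.20.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list CNat
nat (inside) 2 0 0
global (outside) 1 5.5.5.5 255.255.255.255
global (outside) 2 interface
"""
# The mistake warned about above: the CNat flow is also listed in the nat 0 exempt ACL.
BAD = "access-list NONAT permit ip 10.1.1.0 255.255.255.0 20.20.20.0 255.255.255.0\n" + GOOD
def _net(w, i):
    # One ASA address spec at w[i], 'host A' or 'A MASK' ('0 0' is the nat shorthand for any).
    if w[i] == "host":
        return ipaddress.ip_network(w[i + 1]), i + 2
    ip, mask = ("0.0.0.0" if x == "0" else x for x in w[i:i + 2])
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False), i + 2
def parse_config(text):
    # acls: name -> [(src_net, dst_net)]; nats: ordered (id, kind, arg); glob: nat id -> global address
    acls, nats, glob = {}, [], {}
    for w in (line.split() for line in text.splitlines()):
        if w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            src, i = _net(w, 4)
            acls.setdefault(w[1], []).append((src, _net(w, i)[0]))
        elif w[:2] == ["nat", "(inside)"]:
            nats.append((int(w[2]),) + (("acl", w[4]) if w[3] == "access-list" else ("net", _net(w, 3)[0])))
        elif w[:2] == ["global", "(outside)"]:
            glob[int(w[2])] = w[3]
    return acls, nats, glob
def translated_source(cfg, src_ip, dst_ip):
    # Post-NAT source in the ASA's evaluation order: nat 0 exempt ACL, then policy NAT ACLs, then plain nat.
    acls, nats, glob = cfg
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for nat_id, kind, arg in sorted(nats, key=lambda r: (r[1] != "acl", r[0] != 0)):
        if (any(src in s and dst in d for s, d in acls.get(arg, [])) if kind == "acl" else src in arg):
            return src_ip if nat_id == 0 else glob[nat_id]   # exempt keeps the real address; else the global
    return src_ip
def crypto_covers(cfg, crypto_acl, src_ip, dst_ip):
    # The crypto ACL must match the flow as it looks AFTER NAT, since that is what the remote peer sees.
    post, d = translated_source(cfg, src_ip, dst_ip), ipaddress.ip_address(dst_ip)
    return post != "interface" and any(ipaddress.ip_address(post) in s and d in dn for s, dn in cfg[0].get(crypto_acl, []))
def exempt_overlaps(cfg, policy_acl, exempt_acl):
    # Policy-NAT entries that the nat 0 exempt ACL would also catch: nat 0 wins, so the policy NAT never fires.
    return [(str(s), str(d)) for s, d in cfg[0].get(policy_acl, [])
            for es, ed in cfg[0].get(exempt_acl, []) if s.overlaps(es) and d.overlaps(ed)]
```

Running `exempt_overlaps(parse_config(BAD), "CNat", "NONAT")` reports the clashing entry, while the same call on GOOD returns an empty list.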

george_daly Wed, 12/12/2007 - 07:58

Thanks for your detailed reply, much appreciated.


I'm still not quite there: 10.1.1.0/24 doesn't NAT to 5.5.5.5; I think it just routes directly down the tunnel. This is the config I have currently:


access-list outside_cryptomap_20_1 permit ip host 5.5.5.5 20.20.20.0 255.255.255.0
access-list outside_nat0_inbound permit ip host 5.5.5.5 20.20.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 6 10.1.1.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_inbound outside
global (outside) 6 5.5.5.5


In which access-list do I need to permit 10.1.1.0/24 20.20.20.0/24, or is an additional access-list required?


pvaysberg Thu, 12/13/2007 - 10:25

I am also in the same boat. I need to set up a site-to-site VPN connection to a vendor. Because of some addressing conflicts I need to NAT both the hosts that reside on my network and the hosts on the remote side. Is this something that is doable, or should I have the vendor do part of the NATting?

husycisco Fri, 12/14/2007 - 11:26

Hi Paul

Just leave a post if you need assistance.


Regards

husycisco Fri, 12/14/2007 - 11:23

George, please post your running config.

nat (inside) 6 10.1.1.0 255.255.255.0
global (outside) 6 5.5.5.5


This config may prevent your internet access. So please post your config and let me advise.


