630 Views, 14 Helpful, 9 Replies

ASA Site to Site IPSec VPN question

george_daly
Level 1

Hi all,

I have a question regarding IPSec site to site VPN.

There is an internal network, say 10.1.1.0/24 which NATs to global address 5.5.5.5 on the Outside interface. The remote network is 20.20.20.0/24

I want to NAT to the global address then send that over the tunnel.

Should the crypto map statement map the inside network 10.1.1.0/24 to the remote network 20.20.20.0/24 or should it map from the global NAT address 5.5.5.5?

Hope this is clear, thanks for any replies!

9 Replies

husycisco
Level 7

The crypto map should include the global (NATed) address, not the inside network, in your case:

access-list outside_100_cryptomap permit ip host 5.5.5.5 20.20.20.0 255.255.255.0

husycisco
Level 7

Hi George

Feel free to ask dependent questions. For example, how do you plan the conditional exempt NAT?

Regards

Thanks :)

So I need to enable the option to allow communication between VPN peers connected to the same interface because this is an Outside to Outside tunnel?

Regarding the NAT: I already have exemptions specified from the internal network to the other internal address spaces through a NAT 0 access list, if that's what you mean?

My typo, I didn't mean exempt. Here is what I mean.

You have a nat statement like the following:

nat (inside) 1 0 0
global (outside) 1 interface

or

nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

The above statements won't let you NAT 10.1.1.0/24 to the 5.5.5.5 outside IP. You should have the following:

access-list CNat permit ip 10.1.1.0 255.255.255.0 20.20.20.0 255.255.255.0
nat (inside) 1 access-list CNat
nat (inside) 2 0 0
global (outside) 1 5.5.5.5 255.255.255.255
global (outside) 2 interface
access-list outside_100_cryptomap permit ip host 5.5.5.5 20.20.20.0 255.255.255.0

Make sure the statements in CNat and outside_100_cryptomap do not exist in your nat exempt rule.

"So I need to enable the option to allow communication between VPN peers connected to the same interface because this is an Outside to Outside tunnel"

No. Your outside interface was the peer for the tunnel and still is: your ASA's outside to the remote ASA's outside. You should enable same-security interface traffic if you want to permit traffic from a VPN site that ends at the outside interface to another VPN site which also ends at the outside interface.

Regards
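As an added illustration (not from this thread, and not Cisco's code), the check below parses the 8.2-style access-list, nat and global lines used in the answer above and evaluates a flow in the order the ASA applies NAT: the nat 0 exemption first, then policy NAT (nat ... access-list), then regular dynamic NAT. Only after translation does it test whether the crypto ACL selects the flow, which is why a source that is exempted from NAT never matches a crypto ACL written for the global address. It also lists the policy-NAT entries that are covered by the exempt ACL, the overlap the answer warns about. Both sample configs are constructed for the example; the contents of NONAT and the outside interface address 203.0.113.1 are assumptions.

```python
import ipaddress

# Assumption: address standing in for "global (outside) N interface" (placeholder, not from the thread).
OUTSIDE_IF_IP = "203.0.113.1"
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample in the style of the answer: policy NAT 10.1.1.0/24 -> 5.5.5.5 only for
# traffic to 20.20.20.0/24, everything else PATed to the interface, and a NAT-exempt ACL
# (NONAT, assumed contents) that covers a different site only.
GOOD_CONFIG = """
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list CNat permit ip 10.1.1.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_100_cryptomap permit ip host 5.5.5.5 20.20.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list CNat
nat (inside) 2 0 0
global (outside) 1 5.5.5.5 255.255.255.255
global (outside) 2 interface
"""

# Same config, but NONAT also exempts 10.1.1.0/24 -> 20.20.20.0/24: the overlap the answer warns about.
BROKEN_CONFIG = GOOD_CONFIG.replace(
    "access-list CNat",
    "access-list NONAT permit ip 10.1.1.0 255.255.255.0 20.20.20.0 255.255.255.0\naccess-list CNat", 1)


def _endpoint(tokens):
    """Consume one ACL endpoint ('any', 'host A', or 'A MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Parse the subset of ASA 8.2 syntax used in the thread: 'permit ip' ACEs, nat, global."""
    cfg = {"acls": {}, "nats": [], "globals": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _endpoint(t[4:])
            dst, _ = _endpoint(rest)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat":
            rule = {"iface": t[1].strip("()"), "id": int(t[2]), "acl": None, "net": None}
            if t[3] == "access-list":
                rule["acl"] = t[4]                       # policy NAT or nat 0 exemption
            elif t[3] == "0" and t[4] == "0":
                rule["net"] = ANY                        # "0 0" means any source
            else:
                rule["net"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            cfg["nats"].append(rule)
        elif t[0] == "global":
            addr = OUTSIDE_IF_IP if t[3] == "interface" else t[3]
            cfg["globals"][(t[1].strip("()"), int(t[2]))] = ipaddress.ip_address(addr)
    return cfg


def acl_matches(cfg, name, src, dst):
    """True if any ACE of the named ACL covers the src/dst pair."""
    return any(src in s and dst in d for s, d in cfg["acls"].get(name, []))


def translate(cfg, src_ip, dst_ip, iface="inside", out_iface="outside"):
    """Pick the NAT rule for a flow in 8.2 order: nat 0 exemption, then policy NAT
    (nat ... access-list), then regular dynamic NAT. Returns (rule text, translated source)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    rules = [n for n in cfg["nats"] if n["iface"] == iface]
    for n in rules:
        if n["id"] == 0 and n["acl"] and acl_matches(cfg, n["acl"], src, dst):
            return f"nat ({iface}) 0 access-list {n['acl']}", src
    for n in rules:
        if n["id"] and n["acl"] and acl_matches(cfg, n["acl"], src, dst):
            return f"nat ({iface}) {n['id']} access-list {n['acl']}", cfg["globals"].get((out_iface, n["id"]), src)
    for n in rules:
        if n["id"] and n["net"] is not None and src in n["net"]:
            return f"nat ({iface}) {n['id']} {n['net']}", cfg["globals"].get((out_iface, n["id"]), src)
    return "no matching nat rule", src


def check_tunnel_flow(text, src_ip, dst_ip, crypto_acl):
    """Does the crypto ACL select this flow after NAT? That is the address the ASA evaluates."""
    cfg = parse_config(text)
    rule, xlated = translate(cfg, src_ip, dst_ip)
    return {"nat_rule": rule, "translated_src": str(xlated),
            "crypto_match": acl_matches(cfg, crypto_acl, xlated, ipaddress.ip_address(dst_ip))}


def exempt_overlaps(text, exempt_acl, other_acl):
    """ACEs of other_acl that are fully covered by an ACE in exempt_acl (the overlap to avoid)."""
    cfg = parse_config(text)
    return [(str(s), str(d)) for s, d in cfg["acls"].get(other_acl, [])
            if any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in cfg["acls"].get(exempt_acl, []))]


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, check_tunnel_flow(text, "10.1.1.10", "20.20.20.5", "outside_100_cryptomap"))
        print(name, "CNat entries covered by NONAT:", exempt_overlaps(text, "NONAT", "CNat"))
```

With the good config a packet from 10.1.1.10 to 20.20.20.5 is translated to 5.5.5.5 by nat (inside) 1 and matches outside_100_cryptomap; with the broken config the nat 0 exemption wins, the source stays 10.1.1.10, and the crypto ACL never matches, so the traffic is not sent through the tunnel. Traffic to any other destination falls through to nat (inside) 2 and the interface address, which is the behaviour that keeps ordinary internet access working.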

Thanks for your detailed reply, much appreciated.

I'm still not quite there: 10.1.1.0/24 doesn't NAT to 5.5.5.5; I think it just routes directly down the tunnel. This is the config I have currently:

access-list outside_cryptomap_20_1 permit ip host 5.5.5.5 20.20.20.0 255.255.255.0
access-list outside_nat0_inbound permit ip host 5.5.5.5 20.20.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 6 10.1.1.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_inbound outside
global (outside) 6 5.5.5.5

In which access-list do I need to permit 10.1.1.0/24 20.20.20.0/24, or is an additional access-list required?

I am also in the same boat. I need to set up a site-to-site VPN connection to a vendor. Because of some addressing conflicts I need to NAT both the hosts that reside on my network and the hosts on the remote side. Is this something that is doable, or should I have the vendor do part of the natting?

Hi Paul

Just leave a post if you need assistance

Regards

George, please post your running config.

nat (inside) 6 10.1.1.0 255.255.255.0
global (outside) 6 5.5.5.5

This config may prevent your internet access. So please post your config and let me advise.
