need help with S2S VPN with static/NAT

Unanswered Question
Sep 21st, 2009

Hello

I need some help on configuring a VPN tunnel between 2 customer sites.

inside networks:

site1: 192.168.10.0 /24

site2: 10.10.14.0 /24

hosting network: 172.23.0.0 /24

Site1 has an MPLS connection to some hosting provider, which goes through a router that is on their 192.168.10.0 /24 subnet. The hosting provider will only allow IP addresses from the 192.168.10.0 /24 network to go through the MPLS to their hosting network.

However the situation now is, that we need Site2 to also be able to access the hosting network.

I need to configure a VPN tunnel from Site2 to Site1 with some kind of static NAT, that will allow Site2 to access the hosting network through the MPLS. Therefore the Site2 IP addresses (just a few) need to be translated in the VPN tunnel to some IP addresses that are available on Site1's subnet (192.168.10.0 /24).

The issue is of course that all has to be handled at layer 2 on site1.

Site2 (the few hosts) still has to be able to communicate with devices on Site1 and Site1 still has to be able to communicate with the few hosts on Site2.

I have accomplished some of this, as I am now able to communicate from a single host on site2 (10.10.14.102 - NAT'ed 192.168.10.240) to the hosts on site1. However traffic initiated from Site1 to the host on Site2 (192.168.10.240 - real 10.10.14.102) does not work.

I really hope someone can help me with this. I have pasted the relevant configuration from both ASAs that have gotten me so far.

Site1:

access-list INSIDE_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.240
access-list RA_VPNNAT extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.240
static (INSIDE,INSIDE) 192.168.10.240 192.168.10.240 netmask 255.255.255.255
crypto map OUTSIDE_map 5 match address RA_VPNNAT
crypto map OUTSIDE_map 5 set pfs group5
crypto map OUTSIDE_map 5 set peer x.x.x.x
crypto map OUTSIDE_map 5 set transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map 5 set security-association lifetime seconds 28800
crypto map OUTSIDE_map 5 set security-association lifetime kilobytes 4608000

Site2:

access-list VPNTEST extended permit ip host 192.168.10.240 192.168.10.0 255.255.255.0
access-list PNAT_1 extended permit ip host 10.10.14.102 192.168.10.0 255.255.255.0
static (inside,outside) 192.168.10.240 access-list PNAT_1
crypto map outside_map 9 match address VPNTEST
crypto map outside_map 9 set pfs group5
crypto map outside_map 9 set peer x.x.x.x
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000

best regards...

rasmusan1 Tue, 09/22/2009 - 05:09

Hello

I actually solved this issue myself.

On Site1 I removed the static:

static (INSIDE,INSIDE) 192.168.10.240 192.168.10.240 netmask 255.255.255.255

And added the following statics:

static (inside,outside) 192.168.10.240 192.168.10.240 netmask 255.255.255.255
static (outside,inside) 192.168.10.240 192.168.10.240 netmask 255.255.255.255

hope others can use this information.

Best regards
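A sanity check for the kind of setup this thread describes, as an added Python example that is not from the thread or from Cisco: it parses the pasted pre-8.3 style ASA lines (the sample below is constructed from the post and the reply), verifies that the two peers' crypto ACLs are exact mirrors of each other, and verifies that each static's mapped address on the outside interface falls inside the local side of the crypto ACL, since the ASA translates before it matches the crypto map. The regexes and function names are my own; only "host A.B.C.D" and "A.B.C.D MASK" address forms are handled.

```python
import ipaddress
import re
# Constructed sample: the crypto/NAT lines the thread pastes for each ASA (post + reply)
SITE1 = """
access-list RA_VPNNAT extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.240
static (inside,outside) 192.168.10.240 192.168.10.240 netmask 255.255.255.255
static (outside,inside) 192.168.10.240 192.168.10.240 netmask 255.255.255.255
crypto map OUTSIDE_map 5 match address RA_VPNNAT
"""
SITE2 = """
access-list VPNTEST extended permit ip host 192.168.10.240 192.168.10.0 255.255.255.0
access-list PNAT_1 extended permit ip host 10.10.14.102 192.168.10.0 255.255.255.0
static (inside,outside) 192.168.10.240 access-list PNAT_1
crypto map outside_map 9 match address VPNTEST
"""
ACE_RE = re.compile(r"access-list (\S+) extended permit ip (.+)")
MAP_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)")
STATIC_RE = re.compile(r"static \(\S+,outside\) (\S+) ")  # mapped on the VPN-facing side

def parse_addr(tok):
    """Consume 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, remaining tokens)."""
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def crypto_acl_entries(config):
    """(src, dst) pairs of every ACE referenced by a 'crypto map ... match address'."""
    acls, entries = {}, []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            src, rest = parse_addr(m.group(2).split())
            acls.setdefault(m.group(1), []).append((src, parse_addr(rest)[0]))
    for line in config.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            entries.extend(acls.get(m.group(1), []))
    return entries

def crypto_acls_mirror(cfg_a, cfg_b):
    """True only if each proxy-ID pair on one peer is the exact (dst, src) mirror on the other."""
    return set(crypto_acl_entries(cfg_a)) == {(d, s) for s, d in crypto_acl_entries(cfg_b)}

def mapped_addrs_in_crypto_acl(config):
    """For each static mapped on 'outside': is the post-NAT address inside the crypto ACL's local side?"""
    local = [s for s, _ in crypto_acl_entries(config)]
    out = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            out[m.group(1)] = any(ipaddress.ip_address(m.group(1)) in n for n in local)
    return out
```

A False from crypto_acls_mirror, or a False value from mapped_addrs_in_crypto_acl, is the usual reason traffic works in one direction only: the proxy IDs the two peers negotiate do not line up with the translated addresses.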
