need help with S2S VPN with static/NAT

rasmusan1
Level 1

Hello

I need some help on configuring a VPN tunnel between 2 customer sites.

inside networks:

site1: 192.168.10.0 /24

site2: 10.10.14.0 /24

hosting network: 172.23.0.0 /24

Site1 has an MPLS connection to some hosting provider, which goes through a router that is on their 192.168.10.0 /24 subnet. The hosting provider will only allow IP addresses from the 192.168.10.0 /24 network to go through the MPLS to their hosting network.

However the situation now is, that we need Site2 to also be able to access the hosting network.

I need to configure a VPN tunnel from Site2 to Site1 with some kind of static NAT, that will allow Site2 to access the hosting network through the MPLS. Therefore the Site2 IP addresses (just a few) need to be translated in the VPN tunnel to some IP addresses that are available on Site1's subnet (192.168.10.0 /24).

The issue is of course that all has to be handled at layer 2 on site1.

Site2 (the few hosts) still have to be able to communicate with devices on Site1 and Site1 still has to be able to communicate with the few hosts on Site2.

I have accomplished some of this, as I am now able to communicate from a single host on site2 (10.10.14.102 - NAT'ed 192.168.10.240) to the hosts on site1. However, traffic initiated from Site1 to the host on Site2 (192.168.10.240 - real 10.10.14.102) does not work.

I really hope someone can help me with this. I have pasted the relevant configuration from both ASAs that have gotten me so far.

Site1:

access-list INSIDE_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.240
access-list RA_VPNNAT extended permit ip 192.168.10.0 255.255.255.0 host 192.168.10.240
static (INSIDE,INSIDE) 192.168.10.240 192.168.10.240 netmask 255.255.255.255
crypto map OUTSIDE_map 5 match address RA_VPNNAT
crypto map OUTSIDE_map 5 set pfs group5
crypto map OUTSIDE_map 5 set peer x.x.x.x
crypto map OUTSIDE_map 5 set transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map 5 set security-association lifetime seconds 28800
crypto map OUTSIDE_map 5 set security-association lifetime kilobytes 4608000

Site2:

access-list VPNTEST extended permit ip host 192.168.10.240 192.168.10.0 255.255.255.0
access-list PNAT_1 extended permit ip host 10.10.14.102 192.168.10.0 255.255.255.0
static (inside,outside) 192.168.10.240 access-list PNAT_1
crypto map outside_map 9 match address VPNTEST
crypto map outside_map 9 set pfs group5
crypto map outside_map 9 set peer x.x.x.x
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000

best regards...

1 Reply

rasmusan1
Level 1

Hello

I actually solved this issue myself.

On Site1 I removed the static:

static (INSIDE,INSIDE) 192.168.10.240 192.168.10.240 netmask 255.255.255.255

And added the following statics:

static (inside,outside) 192.168.10.240 192.168.10.240 netmask 255.255.255.255
static (outside,inside) 192.168.10.240 192.168.10.240 netmask 255.255.255.255

hope others can use this information.

Best regards
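As an added example, not part of either post: a small Python model of the policy NAT on Site2, the egress choice the Site1 statics produce, and the crypto-ACL mirror check, using the addresses, ACL names and static entries from the thread. The pre-8.3 rule that a static's mapped address diverts traffic to the static's real interface, and the connected/default routes on Site1, are assumptions of the model rather than anything the posts state.

```python
"""Model of the pre-8.3 ASA NAT and crypto-ACL behaviour the thread relies on.

Constructed example: networks, ACL names and static entries come from the
posts above; the evaluation rules are a simplified model, not Cisco code.
"""
from ipaddress import ip_address, ip_network

# Crypto ACLs from the posts, as (source, destination) pairs.
SITE1_RA_VPNNAT = [(ip_network("192.168.10.0/24"), ip_network("192.168.10.240/32"))]
SITE2_VPNTEST = [(ip_network("192.168.10.240/32"), ip_network("192.168.10.0/24"))]

# Site2 policy NAT: static (inside,outside) 192.168.10.240 access-list PNAT_1
SITE2_PNAT_1 = [(ip_network("10.10.14.102/32"), ip_network("192.168.10.0/24"))]
SITE2_PNAT_MAPPED = ip_address("192.168.10.240")

# Site1 statics as (real_interface, mapped_interface, mapped_address): before and after the fix.
SITE1_STATIC_BEFORE = [("INSIDE", "INSIDE", ip_address("192.168.10.240"))]
SITE1_STATICS_AFTER = [("inside", "outside", ip_address("192.168.10.240")),
                       ("outside", "inside", ip_address("192.168.10.240"))]
SITE1_CONNECTED = {"inside": ip_network("192.168.10.0/24")}  # assumption: connected route on inside


def acl_match(acl, src, dst):
    """True if some ACE permits the (src, dst) pair."""
    return any(src in s and dst in d for s, d in acl)


def site2_to_site1_encrypted(real_src, dst):
    """Site2 -> Site1: policy NAT runs first, then the crypto map matches the mapped source."""
    mapped_src = SITE2_PNAT_MAPPED if acl_match(SITE2_PNAT_1, real_src, dst) else real_src
    return acl_match(SITE2_VPNTEST, mapped_src, dst)


def site1_egress(ingress, dst, statics):
    """Modelled pre-8.3 rule (assumption): a static whose mapped address sits on the
    ingress interface diverts the packet to the static's real interface;
    otherwise the connected route decides, with 'outside' as the default route."""
    for real_if, mapped_if, mapped in statics:
        if mapped_if.lower() == ingress and dst == mapped:
            return real_if.lower()
    return next((i for i, n in SITE1_CONNECTED.items() if dst in n), "outside")


def site1_to_site2_encrypted(src, dst, statics):
    """Site1 -> Site2 is encrypted only if the packet leaves via outside and matches RA_VPNNAT."""
    return site1_egress("inside", dst, statics) == "outside" and acl_match(SITE1_RA_VPNNAT, src, dst)


def crypto_acls_mirrored(local_acl, remote_acl):
    """Each ACE must appear reversed on the peer, or the two proxy identities will not agree."""
    return all((d, s) in remote_acl for s, d in local_acl) and all((d, s) in local_acl for s, d in remote_acl)
```

With the original static (INSIDE,INSIDE) the model sends Site1 traffic for 192.168.10.240 back out inside, so it never reaches the crypto map; with the (outside,inside) static it is diverted to outside and matches RA_VPNNAT.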
