04-13-2010 03:16 AM
Hello,
I was wondering if you can help me on the following scenario please?
I am tasked to setup Site-to-Site (both ends using Cisco ASA5520).
Site A has a flat 10 address, 10.0.0.0, and site B has an address of 10.20.90.0.
As this is overlapping address space, I need to translate the interesting-traffic address to a different subnet.
So interesting-traffic addresses coming from 10.0.0.0 will be translated to 192.168.67.0, and traffic coming from 10.20.90.0 will be translated to 192.168.66.0.
Once this is set up I need to do host-to-host mapping for about 12 machines.
Can you have a look over the below config and see if this is correct?
Also, when I am configuring Site-to-Site, do I have to bring up the tunnel at both ends before I configure the VPN traffic?
access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0 access-list policy-nat
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address VPN_Traffic
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
Thanks
04-14-2010 06:26 AM
Reply sent
04-13-2010 03:51 AM
Is your 10.0.0.0 subnet class A or class C? What is the subnet mask for the 10.0.0.0 network? If it is class C, it does not overlap with 10.20.90.0/24.
04-13-2010 03:53 AM
My 10.0.0.0 is a class A address.
Does my config look ok?
04-13-2010 03:58 AM
Based on your config, I assume you only want traffic to be encrypted from the 10.0.0.0/24 subnet, right?
You also need the following static statement:
static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0
Here is the sample config for your reference:
PIX: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml
IOS: http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml
(The concept is the same; there is no sample config for the later ASA version.)
04-13-2010 04:04 AM
No, I need traffic encrypted from both ends.
The config that I posted was for site B.
I have followed the following document;
04-13-2010 04:15 AM
That config guide that you use only translates 1 site, not the other. And it is not an overlapping LAN scenario.
04-13-2010 04:30 AM
Overall, what do I need to add to my config so I can get both sites to translate?
04-13-2010 04:34 AM
As advised earlier, here is what you need to add:
static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0
04-13-2010 04:39 AM
Ok thanks, one more thing: shall I remove the following statement or keep it in?
static (inside,outside) 192.168.66.0 access-list policy-nat
04-13-2010 04:50 AM
You need to keep that.
04-13-2010 04:53 AM
Thanks for your help
Tahir
04-13-2010 05:37 AM
If you need translation on both sides, this is what you need:
SITE A:
access-list VPN_Traffic extended permit ip 192.168.67.0 255.255.255.0 192.168.66.0 255.255.255.0
access-list policy-nat extended permit ip 10.0.0.0 255.255.255.0 10.12.90.0 255.255.255.0
static (inside,outside) 192.168.67.0 access-list policy-nat
SITE B:
access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list policy-nat extended permit ip 10.12.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0 access-list policy-nat
04-13-2010 05:45 AM
Hi,
Do I have to add this following statement:
static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0
04-13-2010 05:48 AM
There are 2 ways you can configure it:
1) Source and destination NAT as per the initial configuration advice --> NAT only needs to be configured on 1 site
OR
2) Source NAT as per droeun141's advice --> source NAT needs to be configured on both sites.
04-13-2010 06:03 AM
Cool, I didn't know there was more than one way to do it.
For source & destination NAT, what should the crypto ACL look like for SITE B? Do you use the outside local or global address for the destination?
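To make the two-sided source NAT option (2) concrete, here is an added Python model of how each ASA's policy-nat ACL, static and crypto ACL act on a packet, using the thread's 10.0.0.0/24, 10.20.90.0/24, 192.168.67.0/24 and 192.168.66.0/24. It is not code from the thread or from Cisco; the host-offset-preserving net-to-net translation and the `Site` class are assumptions of the model, and every packet is constructed test data.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

def translate(addr: IPv4Address, real: IPv4Network, mapped: IPv4Network) -> IPv4Address:
    """Net-to-net static NAT (assumed model): keep the host offset, swap the network part."""
    return mapped[int(addr) - int(real.network_address)]

class Site:
    """One ASA (hypothetical model): 'real' is its inside LAN, 'mapped' the range it shows
    the peer, 'peer_mapped' the range the peer shows it (policy-nat and crypto ACL destination)."""
    def __init__(self, name: str, real: str, mapped: str, peer_mapped: str):
        self.name = name
        self.real, self.mapped, self.peer_mapped = map(ip_network, (real, mapped, peer_mapped))

    def outbound(self, src: str, dst: str):
        """Packet leaving the inside interface: policy NAT (real -> peer_mapped) and then the
        crypto ACL (mapped -> peer_mapped). Returns the translated pair, or None when the
        packet is not interesting traffic and would never enter the tunnel."""
        s, d = ip_address(src), ip_address(dst)
        if s in self.real and d in self.peer_mapped:          # policy-nat ACL hit
            s = translate(s, self.real, self.mapped)          # static (inside,outside)
            if s in self.mapped and d in self.peer_mapped:    # crypto ACL hit
                return s, d
        return None

    def inbound(self, src: IPv4Address, dst: IPv4Address):
        """Decrypted packet from the tunnel: must match the mirrored crypto ACL, then the
        static un-translates the destination back to the real inside host."""
        if src in self.peer_mapped and dst in self.mapped:
            return src, translate(dst, self.mapped, self.real)
        return None

def mirrored(a: Site, b: Site) -> bool:
    """Both crypto ACLs must be exact mirrors and no mapped range may collide with a real LAN."""
    acls_mirror = (a.mapped, a.peer_mapped) == (b.peer_mapped, b.mapped)
    no_collision = not any(m.overlaps(r) for m in (a.mapped, b.mapped) for r in (a.real, b.real))
    return acls_mirror and no_collision

def deliver(a: Site, b: Site, src: str, dst: str):
    """Host at site a sends to dst; return (source seen, real destination) on site b's LAN."""
    out = a.outbound(src, dst)
    return None if out is None else b.inbound(*out)

# Constructed topology using the thread's ranges.
SITE_A = Site("A", "10.0.0.0/24", "192.168.67.0/24", "192.168.66.0/24")
SITE_B = Site("B", "10.20.90.0/24", "192.168.66.0/24", "192.168.67.0/24")

if __name__ == "__main__":
    print(mirrored(SITE_A, SITE_B))                                # True
    print(deliver(SITE_A, SITE_B, "10.0.0.10", "192.168.66.20"))  # (192.168.67.10, 10.20.90.20)
    print(deliver(SITE_A, SITE_B, "10.0.0.10", "10.20.90.20"))    # None: peer's real address is never interesting traffic
```

The last call shows the practical consequence of option (2): hosts on each side must address the peer's mapped (global) range, because the peer's real addresses never match the policy-nat or crypto ACL.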