Help with PAT VPN Traffic

tahirs001
Level 1

Hello,


I was wondering if you can help me on the following scenario please?
I am tasked with setting up a Site-to-Site VPN (both ends using Cisco ASA5520).
Site A has a flat 10 address, 10.0.0.0, and site B has an address of 10.20.90.0.
As this is overlapping address space I need to translate the interesting traffic address to a different subnet.
So interesting traffic coming from 10.0.0.0 will be translated to 192.168.67.0 and traffic coming from 10.20.90.0 will be translated to 192.168.66.0.
Once this is set up I need to do host-to-host mapping for about 12 machines.
Can you have a look over the below config and see if this is correct?


Also, when I am configuring Site-to-Site, do I have to bring up the tunnel at both ends before I configure the VPN traffic?

access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0  access-list policy-nat
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address VPN_Traffic
crypto map outside_map 20 set peer  1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

Thanks


Jennifer Halim
Cisco Employee

Is your 10.0.0.0 subnet class A or class C? What is the subnet mask for the 10.0.0.0 network? If it is class C, it does not overlap with 10.20.90.0/24.

My 10.0.0.0 is a class A address.

Does my config look ok?

Based on your config, I assume you only want traffic to be encrypted from the 10.0.0.0/24 subnet, right?

You also need the following static statement:

static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0

Here is the sample config for your reference:

PIX: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml

IOS: http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

(The concept is the same; there is no sample config for the later ASA version.)

No, I need traffic encrypted from both ends.

The config that I posted was for site B.

I have followed the following document;

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

That config guide that you used only translates 1 site, not the other. And it is not an overlapping LAN scenario.

Overall, what do I need to add to my config so I can get both sites to translate?

As advised earlier, here is what you need to add:

static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0

Ok thanks, one more thing: shall I remove the following statement or keep it in?

static (inside,outside) 192.168.66.0  access-list policy-nat

You need to keep that.

thanks for your help

Tahir

If you need translation on both sides - this is what you need:

SITE A:

access-list VPN_Traffic extended permit ip 192.168.67.0 255.255.255.0 192.168.66.0 255.255.255.0
access-list policy-nat extended permit ip 10.0.0.0 255.255.255.0 10.20.90.0 255.255.255.0
static (inside,outside) 192.168.67.0 access-list policy-nat


SITE B:

access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0 access-list policy-nat

Hi,

Do I have to add the following statement:

static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0

There are 2 ways you can configure it:

1) Source and destination NAT as per the initial configuration advice --> NAT only needs to be configured on 1 site

OR

2) Source NAT as per droeun141's advice --> source NAT needs to be configured on both sites.
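The point both designs above turn on is that an ASA evaluates the crypto ACL against the packet as it looks after NAT, so the crypto ACL has to name the translated addresses. The following is an added example (editor's own code, not from this thread or from Cisco) that models the first design, source plus destination NAT on site B only, using the thread's prefixes (10.0.0.0/24, 10.20.90.0/24, 192.168.66.0/24, 192.168.67.0/24) and the pre-8.3 `static` semantics the posted commands use. The order of operations it assumes (outside static un-translates the destination first, then policy NAT rewrites the source) and the `Site`, `SourcePolicyNat` and `DestinationStatic` classes are modelling assumptions; it also includes the overlap check from the first reply, and a deliberately mis-written crypto ACL using the local addresses to show why such an ACL never matches.

```python
"""Model of pre-8.3 ASA NAT order and crypto ACL matching for overlapping LANs.
Added example (editor's code, not from the thread). The processing order and
the classes below are assumptions; the addresses are the thread's."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


def overlaps(a: str, b: str) -> bool:
    """True when two prefixes share addresses, i.e. translation is needed."""
    return ip_network(a).overlaps(ip_network(b))


def remap(addr: str, from_net: str, to_net: str) -> str:
    """Net-to-net static mapping: keep the host offset, swap the prefix."""
    src_net, dst_net = ip_network(from_net), ip_network(to_net)
    offset = int(ip_address(addr)) - int(src_net.network_address)
    return str(ip_address(int(dst_net.network_address) + offset))


@dataclass
class SourcePolicyNat:
    """static (inside,outside) <mapped> access-list <acl>: rewrite the source
    when the real (src, dst) pair matches the ACL."""
    acl_src: str
    acl_dst: str
    mapped: str


@dataclass
class DestinationStatic:
    """static (outside,inside) <mapped> <real> netmask <mask>: inside hosts
    address the remote LAN as <mapped>; the ASA rewrites the destination
    back to <real> before the packet leaves the outside interface."""
    mapped: str
    real: str


@dataclass
class Site:
    name: str
    source_nat: list[SourcePolicyNat] = field(default_factory=list)
    dest_static: list[DestinationStatic] = field(default_factory=list)
    crypto_acl: list[tuple[str, str]] = field(default_factory=list)


def outbound_after_nat(site: Site, src: str, dst: str) -> tuple[str, str]:
    """(src, dst) as the ASA sees them when it evaluates the crypto ACL.
    Assumed order: the outside static un-translates the destination, then
    policy NAT matches on the real pair and rewrites the source."""
    for ds in site.dest_static:
        if ip_address(dst) in ip_network(ds.mapped):
            dst = remap(dst, ds.mapped, ds.real)
            break
    for pn in site.source_nat:
        if ip_address(src) in ip_network(pn.acl_src) and ip_address(dst) in ip_network(pn.acl_dst):
            src = remap(src, pn.acl_src, pn.mapped)
            break
    return src, dst


def crypto_acl_matches(site: Site, src: str, dst: str) -> bool:
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in site.crypto_acl)


def will_encrypt(site: Site, src: str, dst: str) -> bool:
    """Crypto ACLs are checked against the post-NAT packet, not the original."""
    return crypto_acl_matches(site, *outbound_after_nat(site, src, dst))


# Design 1 from the thread: source + destination NAT configured on site B only.
SITE_B = Site(
    "B",
    source_nat=[SourcePolicyNat("10.20.90.0/24", "10.0.0.0/24", "192.168.66.0/24")],
    dest_static=[DestinationStatic("192.168.67.0/24", "10.0.0.0/24")],
    crypto_acl=[("192.168.66.0/24", "10.0.0.0/24")],
)
# Same NAT, but the crypto ACL mistakenly written with the pre-NAT (local) addresses.
SITE_B_LOCAL_ACL = Site(
    "B-local-acl",
    source_nat=SITE_B.source_nat,
    dest_static=SITE_B.dest_static,
    crypto_acl=[("10.20.90.0/24", "192.168.67.0/24")],
)
# Site A needs no NAT in design 1; its crypto ACL is the mirror of site B's.
SITE_A = Site("A", crypto_acl=[("10.0.0.0/24", "192.168.66.0/24")])

if __name__ == "__main__":
    print("/8 overlaps:", overlaps("10.0.0.0/8", "10.20.90.0/24"),
          "/24 overlaps:", overlaps("10.0.0.0/24", "10.20.90.0/24"))
    print("site B post-NAT:", outbound_after_nat(SITE_B, "10.20.90.5", "192.168.67.10"))
    for site in (SITE_B, SITE_B_LOCAL_ACL):
        print(site.name, "encrypts:", will_encrypt(site, "10.20.90.5", "192.168.67.10"))
    print(SITE_A.name, "encrypts:", will_encrypt(SITE_A, "10.0.0.10", "192.168.66.5"))
```

A site B host that addresses the remote machine as 192.168.67.10 leaves the ASA as 192.168.66.5 -> 10.0.0.10, which is exactly the pair the site B crypto ACL in the thread names; the variant with the local addresses never matches, so that traffic would leave the outside interface in the clear or be dropped rather than entering the tunnel. Verifying the post-NAT pair this way before bringing the tunnel up is a cheap check against the most common cause of "interesting traffic" silently bypassing the VPN.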

Cool, I didn't know there was more than one way to do it.

For source & destination NAT, what should the crypto ACL look like for SITE B? Do you use the outside local or global address for the destination?
