07-08-2010 03:01 PM
I'm trying to set up a site-to-site tunnel between an ASA and Checkpoint NGX R62. Their internal hosts' IP range overlaps with our internal IP range. Unfortunately they're not offering to NAT on their side. Is it possible on the ASA to set up a NAT so that my internal hosts get NATed to the outside IP of the ASA?
172.16.0.0 <---> ASA <-- Internet --> NGX R62 <-- 172.16.0.0
07-08-2010 03:53 PM
Anuj,
There is no problem with not doing NAT exemption, which you would normally do in the case of typical NAT ... you know, those nat 0 access-list statements :-)
Remember that NAT is done before encryption - so you will need to change the access-list in crypto too.
One thing you did not mention is:
How do I solve routing? I.e. traffic from your PC of 172.16.1.2 wants to go to 172.16.1.3 on the other side of the tunnel... I believe you will also need to NAT their subnet (even if it's identity NAT).
07-08-2010 08:34 PM
Hi Marcin,
This is what I have... wondering if this is correct.
Re: ASA conf
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 2.2.2.2 ( peer ip address)
crypto map outside_map 1 set transform-set ESP-3DES-SHA1
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
access-list outside_1_cryptomap extended permit ip host 1.1.1.1 (our external ip address) host 172.16.1.3 ( ASA Internal ip address)
!--- NAT ACL
access-list policy-nat permit ip host 172.16.1.3 host 3.3.3.3
!-- Translations
static (outside,inside) 1.1.1.1 172.16.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 3.3.3.3 access-list policy-nat
Please check this config and let me know....
Customer doesn't want to do any Natting on their end.
I'm also getting an error message when I do show crypto ipsec sa: "There are no ipsec sas"
Please advise
07-09-2010 03:14 AM
Anuj,
Let me reply like this.
Both sides need to have consistent access-lists matching what traffic is interesting for encryption, so I would say the ACL should be:
(assuming you want to PAT all traffic)
permit ip h 1.1.1.1 172.16.0.0 255.255.0.0
i.e. we want all traffic from our IP address of 1.1.1.1 to go to 172.16.0.0 255.255.0.0, which is the pool on the other side (also as seen by the other side).
Regarding NAT it will look like this.
nat (inside) 101 172.16.0.0 255.255.0.0
global (outside) 101 1.1.1.1 (the IP address of interface/ so you will need most likely "interface" keyword)
Now we need to take care of us being able to communicate to external 172.16.0.0 subnet.
You will need to mask it for internal users, so you can do something like
static (outside,inside) 10.16.0.0 172.16.0.0 netmask 255.255.0.0
This way your users will think that they are communicating with 10.16.0.0 subnet.
Now, I have not tested this; in theory it can work (considering xlate lookup is done before routing). I cannot provide a guarantee because, as I understand it, it was never meant to work like that :-)
It's not a very nice configuration AND SHOULD BE AVOIDED, and this should be used instead:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
or use IPv6!
Marcin
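The ordering Marcin relies on (xlate first, then the crypto ACL is evaluated on the translated addresses) is easy to get wrong when both sites use 172.16.0.0/16. The following Python model is an added illustration, not configuration or code from the thread, from Cisco, or from the ASA itself: it assumes the 8.2-style NAT/global and static statements from the post above, the masked 10.16.0.0/16 range Marcin suggests, and the addresses used in the thread, and it shows which packets would be encrypted, which would never reach the ASA at all (the routing problem raised earlier), and why a crypto ACL written on pre-NAT addresses silently never matches.

```python
"""
Toy model of an ASA 8.2-style outbound flow for the overlapping-subnet
scenario in this thread. Constructed example: the functions below are a
stand-in for the ASA's xlate and crypto-map lookup, not Cisco code.
"""
from ipaddress import IPv4Address, IPv4Network

# Both sites use the same private range (the overlap that started the thread).
LOCAL_LAN = IPv4Network("172.16.0.0/16")
REMOTE_LAN = IPv4Network("172.16.0.0/16")

# Our ASA's outside address, used as the PAT address:
#   nat (inside) 101 172.16.0.0 255.255.0.0
#   global (outside) 101 interface        (1.1.1.1 in the thread)
OUTSIDE_IP = IPv4Address("1.1.1.1")

# static (outside,inside) 10.16.0.0 172.16.0.0 netmask 255.255.0.0
# Inside users address the remote site as 10.16.x.y; the ASA rewrites the
# destination back to the real 172.16.x.y before the crypto map is consulted.
MASKED_REMOTE = IPv4Network("10.16.0.0/16")

# access-list outside_1_cryptomap: permit ip host 1.1.1.1 172.16.0.0 255.255.0.0
# It is evaluated on the *translated* packet, hence the PAT address as source.
CRYPTO_ACL = [(IPv4Network("1.1.1.1/32"), REMOTE_LAN)]

# The tempting but wrong ACL, written on pre-NAT addresses.
PRE_NAT_ACL = [(LOCAL_LAN, REMOTE_LAN)]


def subnets_overlap(a, b):
    """True when the two sites' ranges collide (the reason NAT is needed at all)."""
    return a.overlaps(b)


def untranslate_destination(dst):
    """Reverse the static (outside,inside) mapping: 10.16.x.y -> 172.16.x.y."""
    if dst in MASKED_REMOTE:
        offset = int(dst) - int(MASKED_REMOTE.network_address)
        return IPv4Address(int(REMOTE_LAN.network_address) + offset)
    return dst


def translate_source(src):
    """nat/global pair: every inside host is PATed to the outside address."""
    return OUTSIDE_IP if src in LOCAL_LAN else src


def outbound_xlate(src, dst):
    """xlate lookup happens before routing and before the crypto ACL match."""
    return translate_source(src), untranslate_destination(dst)


def acl_permits(acl, src, dst):
    return any(src in s_net and dst in d_net for s_net, d_net in acl)


def classify_outbound(src_str, dst_str, acl=CRYPTO_ACL):
    """Return the translated addresses and whether the packet would be encrypted."""
    src, dst = IPv4Address(src_str), IPv4Address(dst_str)

    # A host on 172.16.0.0/16 talking to another 172.16.x.y address ARPs for it
    # locally; the packet never reaches the ASA. This is the routing problem.
    if dst in LOCAL_LAN:
        return {"src": str(src), "dst": str(dst), "encrypted": False,
                "reason": "destination is on the local LAN, never reaches the ASA"}

    nat_src, nat_dst = outbound_xlate(src, dst)
    if acl_permits(acl, nat_src, nat_dst):
        reason = "post-NAT packet matched the crypto ACL"
    else:
        reason = "post-NAT packet did not match the crypto ACL, sent in the clear"
    return {"src": str(nat_src), "dst": str(nat_dst),
            "encrypted": acl_permits(acl, nat_src, nat_dst), "reason": reason}


if __name__ == "__main__":
    print("overlap:", subnets_overlap(LOCAL_LAN, REMOTE_LAN))
    print(classify_outbound("172.16.1.2", "10.16.1.3"))            # encrypted
    print(classify_outbound("172.16.1.2", "172.16.1.3"))           # never leaves the LAN
    print(classify_outbound("172.16.1.2", "10.16.1.3", PRE_NAT_ACL))  # ACL on wrong addresses
    print(classify_outbound("172.16.1.2", "203.0.113.5"))          # ordinary PATed internet traffic
```

The PRE_NAT_ACL case is the failure mode behind "There are no ipsec sas": the ACL looks right on paper, but because the source has already been rewritten to 1.1.1.1 by the time the crypto map is checked, no packet ever qualifies as interesting traffic and Phase 2 is never brought up.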
07-09-2010 07:17 AM
Hi Marcin,
Thanks for the quick response... I will use the website to create the tunnel. I had a question with regard to the config on the site.
global (outside) 1 172.19.1.1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!--- The above statements will PAT the internet traffic
!--- except the VPN traffic using the IP address 172.19.1.1
172.19.1.1 - where is this IP coming from? Shouldn't it be 172.16.1.1? This is part of the PIX A config.
07-09-2010 08:33 AM
Anuj,
Please be aware that this config is for both sides doing NAT at the same time - unlike the scenario you mentioned initially, unless the other side changed their opinion?
172.19.1.1 indeed seems fishy; the IP address does not belong anywhere.
Like in the case of PIX-B, I'm pretty sure it should have been "interface".
Marcin
07-09-2010 11:12 AM
I will talk to them and see what they say.
On another note... am I getting this error msg because the tunnel is down: "there are no ipsec sas"?
07-09-2010 12:44 PM
Anuj,
That's not an error message. It's just an indication that Phase 2 was not established fully.
Marcin
07-09-2010 03:37 PM
Anuj,
This one might be also useful ... I guess this is the one you were referring to before?
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml
Marcin
07-12-2010 02:13 PM
Thanks Marcin
I will give this a try... I'm still waiting for the customer to call me back
07-21-2010 08:39 AM
Hey Marcin,
Finally the customer got back to me...
I'm trying to set up the tunnel using the
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml
but I had a quick question
Correct me if I'm wrong, but isn't this access-list incorrect?
access-list policy-nat extended permit ip 172.18.1.0 255.255.255.0 192.168.1.0 255.255.255.0
static (inside,outside) 172.18.1.0 access-list policy-nat
Shouldn't it be
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
static (inside,outside) 172.18.1.0 access-list policy-nat
!--- VPN traffic and translates the source (192.168.1.0) to 172.18.1.0
!--- for outbound VPN traffic
Please advise.