Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
659
Views
0
Helpful
6
Replies

VPN Configuration using Natting -- require help

Go to solution
sidcracker
Level 1
Level 1

‎08-16-2010 08:21 PM - edited ‎03-11-2019 11:26 AM

Hello,

The Router VPN has multiple VPNS that are initiated to the customers. The ASA handles the ACLS and Natting part of the VPN and the VPN device handles the policies and encryption/decryption.

For each Site to Site VPN a new pool is assigned on the VPN interface for static natting and PAT. Example for VPN XYZ we would define a new pool 172.16.20.0.

All traffic via the VPN will be first entering the router VPN and then the ASA. All traffic not in the VPN will come directly from the outside interface.

There are two hosts on the inside interface which needs to be access by the remote network of another site.

Am i correct to use the following configuration?

ALL IP ADDRESS and NAMES HAVE BEEN CHANGED

ON THE ASA FIREWALL

========================

***********************************************************************

Allowing the inside host to access the remote host

***********************************************************************

access-list site_to_site_vpn extended permit ip object-group inside_hosts host 192.168.0.100

*************************************

To be natted to 172.16.20.20

*************************************

nat (inside) 100 access-list site_to_site-vpn

global (vpn) 100 172.16.20.20

********************************************************************************************************************************

Allowing the remote host 192.168.0.100 to access the inside hosts which is continuation of the above session

********************************************************************************************************************************

access-list vpn_to_asa extended permit tcp host 192.168.0.100 object-group inside_hosts range 700 800
access-list vpn_to_asa extended permit tcp host 192.168.0.100 object-group inside_hosts eq 234
access-list vpn_to_asa extended permit tcp host 192.168.0.100 object-group inside_hosts eq 567
access-list vpn_to_asa extended permit tcp host 192.168.0.100 object-group inside_hosts eq 911
access-list vpn_to_asa extended permit tcp host 192.168.0.100 object-group inside_hosts eq 2345
access-list vpn_to_asa extended permit tcp host 192.168.0.100 object-group inside_hosts eq 6456
access-list vpn_to_asa extended permit tcp host 192.168.0.100 object-group inside_hosts eq 543
access-list vpn_to_asa extended permit udp host 192.168.0.100 object-group inside_hosts eq 744

(The access-list is mapped to the VPN interface)

*********************************************************************************************************************

When remote hosts are initiating connection, they will access the static nat to reach the inside hosts

*********************************************************************************************************************

access-list site_to_site_staticnat_1 extended permit ip host 192.168.20.10 host 192.168.0.100
access-list site_to_site_staticnat_2 extended permit ip host 192.168.20.11 host 192.168.0.100

static (inside,vpn) 172.16.20.21 access-list site_to_site_staticnat_1
static (inside,vpn) 172.16.20.22 access-list site_to_site_staticnat_2

ON THE ROUTER VPN

====================

ip access-list extended site_to_site_vpn_cryptomap
permit ip 172.16.20.0 0.0.0.255 192.168.0.100 0.0.0.0

                      (outside)

                        ----------

                           |

192.168.20.0        |

   inside               |         192.168.18.0(VPN)

      |--------------------|-------------|                 |-------------------------------------

------|                                 |                 |                                    |20.20.20.0

      |          ASA                |-----------------|            Router VPN       |----------------

      |---------------------------------                 |------------------------------------|

              |                   |

              |                   |

              |                   |

              |                   |

           ----------        -------------

  192.168.10.0      192.168.12.0   (DMZ1)

     (DMZ 2)

Let me know if this configuration is correct..

Thanks for your help in advance

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to sidcracker

‎08-16-2010 09:55 PM

Correct, that's right.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎08-16-2010 08:35 PM

All the configuration looks correct apart from the following:

nat (inside) 100 access-list site_to_site-vpn

global (vpn) 100 172.16.20.20

I am not quite sure what the above is trying to achieve since you already have the static policy NAT configuration.

0 Helpful

Go to solution
sidcracker
Level 1
Level 1
In response to Jennifer Halim

‎08-16-2010 09:07 PM

Hello,

All I am trying to do is that traffic initiated from the inside will use the PAT address and traffic initiated from the outside will use the static NAT. But in this case if traffic is initiated from inside it will still use the static NAT since static NAT is preferred above the PAT. Am I correct on that? If so then the pat address is not required

Thanks

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to sidcracker

‎08-16-2010 09:31 PM

Yes, you are absolutely correct. Static policy NAT will take precedence over policy NAT, hence the PAT address becomes redundant unless you require all the other internal ip subnets but 192.168.20.10 and 192.168.20.11 to initiate connection towards 192.168.0.100, then in this case, they will get PATed to 172.16.20.20.

0 Helpful

Go to solution
sidcracker
Level 1
Level 1
In response to Jennifer Halim

‎08-16-2010 09:47 PM

Thanks for your quick responses.

0 Helpful

Go to solution
sidcracker
Level 1
Level 1
In response to Jennifer Halim

‎08-16-2010 09:49 PM

Just another clarification.....

The ACLS provided in the configuration should allow traffic from the remote end to access the internal hosts right? I dont need to add any other ACLS even if i remove the nat globals from the configuration?

Thanks

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to sidcracker

‎08-16-2010 09:55 PM

Correct, that's right.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card