Replicating ASA 'static' command on 2851 Router with VPN

Sep 16th, 2010

Hello,


I was wondering if it is possible to replicate the following ASA configuration on a Cisco 2851 Router?


ASA running 8.2

Router running 15.1


<ASA 5505 config>
hostname ASA
interface Vlan2
  nameif outside
  security-level 0
  ip address 10.7.5.222 255.255.255.248
!
interface Vlan3
  nameif inside
  security-level 100
  ip address 10.2.6.158 255.255.255.252
!
interface Ethernet0/0
  switchport access vlan 2
!
interface Ethernet0/1
  switchport access vlan 3
!
interface Ethernet0/2
  shutdown
!
interface Ethernet0/3
  shutdown
!
interface Ethernet0/4
  shutdown
!
interface Ethernet0/5
  shutdown
!
interface Ethernet0/6
  shutdown
!
interface Ethernet0/7
  shutdown
!
object-group network HQ
  network-object 192.168.0.0 255.255.255.0
object-group network HOSTS-AT-HQ
  network-object host 192.168.0.5
  network-object host 192.168.0.6
  network-object host 192.168.0.7
object-group network OFFICEA
  network-object 192.168.1.0 255.255.255.0
object-group network LOCAL-DEVICES
  network-object host 10.4.9.57
access-list acl_local_to_hq extended permit ip object-group LOCAL-DEVICES object-group HOSTS-AT-HQ
access-list acl_local_to_officea extended permit ip object-group LOCAL-DEVICES host 192.168.1.5
access-list acl_nonat_vpn extended permit ip object-group LOCAL-DEVICES object-group HOSTS-AT-HQ
access-list acl_nonat_vpn extended permit ip object-group LOCAL-DEVICES host 192.168.1.5
nat-control
nat (inside) 0 access-list acl_nonat_vpn
static (outside,inside) tcp interface 14809 192.168.1.5 14000 netmask 255.255.255.255
static (outside,inside) tcp interface 14810 192.168.0.5 14000 netmask 255.255.255.255
static (outside,inside) tcp interface 14811 192.168.0.6 14000 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 10.7.5.217
route inside 10.4.9.0 255.255.255.0 10.2.6.157
crypto ipsec transform-set esp-aes-256-sha-hmac esp-aes-256 esp-sha-hmac
crypto map local-map 10 match address acl_local_to_hq
crypto map local-map 10 set peer w.x.y.z
crypto map local-map 10 set transform-set esp-aes-256-sha-hmac
crypto map local-map 20 match address acl_local_to_officea
crypto map local-map 20 set peer a.b.c.d
crypto map local-map 20 set transform-set esp-aes-256-sha-hmac
crypto isakmp enable outside
crypto isakmp policy 10
! policy stuff
management-access inside
tunnel-group w.x.y.z type ipsec-l2l
tunnel-group w.x.y.z ipsec-attributes
  pre-shared-key xxxxxxxxxx
tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d ipsec-attributes
  pre-shared-key xxxxxxxxxx
</ASA 5505 config>


I am specifically looking for the replication of the 'static' commands.


Thanks,

Mike

Federico Coto F... Thu, 09/16/2010 - 12:46

Hi,


Sure, you can replicate the configuration (the syntax will obviously change because the router runs IOS).


The router should have an encryption image to support IPsec.

Also the NAT configuration can be done and the ACLs.


Object groups are not a concept on routers (as far as I'm aware), but that's not a problem; you create the rules individually.


To give you an example for the static:

static (outside,inside) tcp interface 14809 192.168.1.5 14000 netmask 255.255.255.255


ip nat inside source static tcp 192.168.1.5 14000 14809


Since the ASA is stateful failover and the router is not, sometimes you should configure CBAC or ZBF.


Federico.

Michael Mercier Fri, 09/17/2010 - 06:09

Hi Federico,


You can use object groups on the router.


http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_object_group_acl.html#wp1132617


but you can't use it with IPSec (quote from document)

"Object group-based ACLs are not supported with IPsec."


I tried your suggestion, and it doesn't seem to work.  I have run 'debug ip nat' and then tried to connect, but I don't see any output from the debug statement.


Here is part of the router config, maybe you can see my error?


version 15.1
!
hostname router
!
ip source-route
!
no ip domain lookup
ip domain name xxxxxxxx
!
crypto isakmp policy 11
 encr aes
 authentication pre-share
 group 5
crypto isakmp key xxxxxx address w.x.y.z
!
!
crypto ipsec transform-set esp-aes-256-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map local-map 10 ipsec-isakmp
 set peer w.x.y.z
 set transform-set esp-aes-256-sha-hmac
 match address acl_local_to_hq
!
!
interface GigabitEthernet0/0
 ip address 10.7.5.222 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 crypto map local-map
!
interface GigabitEthernet0/1
 ip address 10.2.6.158 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source static tcp 192.168.0.5 14000 10.7.5.158 14810 extendable
ip route 0.0.0.0 0.0.0.0 10.7.5.217
ip route 10.4.9.0 255.255.255.0 10.2.6.157
ip access-list extended acl_local_to_hq
 permit ip host 10.4.9.57 host 192.168.0.5
!



Thanks,

Mike

Federico Coto F... Fri, 09/17/2010 - 06:42

Mike,


The NAT statement:


ip nat inside source static tcp 192.168.0.5 14000 10.7.5.158 14810 extendable


says that when traffic reaches 10.7.5.158 on TCP port 14810 it should be redirected to 192.168.0.5 on TCP port 14000.

But, I don't see how the router knows how to reach 192.168.0.5


According to the setup, 192.168.0.5 should be reachable via the inside interface (but the router has a default route to the outside to reach that IP).


So, besides the configuration please explain what you're trying to do.


Federico.

Michael Mercier Fri, 09/17/2010 - 09:25

Hi Federico,


Here is what I am trying to accomplish:


A workstation (10.4.9.57) is trying to communicate with devices at HQ and OFFICEA.  This workstation is behind a firewall and can't be routed to communicate directly with the systems at HQ/OFFICEA (out of my control), but the workstation can communicate with my router's inside address (10.2.6.158).


When the workstation sends data, I want it translated as follows:

10.2.6.158:14801 => 192.168.0.5:14000

10.2.6.158:14802 => 192.168.0.6:14000

10.2.6.158:14803 => 192.168.1.5:14000


Then the data will traverse the HQ VPN to reach 192.168.0.5-6 and the OFFICEA VPN to reach 192.168.1.5


I currently have this working with the ASA configuration above.


Thanks,

Mike

Michael Mercier Thu, 09/23/2010 - 11:36

Hi,


I have finally figured out the basics of this (it can't be replicated exactly)...


interface GigabitEthernet0/0
 ip address 10.7.5.222 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 10.2.6.158 255.255.255.252
 ip nat inside
!
ip nat outside source static tcp 192.168.0.5 14000 10.2.6.161 14810 extendable add-route


I had been trying to use the "interface GigabitEthernet0/1" address to do the static.  It was not until I read http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml (NAT Order of Operation) that I saw that the address being used for the 'ip nat' can't be on the same subnet as the interface.


Thanks,

Mike
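The point the thread turns on is direction: in ASA 8.2, `static (outside,inside) ...` names the real interface first, so the real host (192.168.0.5) sits on the outside, behind the VPN, and is presented on an inside-facing address. That is why the first suggestion of `ip nat inside source static` translated nothing and why the working form is `ip nat outside source static ... add-route`. The script below is an added example, not code from the thread or from Cisco: it parses the ASA statics from the original question and emits the IOS equivalents, generalising to the ordinary inside-server port forward as well. The router interface names, the 10.2.6.161 outside-local address and the "not on the inside interface's subnet" check are assumptions taken from the final working configuration above.

```python
"""Translate ASA 8.2 port-forwarding 'static' lines into IOS 'ip nat' lines.

Added example for this thread, not code from Cisco or from the posters.
Interface names, the 10.2.6.161 outside-local address and the subnet check
are assumptions lifted from the final working configuration in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ASA 8.2 port-forward form (real interface is named FIRST):
#   static (real_ifc,mapped_ifc) {tcp|udp} {mapped_ip|interface} mapped_port
#          real_ip real_port netmask 255.255.255.255
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>interface|\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mapped_port>\d+)\s+"
    r"(?P<real_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<real_port>\d+)\s+"
    r"netmask\s+255\.255\.255\.255\s*$"
)


@dataclass(frozen=True)
class RouterIface:
    """A router interface as IOS NAT sees it (names and addresses are assumed)."""
    name: str   # e.g. "GigabitEthernet0/1"
    cidr: str   # interface address with prefix length, e.g. "10.2.6.158/30"


# ASA nameif -> router interface, using the addressing from the thread.
IFACES: Dict[str, RouterIface] = {
    "outside": RouterIface("GigabitEthernet0/0", "10.7.5.222/29"),
    "inside": RouterIface("GigabitEthernet0/1", "10.2.6.158/30"),
}

# The three statics from the original question (copied from the ASA config).
ASA_STATICS = """\
static (outside,inside) tcp interface 14809 192.168.1.5 14000 netmask 255.255.255.255
static (outside,inside) tcp interface 14810 192.168.0.5 14000 netmask 255.255.255.255
static (outside,inside) tcp interface 14811 192.168.0.6 14000 netmask 255.255.255.255
"""


def parse_static(line: str) -> dict:
    """Split one ASA static into its fields, or raise if it is not a port forward."""
    m = STATIC_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an ASA 8.2 port-forward static: {line!r}")
    return m.groupdict()


def on_same_subnet(ip: str, iface: RouterIface) -> bool:
    """True if ip falls inside the interface's connected subnet."""
    return ipaddress.ip_address(ip) in ipaddress.ip_interface(iface.cidr).network


def translate_static(line: str, ifaces: Dict[str, RouterIface],
                     outside_local_ip: Optional[str] = None) -> Tuple[str, List[str]]:
    """Return (ios_line, warnings) for one ASA static.

    real_ifc == "inside": classic port forward of an inside server; IOS uses
    'ip nat inside source static' and may bind to the outside interface.
    real_ifc == "outside": the thread's case, a host behind the outside
    interface presented on an inside-facing address; IOS uses
    'ip nat outside source static ... add-route'. 'interface' is not usable
    there, so the inside-facing address must be supplied, and the final post
    reports that an address on the inside interface's own subnet did not work.
    """
    s = parse_static(line)
    proto, mport, rip, rport = s["proto"], s["mapped_port"], s["real_ip"], s["real_port"]
    mapped_if = ifaces[s["mapped_ifc"]]
    warnings: List[str] = []

    if s["real_ifc"] == "inside":
        if s["mapped_ip"] == "interface":
            return (f"ip nat inside source static {proto} {rip} {rport} "
                    f"interface {mapped_if.name} {mport}", warnings)
        return (f"ip nat inside source static {proto} {rip} {rport} "
                f"{s['mapped_ip']} {mport} extendable", warnings)

    # Real host lives on the outside (VPN side).
    local = outside_local_ip if s["mapped_ip"] == "interface" else s["mapped_ip"]
    if local is None:
        raise ValueError("outside_local_ip is required when the ASA static used 'interface'")
    if on_same_subnet(local, mapped_if):
        net = ipaddress.ip_interface(mapped_if.cidr).network
        warnings.append(f"{local} is on {mapped_if.name}'s subnet {net}; "
                        "the thread reports this form did not translate")
    return (f"ip nat outside source static {proto} {rip} {rport} {local} {mport} "
            "extendable add-route", warnings)


def translate_config(asa_text: str, ifaces: Dict[str, RouterIface],
                     outside_local_ip: Optional[str] = None) -> Tuple[List[str], List[str]]:
    """Translate every 'static' line in an ASA fragment; other lines are skipped."""
    ios_lines: List[str] = []
    warnings: List[str] = []
    for raw in asa_text.splitlines():
        if raw.strip().startswith("static "):
            ios, w = translate_static(raw, ifaces, outside_local_ip)
            ios_lines.append(ios)
            warnings.extend(w)
    return ios_lines, warnings


if __name__ == "__main__":
    lines, warns = translate_config(ASA_STATICS, IFACES, outside_local_ip="10.2.6.161")
    print("\n".join(lines))
    for w in warns:
        print("WARNING:", w)
```

All three mappings can share the single outside-local address because `extendable` lets several port-level translations hang off one address. Two checks worth making before relying on this: the upstream firewall that can reach 10.2.6.158 must also have a route for the off-subnet 10.2.6.161 pointing at the router, and each real host still has to be covered by a crypto-map ACL entry (the first router config only matched 192.168.0.5), otherwise the translated packet is routed to the default route instead of the tunnel.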
