09-16-2010 06:17 AM
Hello,
I was wondering if it is possible to replicate the following ASA configuration on a Cisco 2851 Router?
ASA running 8.2
Router running 15.1
<ASA 5505 config>
hostname ASA
interface Vlan2
nameif outside
security-level 0
ip address 10.7.5.222 255.255.255.248
!
interface Vlan3
nameif inside
security-level 100
ip address 10.2.6.158 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
object-group network HQ
network-object 192.168.0.0 255.255.255.0
object-group network HOSTS-AT-HQ
network-object host 192.168.0.5
network-object host 192.168.0.6
network-object host 192.168.0.7
object-group network OFFICEA
network-object 192.168.1.0 255.255.255.0
object-group network LOCAL-DEVICES
network-object host 10.4.9.57
access-list acl_local_to_hq extended permit ip object-group LOCAL-DEVICES object-group HOSTS-AT-HQ
access-list acl_local_to_officea extended permit ip object-group LOCAL-DEVICES host 192.168.1.5
access-list acl_nonat_vpn extended permit ip object-group LOCAL-DEVICES object-group HOSTS-AT-HQ
access-list acl_nonat_vpn extended permit ip object-group LOCAL-DEVICES host 192.168.1.5
nat-control
nat (inside) 0 access-list acl_nonat_vpn
static (outside,inside) tcp interface 14809 192.168.1.5 14000 netmask 255.255.255.255
static (outside,inside) tcp interface 14810 192.168.0.5 14000 netmask 255.255.255.255
static (outside,inside) tcp interface 14811 192.168.0.6 14000 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 10.7.5.217
route inside 10.4.9.0 255.255.255.0 10.2.6.157
crypto ipsec transform-set esp-aes-256-sha-hmac esp-aes-256 esp-sha-hmac
crypto map local-map 10 match address acl_local_to_hq
crypto map local-map 10 set peer w.x.y.z
crypto map local-map 10 set transform-set esp-aes-256-sha-hmac
crypto map local-map 20 match address acl_local_to_officea
crypto map local-map 20 set peer a.b.c.d
crypto map local-map 20 set transform-set esp-aes-256-sha-hmac
crypto isakmp enable outside
crypto isakmp policy 10
! policy stuff
management-access inside
tunnel-group w.x.y.z type ipsec-l2l
tunnel-group w.x.y.z ipsec-attributes
pre-shared-key xxxxxxxxxx
tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d ipsec-attributes
pre-shared-key xxxxxxxxxx
</ASA 5505 config>
I am specifically looking for the replication of the 'static' commands.
Thanks,
Mike
09-16-2010 12:46 PM
Hi,
Sure, you can replicate the configuration (the syntax will obviously change because the router runs IOS).
The router should have an encryption image to support IPsec.
Also the NAT configuration can be done and the ACLs.
The object-group is not a concept for routers (as far as I'm aware), but that's not a problem, you create the rules individually.
To give you an example for the static:
static (outside,inside) tcp interface 14809 192.168.1.5 14000 netmask 255.255.255.255
ip nat inside source static tcp 192.168.1.5 14000
Since the ASA is stateful failover and the router is not, sometimes you should configure CBAC or ZBF.
Federico.
09-17-2010 06:09 AM
Hi Federico,
You can use object groups on the router,
but you can't use them with IPsec (quote from document):
"Object group-based ACLs are not supported with IPsec."
I tried your suggestion, and it doesn't seem to work. I have run 'debug ip nat' and then tried to connect, but I don't see any output from the debug statement.
Here is part of the router config, maybe you can see my error?
version 15.1
!
hostname router
!
ip source-route
!
no ip domain lookup
ip domain name xxxxxxxx
!
crypto isakmp policy 11
encr aes
authentication pre-share
group 5
crypto isakmp key xxxxxx address w.x.y.z
!
!
crypto ipsec transform-set esp-aes-256-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map local-map 10 ipsec-isakmp
set peer w.x.y.z
set transform-set esp-aes-256-sha-hmac
match address acl_local_to_hq
!
!
interface GigabitEthernet0/0
ip address 10.7.5.222 255.255.255.248
ip nat outside
ip virtual-reassembly in
crypto map local-map
!
interface GigabitEthernet0/1
ip address 10.2.6.158 255.255.255.252
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source static tcp 192.168.0.5 14000 10.7.5.158 14810 extendable
ip route 0.0.0.0 0.0.0.0 10.7.5.217
ip route 10.4.9.0 255.255.255.0 10.2.6.157
ip access-list extended acl_local_to_hq
permit ip host 10.4.9.57 host 192.168.0.5
!
Thanks,
Mike
09-17-2010 06:42 AM
Mike,
The NAT statement:
ip nat inside source static tcp 192.168.0.5 14000 10.7.5.158 14810 extendable
Says that when traffic reaches 10.7.5.158 on TCP port 14810 should be redirected to 192.168.0.5 on TCP port 14000.
But, I don't see how the router knows how to reach 192.168.0.5
According to the setup, 192.168.0.5 should be reachable via the inside interface (but the router has a default route to the outside to reach that IP).
So, besides the configuration please explain what you're trying to do.
Federico.
09-17-2010 09:25 AM
Hi Federico,
Here is what I am trying to accomplish:
A workstation (10.4.9.57) is trying to communicate with devices at HQ and OFFICEA. This workstation is behind a firewall and can't be routed to communicate directly with the systems at HQ/OFFICEA (out of my control), but the workstation can communicate with my routers inside address (10.2.6.158).
When the workstation sends data, I want it translated as follows:
10.2.6.158:14801 => 192.168.0.5:14000
10.2.6.158:14802 => 192.168.0.6:14000
10.2.6.158:14803 => 192.168.1.5:14000
Then the data will traverse the HQ VPN to reach 192.168.0.5-6 and the OFFICEA VPN to reach 192.168.1.5
I currently have this working with the ASA configuration above.
Thanks,
Mike
09-23-2010 11:36 AM
Hi,
I have finally figured out the basics of this (it can't be replicated exactly)...
interface GigabitEthernet0/0
ip address 10.7.5.222 255.255.255.248
ip nat outside
interface GigabitEthernet0/1
ip address 10.2.6.158 255.255.255.252
ip nat inside
ip nat outside source static tcp 192.168.0.5 14000 10.2.6.161 14810 extendable add-route
I had been trying to use the "interface GigabitEthernet0/1" address to do the static. It was not until I read http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml (NAT Order of Operation) that I saw that the address being used for the 'ip nat' can't be on the same subnet as the interface.
Thanks,
Mike
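The translation Mike ended up with, written out as a small converter. This is an added example, not code from the thread or from Cisco: it parses the ASA 'static (outside,inside) ... interface <port> ...' lines posted above, emits the IOS 'ip nat outside source static ... extendable add-route' equivalent, and refuses a local address that sits inside the router's inside-interface subnet, which is the constraint Mike hit. The sample statics, the local address 10.2.6.161 and the inside-interface prefix 10.2.6.158/30 are taken from the posts; the helper names are my own, and the converter only handles statics that use the 'interface' keyword with a /32 netmask (the form that appears in the thread).

```python
import ipaddress
import re

# Constructed sample input: the three ASA 'static' lines from the thread.
ASA_STATICS = """\
static (outside,inside) tcp interface 14809 192.168.1.5 14000 netmask 255.255.255.255
static (outside,inside) tcp interface 14810 192.168.0.5 14000 netmask 255.255.255.255
static (outside,inside) tcp interface 14811 192.168.0.6 14000 netmask 255.255.255.255
"""

# ASA 8.2 syntax: static (real_ifc,mapped_ifc) proto interface mapped_port real_ip real_port
# Only the 'interface' keyword form with a host netmask is handled here (assumption).
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) (?P<proto>tcp|udp) "
    r"interface (?P<mapped_port>\d+) (?P<real_ip>[\d.]+) (?P<real_port>\d+) "
    r"netmask 255\.255\.255\.255$"
)


def parse_asa_static(line):
    """Split one ASA static line into its fields; raise on unsupported forms."""
    m = STATIC_RE.match(line.strip())
    if m is None:
        raise ValueError("unsupported ASA static line: %r" % line)
    fields = m.groupdict()
    if fields["real_ifc"] != "outside" or fields["mapped_ifc"] != "inside":
        raise ValueError("only (outside,inside) statics map to 'ip nat outside source'")
    return fields


def local_ip_is_usable(local_ip, inside_iface_cidr):
    """The IOS outside-local address must not fall inside the inside interface's own subnet."""
    inside_net = ipaddress.ip_interface(inside_iface_cidr).network
    return ipaddress.ip_address(local_ip) not in inside_net


def ios_outside_static(fields, local_ip, inside_iface_cidr):
    """Render one IOS 'ip nat outside source static' line for a parsed ASA static.

    The real (outside) host:port becomes the outside-global pair, the chosen local
    address plus the ASA's mapped port becomes the outside-local pair, and add-route
    installs the host route the router needs for the outside-local address.
    """
    if not local_ip_is_usable(local_ip, inside_iface_cidr):
        raise ValueError(
            "%s is inside %s; pick an address off the inside interface subnet"
            % (local_ip, inside_iface_cidr)
        )
    return (
        "ip nat outside source static %s %s %s %s %s extendable add-route"
        % (fields["proto"], fields["real_ip"], fields["real_port"],
           local_ip, fields["mapped_port"])
    )


def convert(asa_text, local_ip, inside_iface_cidr):
    """Convert every ASA static line in asa_text to its IOS equivalent."""
    return [
        ios_outside_static(parse_asa_static(line), local_ip, inside_iface_cidr)
        for line in asa_text.splitlines()
        if line.strip()
    ]


if __name__ == "__main__":
    # 10.2.6.161 is off the 10.2.6.156/30 subnet of GigabitEthernet0/1, so this succeeds.
    for cmd in convert(ASA_STATICS, "10.2.6.161", "10.2.6.158/30"):
        print(cmd)
    # Using the interface address itself (10.2.6.158) is rejected.
    print(local_ip_is_usable("10.2.6.158", "10.2.6.158/30"))
```

The check matches the thread's finding rather than the ASA behaviour: on the ASA the mapped side can be the interface address, but on IOS the outside-local address has to be one the router can route toward the inside, which is why 10.2.6.161 works and 10.2.6.158 does not.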