NAT IPSEC site-to-site VPN ASA 8.4

Answered Question
Jun 27th, 2011

My goal is to create a VPN from me (61.227.106.64) to a vendor (9.105.8.204) using an ASA 5510 with 8.4 on it. The vendor's private LANs are 10.134.115.0/24 and 10.135.115.0/24. My private LAN is 10.11.102.0/24 but I want to NAT it to 61.227.106.70.

Is the following config correct?

ASA Version 8.4(2)
interface Ethernet0/0
 nameif LAN
 security-level 0
 ip address 10.241.1.61 255.255.255.0
!
interface Ethernet0/1
 nameif WAN
 security-level 0
 ip address 61.227.106.64 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network CareOneTSFarm
 subnet 10.11.102.0 255.255.255.0
object network Core_NAT
 host 61.227.106.70
object network NAT_to_outside
 subnet 0.0.0.0 0.0.0.0
object-group network Core_LAN
 network-object 10.134.115.0 255.255.255.0
 network-object 10.135.115.0 255.255.255.0
access-list VPNCore extended permit ip object CareOneTSFarm object-group Core_LAN
nat (LAN,WAN) source static CareOneTSFarm Core_NAT destination static Core_LAN Core_LAN
!
object network NAT_to_outside
 nat (LAN,WAN) dynamic interface
route WAN 0.0.0.0 0.0.0.0 61.227.106.1 1
route LAN 10.11.0.0 255.255.0.0 10.241.1.1 1
crypto ipsec ikev1 transform-set AES256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map VPN 50 match address VPNCore
crypto map VPN 50 set peer 9.105.8.204
crypto map VPN 50 set ikev1 transform-set AES256_SHA
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto map VPN interface WAN
tunnel-group 9.105.8.204 type ipsec-l2l
tunnel-group 9.105.8.204 ipsec-attributes
 ikev1 pre-shared-key *****

Correct Answer by Jennifer Halim about 3 years 10 months ago

This NAT line:

nat (LAN,WAN) source static CareOneTSFarm Core_NAT destination static Core_LAN Core_LAN

should be:

nat (LAN,WAN) source dynamic CareOneTSFarm Core_NAT destination static Core_LAN Core_LAN

And the VPNCore ACL should match the NATed IP instead of the real IP:

access-list VPNCore extended permit ip object Core_NAT object-group Core_LAN
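As an added illustration (not part of the thread or Cisco's code), the Python sketch below models the point behind the correction: the ASA translates a LAN-to-WAN packet before the crypto map ACL is evaluated, so the ACL must name the mapped address 61.227.106.70, not the real subnet. The NAT ordering and the many-to-one PAT are a simplified model of the two NAT rules in the posted config, not an emulation of the ASA.

```python
from ipaddress import ip_address, ip_network

# Objects copied from the thread's configuration.
CARE_ONE_TS_FARM = [ip_network("10.11.102.0/24")]   # real inside subnet
CORE_NAT = ip_address("61.227.106.70")               # mapped (PAT) address
CORE_LAN = [ip_network("10.134.115.0/24"), ip_network("10.135.115.0/24")]
WAN_IF = ip_address("61.227.106.64")                 # used by "nat ... dynamic interface"

# Crypto ACLs as (source objects, destination objects).
ACL_AS_POSTED = (CARE_ONE_TS_FARM, CORE_LAN)                   # matches the real IP
ACL_CORRECTED = ([ip_network("61.227.106.70/32")], CORE_LAN)   # matches the NATed IP


def in_group(addr, group):
    return any(addr in net for net in group)


def apply_nat(src, dst):
    """Simplified ASA NAT order: the manual twice-NAT rule (section 1) is
    tried first, then the object NAT 'dynamic interface' PAT (section 2)."""
    # nat (LAN,WAN) source dynamic CareOneTSFarm Core_NAT destination static Core_LAN Core_LAN
    if in_group(src, CARE_ONE_TS_FARM) and in_group(dst, CORE_LAN):
        return CORE_NAT, dst          # many-to-one PAT; destination left unchanged
    # object network NAT_to_outside / nat (LAN,WAN) dynamic interface
    return WAN_IF, dst


def egress(src, dst, crypto_acl):
    """Return (translated source, encrypted?) for a LAN->WAN packet.
    The crypto map ACL is checked after NAT, so it sees the mapped address."""
    xlated_src, xlated_dst = apply_nat(ip_address(src), ip_address(dst))
    acl_src, acl_dst = crypto_acl
    encrypted = in_group(xlated_src, acl_src) and in_group(xlated_dst, acl_dst)
    return str(xlated_src), encrypted


if __name__ == "__main__":
    for acl, name in ((ACL_AS_POSTED, "ACL as posted"), (ACL_CORRECTED, "corrected ACL")):
        print(name, egress("10.11.102.10", "10.134.115.20", acl))
```

With the ACL as posted the translated packet never matches the crypto map and leaves the WAN interface unencrypted; with the corrected ACL it is encrypted, while traffic to other destinations still uses the interface PAT and stays outside the tunnel.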


Posted June 27, 2011 at 2:55 PM
Updated June 27, 2011 at 9:24 PM