ASA 5510 l2l IPSEC Questions


I know how to configure a PIX or ASA for LAN-to-LAN IPsec VPN tunnels to allow the inside networks at each site to communicate through the tunnel. This requires defining an access list that identifies traffic going from site A to site B so that it bypasses the NAT process (i.e. nat (inside) 0 access-list nonat).


Now I have a customer that needs an additional tunnel set up that requires their internal private IPs to be NATted to a publicly routable address and then tunneled. Here are the remote site's VPN requirements.


Checkpoint NG w/AI version R60

Gateway IP: 12.5.XX.XX

Encryption: 3DES/MD5/DH Group 2/Disable Perfect Forward Secrecy

Preshared Key: TBD over the phone

IKE Phase 1 Timeout: 1440 minutes

IPSec Phase 2 Timeout: 3600 seconds

Host to access: 138.108.213.10/32 over TCP Port 23 (standard telnet)

"We will need you to NAT all your internal IPs to an external routable IP address.

That can either be the external interface of your firewall, or another public routable IP address on that network."



Can this be done with the ASA, and if so, how do you NAT before the IPsec process?


gfullage Tue, 06/20/2006 - 21:05
User badges: Cisco Employee

Yes this can be done, quite easily actually. Just keep in mind that NAT happens BEFORE IPSec within the ASA. Let's say your inside is 10.1.1.0/24, the remote inside is 10.2.2.0/24, and you have to NAT the entire 10.1.1.0/24 network to 172.16.1.1.



access-list l2l permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list crypto permit ip host 172.16.1.1 10.2.2.0 255.255.255.0


Define policy NAT to only NAT the L2L traffic, as such:


nat (inside) 5 access-list l2l
global (outside) 5 172.16.1.1


Then your crypto map points to the already-NAT'd traffic as what to send over the tunnel:


....
crypto map mymap 10 match address crypto
....


Make sure you don't have traffic from 10.1.1.0/24 to 10.2.2.0/24 defined in any "nat 0 access-list" ACL, because this will override the policy NAT statement defined. You actually want to NAT this traffic, and that's done by the policy NAT, BEFORE the encryption part of things, so your crypto map ACL simply specifies the already NAT'd traffic.


Also make sure the remote end has the exact opposite ACL on their end: encrypt traffic FROM 10.2.2.0/24 going TO host 172.16.1.1.
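As an added illustration (not code from the thread or from Cisco), the Python model below walks an inside-to-outside packet through the order of operations gfullage describes: NAT exemption is checked first, then policy NAT translates the source, and only then is the crypto map ACL evaluated against the translated address. The networks 10.1.1.0/24, 10.2.2.0/24 and 172.16.1.1 are the answer's example; the packet addresses 10.1.1.5 and 10.2.2.7 are constructed for the demonstration.

```python
import ipaddress
from typing import List, Tuple

Ace = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

def ace(src: str, dst: str) -> Ace:
    """One permit entry of an extended ACL: (source network, destination network)."""
    return ipaddress.ip_network(src), ipaddress.ip_network(dst)

def acl_matches(acl: List[Ace], src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    return any(src in s and dst in d for s, d in acl)

def asa_outbound(src: str, dst: str, nat0: List[Ace],
                 policy_nat: List[Tuple[List[Ace], str]], crypto_acl: List[Ace]) -> Tuple[str, bool]:
    """Model of the ASA order of operations for an inside->outside packet:
    1. the "nat 0 access-list" (NAT exemption) ACL is consulted first and wins if it matches;
    2. otherwise the first policy-NAT rule whose ACL matches rewrites the source address;
    3. the crypto map ACL is evaluated on the *translated* source.
    Returns (source address as it appears on the wire, whether the tunnel ACL matched)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    wire_src = s
    if not acl_matches(nat0, s, d):
        for acl, mapped in policy_nat:
            if acl_matches(acl, s, d):
                wire_src = ipaddress.ip_address(mapped)
                break
    return str(wire_src), acl_matches(crypto_acl, wire_src, d)

# Constructed from the answer: nat (inside) 5 access-list l2l / global (outside) 5 172.16.1.1
L2L = [ace("10.1.1.0/24", "10.2.2.0/24")]
CRYPTO = [ace("172.16.1.1/32", "10.2.2.0/24")]
POLICY_NAT = [(L2L, "172.16.1.1")]

def working_config(src: str = "10.1.1.5", dst: str = "10.2.2.7") -> Tuple[str, bool]:
    # No NAT exemption for this flow: policy NAT runs, crypto ACL sees 172.16.1.1.
    return asa_outbound(src, dst, nat0=[], policy_nat=POLICY_NAT, crypto_acl=CRYPTO)

def broken_config(src: str = "10.1.1.5", dst: str = "10.2.2.7") -> Tuple[str, bool]:
    # Same flow also listed in the nonat ACL: exemption wins, the source is never
    # translated, and the crypto ACL (host 172.16.1.1) does not match, so the packet
    # would leave the outside interface unencrypted instead of entering the tunnel.
    return asa_outbound(src, dst, nat0=L2L, policy_nat=POLICY_NAT, crypto_acl=CRYPTO)

if __name__ == "__main__":
    print(working_config())  # ('172.16.1.1', True)
    print(broken_config())   # ('10.1.1.5', False)
```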

So if I already have a global pool on the outside interface address (i.e. global (outside) 1 interface), then all I really need to do is define the access list to match traffic from my inside network to the remote site's host address and then set up my L2L tunnel group using that access list. All traffic matching the list will be NATted to my public outside interface address, then encrypted and delivered over the tunnel, and as long as the remote site has the exact opposite access list pointing from their inside host address to my public outside interface address, return traffic should be encrypted and sent back to me.


If this is all I have to do then I guess I was making it too difficult in my head.


Thanks for your help.
