Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
276
Views
0
Helpful
2
Replies

ASA 5510 l2l IPSEC Questions

dnelson
Level 1
Level 1

‎06-20-2006 08:20 PM - edited ‎02-21-2020 12:59 AM

I know how to configure pix or asa for lan to lan ipsec vpn tunnels to allow the inside networks at each site to communicate through the tunnel. This requires defining an access list that identifies when traffic from siteA goes to Site B bypass the natting process. (i.e. nat (inside) 0 access-list nonat).

Now I have a customer that needs a additional tunnel setup that needs their internal private ip's natted to a publicly routable address and then tunneled. Here is the remote sites VPN requirments.

Checkpoint NG w/AI version R60

Gateway IP: 12.5.XX.XX

Encryption: 3DES/MD5/DH Group 2/Disable Perfect Forward Secrecy

Preshared Key: TBD over the phone

IKE Phase 1 Timeout: 1440 minutes

IPSec Phase 2 Timeout: 3600 seconds

Host to access: 138.108.213.10/32 over TCP Port 23 (standard telnet)

"We will need you to NAT all your internal IP's to an external routable IP address.

That can either be the external interface of your firewall, or another public routable IP address on that network. "

Can this be done with the ASA and if so how do you nat before the ipsec process?

0 Helpful
2 Replies 2

gfullage
Cisco Employee
Cisco Employee

‎06-20-2006 09:05 PM

Yes this can be done, quite easily actually. Just keep in mind that NAT happens BEFORE IPSec within the ASA. Let's say your inside is 10.1.1.0/24, the remote inside is 10.2.2.0/24, and you have to NAT the entire 10.1.1.0/24 network to 172.16.1.1.

access-list l2l permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

access-list crypto permit ip host 172.16.1.1 10.2.2.0 255.255.255.0

Define policy-NAT to only NAT the L2L traffic as such

nat (inside) 5 access-list l2l

global (outside) 5 172.16.1.1

Then your crypto map points to the already-NAT'd traffic as what to send over the tunnel:

....

crypto map mymap 10 match address crypto

....

Make sure you don't have traffic from 10.1.1.0/24 to 10.2.2.0/24 defined in any "nat 0 access-list" ACL, cause this will override the policy NAT statement defined. You actually want to NAT this traffic and that's done by the policy-NAT, BEFORE the encryption part of things, so your crypto map ACL simply specifies the already NAT'd traffic.

Also make sure the remote end has the exact opposite ACL on their end, encrypt traffic FROM 10.2.2.0/24 going TO host 172.16.1.1.

0 Helpful

dnelson
Level 1
Level 1
In response to gfullage

‎06-20-2006 10:08 PM

So if I already have a global pool on the outside interface address (i.e. global (outside) 1 interface) Then all I really need to do is define the access list to match traffic from my inside network to the remote site's host address and then setup my l2l tunnel group using that access list and all traffice matching the list will be natted to my public outside interface address, then encrypted, and delivered over the tunnel and as long as the remote site has the exact opposite access list pointing from their inside host address to my public outside interface address, return traffic should be encrypted and sent back to me.

If this is all I have to do then I guess I was making it too difficult in my head.

Thanks for your help.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card