08-30-2013 05:53 AM - edited 03-11-2019 07:32 PM
08-30-2013 06:05 AM
Hi,
The actual NAT configuration to enable the use of public IP address through the L2L VPN is very simple but I would see that the bigger question here is to determine the actual setup requirements and the parameters used.
I presume you have been provided with a document which states the Phase 1 and Phase 2 parameters for this connection clearly? If you do have such a document, could you take a screen capture of the Phase 1 and Phase 2 parameters (don't include any PSK/pre-shared key, we don't need to know it).
I would also like to confirm the following things
The NAT portion might be really simple if you only have a single public IP address. In that case you might not even need to configure any additional NAT than you already have on the device but rather specify the local and remote network correctly.
- Jouni
08-30-2013 06:16 AM
Hello Jouni
We have a /29 subnet but we have several addresses we can use for this VPN, we only have the PCS Images site requiring the connection to Early Warning Services.
I'm willing to do whatever you recommend on configuring this site-to-site with Early Warning.
Sending you what they sent me on the IKE1/2
The following are the Early Warning Services VPN Gateway parameters.
08-30-2013 06:22 AM
They also need access to our server for copying files to and from each site through the day; we do the same from our site
08-30-2013 07:10 AM
Hi,
Would it be possible to also see the current configuration of the ASA?
I could then see the current configurations and what additions are needed for this to work.
The configuration that you have attached does have some things that need to be changed and some things that are not needed.
- Jouni
08-30-2013 07:17 AM
Jouni,
We have some sensitive information in this current config, any way to send this running-config to you securely?
08-30-2013 07:38 AM
Hi,
I guess we can try this without looking at the whole configuration.
So I presume that you have not yet configured any VPN related configurations and you don't have any previous/existing VPN connections (IPsec) configured on your firewall.
The below also presumes
Static NAT for Server
object network LAN-SERVER
host 172.16.5.x
nat (inside,outside) static x.x.x.x
L2L VPN Configurations
access-list EARLY-WARNINGS-L2LVPN remark Encryption Domain for L2L VPN Connection
access-list EARLY-WARNINGS-L2LVPN permit ip host x.x.x.x host 199.47.136.140
crypto ipsec ikev1 transform-set EARLY-WARNING-TS esp-aes-256 esp-sha-hmac
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
crypto map CRYPTOMAP 1 match address EARLY-WARNINGS-L2LVPN
crypto map CRYPTOMAP 1 set peer 199.47.137.230
crypto map CRYPTOMAP 1 set ikev1 transform-set EARLY-WARNING-TS
crypto map CRYPTOMAP 1 set security-association lifetime seconds 3600
crypto ikev1 enable interface outside
crypto map CRYPTOMAP interface outside
tunnel-group 199.47.137.230 type ipsec-l2l
tunnel-group 199.47.137.230 ipsec-attributes
ikev1 pre-shared-key
That should pretty much be it.
There are naturally some settings that could cause problems with this setup. For example, some NAT configurations might override the above Static NAT, or perhaps you might have the "no sysopt connection permit-vpn" setting configured globally, which would require that you allow the traffic in the external interface's ACL.
Enabling this setting might actually be something that you would want to consider. This is because the default setting on the ASA will allow any traffic coming from a VPN connection to bypass the interface ACL. If you have the default setting, this would mean that the remote host could initiate connections with any destination port/service to your server.
Also, since we configure Static NAT for this server, be sure that you DO NOT allow any traffic to it from the public network, and that none of your current rules in the external interface's ACL allow some traffic to this server.
The NAT could be configured as a Static Policy NAT also, but considering your situation at the moment (/29 network), I guess you can spare the public IP address for just this server.
When both you and the remote site have configured the
Hope this helps
- Jouni
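One thing that trips up configurations like the one above is a name mismatch between where a transform-set, crypto ACL or tunnel-group is defined and where the crypto map references it; the ASA rejects the crypto map line, or the tunnel never negotiates. The following is an added Python check, not part of the thread and not a Cisco tool, that reads ASA lines in the format posted above and flags dangling references; the sample config is constructed from the thread's own lines with a deliberately mismatched transform-set name left in so the check has something to report.

```python
import re

# Constructed sample for this check: the L2L lines from the thread, with the
# transform-set deliberately referenced under a different name than it is
# defined with, so the check has something to find.
SAMPLE_CONFIG = """
object network LAN-SERVER
 host 172.16.5.50
 nat (PCSFTP,outside) static 98.101.206.53
access-list EARLY-WARNINGS-L2LVPN permit ip host 98.101.206.53 host 199.47.136.140
crypto ipsec ikev1 transform-set EARLY-WARNING-TS esp-aes-256 esp-sha-hmac
crypto map CRYPTOMAP 1 match address EARLY-WARNINGS-L2LVPN
crypto map CRYPTOMAP 1 set peer 199.47.137.230
crypto map CRYPTOMAP 1 set ikev1 transform-set EARLY-WARNINGS-TS
crypto map CRYPTOMAP interface outside
tunnel-group 199.47.137.230 type ipsec-l2l
"""

def check_l2l_config(config: str) -> list[str]:
    """Return consistency findings for an ASA IKEv1 L2L config (empty = nothing found)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    transform_sets, acls, tunnel_groups, nat_public_ips = set(), set(), set(), set()
    ts_refs, acl_refs, peer_refs = [], [], []
    for line in lines:
        if m := re.match(r"crypto ipsec ikev1 transform-set (\S+)", line):
            transform_sets.add(m.group(1))
        elif m := re.match(r"access-list (\S+) (?:permit|deny) ", line):
            acls.add(m.group(1))                       # remark lines do not count
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            tunnel_groups.add(m.group(1))
        elif m := re.match(r"nat \(\S+\) static (\S+)", line):
            nat_public_ips.add(m.group(1))
        elif m := re.match(r"crypto map \S+ \d+ set ikev1 transform-set (\S+)", line):
            ts_refs.append(m.group(1))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            acl_refs.append(m.group(1))
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            peer_refs.append(m.group(1))
    findings = []
    findings += [f"transform-set {t} is referenced but never defined" for t in ts_refs if t not in transform_sets]
    findings += [f"crypto ACL {a} has no permit/deny entries" for a in acl_refs if a not in acls]
    findings += [f"peer {p} has no 'tunnel-group ... type ipsec-l2l'" for p in peer_refs if p not in tunnel_groups]
    # The encryption domain must name the NATed public address of the server,
    # not its private address, otherwise the remote side's proxy IDs never match.
    for line in lines:
        m = re.match(r"access-list (\S+) permit ip host (\S+) host \S+", line)
        if m and m.group(1) in acl_refs and m.group(2) not in nat_public_ips:
            findings.append(f"crypto ACL local host {m.group(2)} is not a static NAT public address")
    return findings
```

Running it against the sample reports exactly the transform-set mismatch; once both lines use the same name it reports nothing.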
08-30-2013 07:45 AM
I will remove some data from the current running-config so you see what we have.
Thanks
08-30-2013 08:01 AM
Jouni,
I'm sorry about not adding this for the PCS images Server, would be in the running-config listed above, but thought best to send here.
PCS-EW-VPC51
172.16.5.50
PCS-EW-VPC51-Public
98.101.206.53
They will connect to this server for transfers through the day
Thanks Jouni
08-30-2013 08:19 AM
Hi,
Did you have a Static NAT configuration for this server already or? If not, then use the configuration I mentioned and use the public IP address that you have reserved for the server.
Naturally you can use a different name for the "object" so that it fits your current naming policy better.
In your situation, since you don't seem to have any existing VPN configurations (unless you have removed them from above), I would suggest configuring the "no sysopt connection permit-vpn" command, which will prevent connections coming from VPN connections from bypassing your interface ACL.
Just add the ACL rules to your existing ACL to allow the ports which are required for your server.
access-list OUTSIDE-IN remark Early Warning Services L2L VPN rules
access-list OUTSIDE-IN permit tcp host 199.47.136.140 object LAN-SERVER eq
access-list OUTSIDE-IN permit udp host 199.47.136.140 object LAN-SERVER eq
access-list OUTSIDE-IN permit icmp host 199.47.136.140 object LAN-SERVER echo
The above is just an example of how you would add TCP/UDP ports to which the remote site could connect, or perhaps ICMP.
- Jouni
08-30-2013 08:20 AM
Also,
You naturally have to use the PCSFTP interface as the source interface for the Static NAT as that is where the actual host is located at.
- Jouni
08-30-2013 08:30 AM
Let me ask this - if we use sysopt connection permit-vpn for this site-to-site VPN will this cause problems for adding others in the future?
Maybe I'm not on my A game today; when you spoke of the source interface PCSFTP for the static NAT, should this be the interface as the source or should this be Early Warning Services as the source?
Can you show me what the new configuration for the running-config should look like after we add all the items you listed above, because I'm missing something or not sure what comes first or what the source / destination should be.
I'm sorry about this Jouni - I just don't understand
Thank you my friend
08-30-2013 08:45 AM
Hi,
With the source interface I mean the source interface used in the actual "nat" configuration line. As you can see, I originally used "inside", which is what I presumed, BUT the server is located behind the "PCSFTP" interface judging by your running configuration.
I modified the configurations to match the Running Configuration that you posted after my reply
object network LAN-SERVER
host 172.16.5.50
nat (PCSFTP,outside) static 98.101.206.53
access-list EARLY-WARNINGS-L2LVPN remark Encryption Domain for L2L VPN Connection
access-list EARLY-WARNINGS-L2LVPN permit ip host 98.101.206.53 host 199.47.136.140
crypto ipsec ikev1 transform-set EARLY-WARNING-TS esp-aes-256 esp-sha-hmac
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
crypto map CRYPTOMAP 1 match address EARLY-WARNINGS-L2LVPN
crypto map CRYPTOMAP 1 set peer 199.47.137.230
crypto map CRYPTOMAP 1 set ikev1 transform-set EARLY-WARNING-TS
crypto map CRYPTOMAP 1 set security-association lifetime seconds 3600
crypto ikev1 enable interface outside
crypto map CRYPTOMAP interface outside
tunnel-group 199.47.137.230 type ipsec-l2l
tunnel-group 199.47.137.230 ipsec-attributes
ikev1 pre-shared-key
BELOW ACL ADDITION IS JUST EXAMPLE LINES. NOT SOMETHING THAT YOU CAN USE DIRECTLY AS ITS MISSING INFORMATION. ADD THE RULES THAT YOU NEED!
access-list OUTSIDE-IN remark Early Warning Services L2L VPN rules
access-list OUTSIDE-IN permit tcp host 199.47.136.140 object LAN-SERVER eq
access-list OUTSIDE-IN permit udp host 199.47.136.140 object LAN-SERVER eq
access-list OUTSIDE-IN permit icmp host 199.47.136.140 object LAN-SERVER echo
no sysopt connection permit-vpn
With regards to issuing the command "no sysopt connection permit-vpn",
This is a global setting that will affect ALL the VPN connections on the device. What the above setting will essentially do is require any connection that is taken from the VPN remote networks to be allowed in the "outside" interface ACL, just like any traffic coming from the Internet through the "outside" interface.
Why I would suggest using this command is the fact that since you are (to my understanding) connecting to a remote site that is not part of your company's network, you probably would want to control what connections they can take to your server rather than just allow anything to your server (which leaving out the above command would mean).
Any future VPN Client or L2L VPN connections would also require their own ACL rules in the current "outside" interface ACL if the remote networks need to initiate connections to your network, but that is just like allowing traffic from the Internet, so there should be no problem.
The setting mentioned above is a global setting, so as I said, it affects all VPN connections. It can't be configured per VPN connection. For that you would need to use a VPN Filter ACL, and that's a different story again.
- Jouni
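To make the sysopt behaviour described above concrete, here is an added Python model (not from the thread, and not ASA code) that decides whether an inbound connection on "outside" is admitted, given the interface ACL, the static NAT and the sysopt setting. The ACL lines are constructed in the format posted in the thread with TCP port 22 filled in as an assumed port; the object name, private address and public address are the thread's own values.

```python
import re
from dataclasses import dataclass

# Constructed sample: the example OUTSIDE-IN rules from the thread, with TCP port 22
# filled in as an assumed port. Object and NAT values are the thread's own.
OUTSIDE_IN = """
access-list OUTSIDE-IN remark Early Warning Services L2L VPN rules
access-list OUTSIDE-IN permit tcp host 199.47.136.140 object LAN-SERVER eq 22
access-list OUTSIDE-IN permit icmp host 199.47.136.140 object LAN-SERVER echo
"""
OBJECTS = {"LAN-SERVER": "172.16.5.50"}        # object network LAN-SERVER / host
STATIC_NAT = {"98.101.206.53": "172.16.5.50"}  # nat (PCSFTP,outside) static

@dataclass
class Flow:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str            # address as it arrives on "outside" (the public IP)
    dport: int = 0      # tcp/udp destination port, unused for icmp
    icmp_type: str = ""

ACE_RE = re.compile(
    r"access-list \S+ (permit|deny) (\S+) host (\S+) object (\S+)(?: eq (\d+)| (\w+))?$")

def parse_acl(text: str) -> list[tuple]:
    """Parse 'host ... object ...' ACEs; remark lines do not match and are skipped."""
    aces = []
    for line in text.strip().splitlines():
        if m := ACE_RE.match(line.strip()):
            action, proto, src, obj, port, icmp = m.groups()
            aces.append((action, proto, src, OBJECTS[obj], int(port) if port else None, icmp))
    return aces

def ace_matches(ace: tuple, flow: Flow, real_dst: str) -> bool:
    action, proto, src, dst, port, icmp = ace
    if proto != flow.proto or src != flow.src or dst != real_dst:
        return False
    if proto in ("tcp", "udp"):
        return port is None or port == flow.dport
    return icmp is None or icmp == flow.icmp_type

def outside_permits(flow: Flow, aces: list, via_vpn: bool, sysopt_permit_vpn: bool = True) -> bool:
    """ASA admission decision for a connection arriving on 'outside'.
    Default 'sysopt connection permit-vpn': decrypted VPN traffic bypasses the
    interface ACL. With 'no sysopt connection permit-vpn' it is checked like any
    Internet traffic: first matching ACE wins, and there is an implicit deny."""
    if via_vpn and sysopt_permit_vpn:
        return True
    real_dst = STATIC_NAT.get(flow.dst, flow.dst)  # ASA 8.3+ un-NATs before the ACL check
    for ace in aces:
        if ace_matches(ace, flow, real_dst):
            return ace[0] == "permit"
    return False
```

With the default sysopt a VPN-sourced connection to any port on the server is admitted; with it disabled only the ports listed in OUTSIDE-IN get through, which is the point Jouni makes above.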
08-30-2013 08:56 AM
Jouni
As always you are amazing so full of knowledge that continues to amaze me, you are awesome Dude.
You take the complex information and explain so we understand what’s required for implementing the changes.
Do you have a manager I can call and talk to about the level of support you give us?
I really appreciate your help Jouni