04-13-2010 03:16 AM
Hello,
I was wondering if you can help me on the following scenario please?
I am tasked to setup Site-to-Site (both ends using Cisco ASA5520).
Site A has a flat 10 address space, 10.0.0.0, and site B has an address space of 10.20.90.0.
As this is overlapping address space I need to translate the interesting traffic address to a different subnet.
So interesting traffic coming from 10.0.0.0 will be translated to 192.168.67.0 and traffic coming from 10.20.90.0 will be
translated to 192.168.66.0.
Once this is set up I need to do host-to-host mapping for about 12 machines.
Can you have a look over the below config and see if this is correct?
Also, when I am configuring Site-to-Site, do I have to bring up the tunnel at both ends before I configure the VPN traffic?
access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0 access-list policy-nat
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address VPN_Traffic
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
Thanks
04-13-2010 06:08 AM
Crypto ACL on site B would be from site B local LAN towards site A NATed LAN. And the normal NAT exemption on site B.
Here is the sample config:
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml
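A small model of the overlapping-subnet design discussed in this thread, added here as an example that is not from the thread or from the Cisco configuration example linked above. It assumes the addresses quoted in the question (site A 10.0.0.0/24 presented as 192.168.67.0/24, site B 10.20.90.0/24 presented as 192.168.66.0/24) and that each ASA translates its own LAN before encryption and untranslates the peer's mapped range on receipt, so the tunnel only ever carries the two mapped ranges.

```python
import ipaddress

# Constructed model (assumed values from the thread): real LAN and the range it is presented as.
SITES = {
    "A": (ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("192.168.67.0/24")),
    "B": (ipaddress.ip_network("10.20.90.0/24"), ipaddress.ip_network("192.168.66.0/24")),
}


def _remap(addr, src_net, dst_net):
    """Network-to-network static NAT: keep the host bits, swap the network prefix."""
    if addr not in src_net:
        return addr
    return dst_net.network_address + (int(addr) - int(src_net.network_address))


def encrypt_side(site, src, dst):
    """What a site's ASA puts on the tunnel for a packet from its own LAN: the source is
    translated to the site's mapped range; the destination (peer's mapped address) is untouched."""
    real, mapped = SITES[site]
    return _remap(ipaddress.ip_address(src), real, mapped), ipaddress.ip_address(dst)


def decrypt_side(site, src, dst):
    """What a site's hosts see for a packet received from the tunnel: the destination is
    untranslated from the site's mapped range back to its real LAN."""
    real, mapped = SITES[site]
    return ipaddress.ip_address(src), _remap(ipaddress.ip_address(dst), mapped, real)


def crypto_acl(site):
    """The crypto ACL selector each side should use: its own mapped range to the peer's mapped range."""
    peer = "B" if site == "A" else "A"
    return SITES[site][1], SITES[peer][1]


def acls_mirror(site_a_acl, site_b_acl):
    """Both ends must negotiate the same proxy identities, so site B's selector has to be site A's reversed.
    A selector that still names a real (overlapping) LAN on one end will not mirror the other."""
    return site_a_acl == (site_b_acl[1], site_b_acl[0])


def round_trip(src_site, src, dst_mapped):
    """Trace a host-to-host packet end to end; returns (on-the-wire, delivered) address pairs as strings."""
    dst_site = "B" if src_site == "A" else "A"
    wire = encrypt_side(src_site, src, dst_mapped)
    delivered = decrypt_side(dst_site, str(wire[0]), str(wire[1]))
    return tuple(map(str, wire)), tuple(map(str, delivered))
```

A host at site B reaches 10.0.0.12 by addressing 192.168.67.12; the trace shows the source arriving at site A as 192.168.66.12, which is what the per-host mappings for the 12 machines have to line up with.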
04-13-2010 06:35 AM
It needs to be done on Both sites.
So shall I go with droeun141's config?
So this will be the config:
access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0 access-list policy-nat
static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address VPN_Traffic
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
04-13-2010 06:39 AM
Either way will work.
04-13-2010 07:34 AM
I have just tried to configure the site-to-site (Site B) with the below config. I got as far as the following command and then it kicked me out of the remote site:
crypto map outside_map interface outside
Any ideas why this would happen?
access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0 access-list policy-nat
static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address VPN_Traffic
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
04-13-2010 07:58 AM
What address did you connect to on SITE B?
04-13-2010 08:05 AM
I connected to the 10.20.90.X
04-13-2010 08:10 AM
Connect to the public address or the new NAT'd address 192.168.66.X.
04-13-2010 08:14 AM
OK thanks, why does it break the connection?
04-13-2010 08:29 AM
How were you able to connect to 10.20.90.X from SITE A if the tunnel wasn't configured?
04-13-2010 08:38 AM
I have created a VPN connection for myself....
04-13-2010 08:47 AM
Probably because when you applied the crypto map it triggered the policy NAT & rendered 10.20.90.X/24 useless.
04-13-2010 08:49 AM
I will try again tomorrow now.
Thanks for all your help
04-14-2010 03:17 AM
I have configured one part of the site-to-site (remote site) with the below config. How do I bring up the tunnel?
When I do a show crypto ipsec sa and isakmp I get the following message:
There are no ipsec sas and isakmp sas configured.
Also when i try and VPN through the inside interface it does not connect.
thanks
access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0 access-list policy-nat
static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address VPN_Traffic
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
04-14-2010 03:52 AM
Can you paste the config for site A?