Help with PAT VPN Traffic

tahirs001
Level 1

Hello,


I was wondering if you can help me with the following scenario, please?
I am tasked to set up a Site-to-Site VPN (both ends using Cisco ASA5520).
Site A has a flat 10 address, 10.0.0.0, and site B has an address of 10.20.90.0.
As this is overlapping address space I need to translate the interesting traffic address to a different subnet.
So interesting traffic coming from 10.0.0.0 will be translated to 192.168.67.0, and traffic coming from 10.20.90.0 will be
translated to 192.168.66.0.
Once this is set up I need to do host-to-host mapping for about 12 machines.
Can you have a look over the below config and see if this is correct?


Also, when I am configuring Site-to-Site, do I have to bring up the tunnel at both ends before I configure the VPN traffic?

access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0  access-list policy-nat
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address VPN_Traffic
crypto map outside_map 20 set peer  1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

Thanks

Crypto ACL on site B would be from site B local LAN towards site A NATed LAN. And the normal NAT exemption on site B.

Here is the sample config:

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

It needs to be done on Both sites.

So shall I go with droeun141's config?

So this will be the config:

access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0  access-list policy-nat
static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address VPN_Traffic
crypto map outside_map 20 set peer  1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

Message was edited by: Tahir Saleem
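A worked model of the NAT design in this thread (the original question and the corrected crypto ACL above), added here as an example and not taken from any post: it translates hosts between each site's real and mapped /24 the way the static network NAT does, checks whether a crypto ACL line names the right (mapped) subnets, and traces what a site B host must target to reach a site A host. The /24 masks and the host-bit-preserving translation are assumptions read off the posted configs.

```python
import ipaddress

# Constructed from the thread: each site's real LAN and the subnet it is
# translated to before entering the tunnel (assumed /24 on both sides).
SITE_A = {"real": "10.0.0.0/24", "mapped": "192.168.67.0/24"}
SITE_B = {"real": "10.20.90.0/24", "mapped": "192.168.66.0/24"}


def translate(addr, from_net, to_net):
    """Static network NAT: keep the host bits, swap the network prefix."""
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("real and mapped subnets must be the same size")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_bits = int(ip) - int(src.network_address)
    return str(ipaddress.ip_address(int(dst.network_address) + host_bits))


def expected_crypto_acl(local, remote):
    """The crypto ACL is evaluated after local NAT, so it must name the local
    mapped subnet as source and the remote mapped subnet as destination."""
    return (local["mapped"], remote["mapped"])


def crypto_acl_is_correct(local, remote, src_net, dst_net):
    """True when a posted 'permit ip src dst' line matches the expected pair."""
    return (src_net, dst_net) == expected_crypto_acl(local, remote)


def trace_flow(src_host, target, local, remote):
    """Host src_host at 'local' sends to 'target', which must be the remote
    peer's mapped address. Returns the (src, dst) pair on the wire inside the
    tunnel and the pair the real remote host finally sees."""
    wire_src = translate(src_host, local["real"], local["mapped"])
    remote_real = translate(target, remote["mapped"], remote["real"])
    return (wire_src, target), (wire_src, remote_real)


if __name__ == "__main__":
    # Site B host 10.20.90.5 reaching site A host 10.0.0.12 via its mapped name
    print(trace_flow("10.20.90.5", "192.168.67.12", SITE_B, SITE_A))
    # The first posted crypto ACL (192.168.66.0 -> 10.0.0.0) vs the corrected one
    print(crypto_acl_is_correct(SITE_B, SITE_A, "192.168.66.0/24", "10.0.0.0/24"))
    print(crypto_acl_is_correct(SITE_B, SITE_A, "192.168.66.0/24", "192.168.67.0/24"))
```

The same check run from site A's side expects 192.168.67.0/24 as source and 192.168.66.0/24 as destination, which is the mirror image of site B's ACL.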

Either way will work.

I have just tried to bring the site-to-site (Site B) up with the below config; I got as far as the following command and then it kicked me out of the remote site.

crypto map outside_map interface outside

Any ideas why this would happen?

access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0  access-list policy-nat
static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address VPN_Traffic
crypto map outside_map 20 set peer  1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

What address did you connect to on SITE B?

I connected to the 10.20.90.X

Connect to the public address or the new NAT'd address 192.168.66.X.

OK thanks, why does it break the connection?

How were you able to connect to 10.20.90.X from SITE A if the tunnel wasn't configured?

I have created a VPN connection for myself....

Probably because when you applied the crypto map it triggered the policy NAT & rendered 10.20.90.X/24 useless.

tahirs001
Level 1

I will try again tomorrow now.

Thanks for all your help

tahirs001
Level 1

I have configured one part of the site-to-site (remote site) with the below config. How do I bring up the tunnel?

When I do a show crypto ipsec sa and isakmp I get the following message:

There are no ipsec sas and isakmp sas configured.

Also, when I try to VPN through the inside interface it does not connect.

Thanks

access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0 access-list policy-nat
static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address VPN_Traffic
crypto map outside_map 20 set peer  1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

Can you paste the config for site A?
