
New Member

Help with PAT VPN Traffic

Hello,


I was wondering if you could help me with the following scenario, please?
I am tasked to set up a site-to-site VPN (both ends using Cisco ASA5520).
Site A has a flat 10 address, 10.0.0.0, and site B has an address of 10.20.90.0.
As this is overlapping address space, I need to translate the interesting traffic addresses to a different subnet.
So interesting traffic coming from 10.0.0.0 will be translated to 192.168.67.0, and traffic coming from 10.20.90.0 will be translated to 192.168.66.0.
Once this is set up, I need to do host-to-host mapping for about 12 machines.
Can you have a look over the below config and see if this is correct?


Also, when I am configuring site-to-site, do I have to bring up the tunnel at both ends before I configure the VPN traffic?

access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0  access-list policy-nat
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address VPN_Traffic
crypto map outside_map 20 set peer  1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

Thanks

39 REPLIES
Cisco Employee

Re: Help with PAT VPN Traffic

Is your 10.0.0.0 subnet class A or class C? What is the subnet mask for the 10.0.0.0 network? If it is class C, it does not overlap with 10.20.90.0/24.

New Member

Re: Help with PAT VPN Traffic

My 10.0.0.0 is a class A address.

Does my config look OK?

Cisco Employee

Re: Help with PAT VPN Traffic

Based on your config, I assume you only want traffic to be encrypted from the 10.0.0.0/24 subnet, right?

You also need the following static statement:

static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0

Here is the sample config for your reference:

PIX: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml

IOS: http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

(The concept is the same; there is no sample config for the later ASA version.)

New Member

Re: Help with PAT VPN Traffic

No, I need traffic encrypted from both ends.

The config that I posted was for site B.

I have followed the following document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Cisco Employee

Re: Help with PAT VPN Traffic

That config guide that you used only translates 1 site, not the other. And it is not an overlapping LAN scenario.

New Member

Re: Help with PAT VPN Traffic

Overall, what do I need to add to my config so I can get both sites to translate?

Cisco Employee

Re: Help with PAT VPN Traffic

As advised earlier, here is what you need to add:

static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0

New Member

Re: Help with PAT VPN Traffic

OK, thanks. One more thing: shall I remove the following statement or keep it in?

static (inside,outside) 192.168.66.0  access-list policy-nat

Cisco Employee

Re: Help with PAT VPN Traffic

You need to keep that.

New Member

Re: Help with PAT VPN Traffic

Thanks for your help

Tahir

New Member

Re: Help with PAT VPN Traffic

If you need translation on both sides, this is what you need:

SITE A:

access-list VPN_Traffic extended permit ip 192.168.67.0 255.255.255.0 192.168.66.0 255.255.255.0
access-list policy-nat extended permit ip 10.0.0.0 255.255.255.0 10.12.90.0 255.255.255.0
static (inside,outside) 192.168.67.0 access-list policy-nat


SITE B:

access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list policy-nat extended permit ip 10.12.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0 access-list policy-nat

New Member

Re: Help with PAT VPN Traffic

Hi,

Do I have to add the following statement:

static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0

Cisco Employee

Re: Help with PAT VPN Traffic

There are 2 ways you can configure it:

1) Source and destination NAT as per the initial configuration advice --> NAT only needs to be configured on 1 site

OR

2) Source NAT as per droeun141's advice --> source NAT needs to be configured on both sites.
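The two options above differ in where the NAT lives, but both depend on the same address plan being consistent at both ends. The Python below is an added example, not code from the thread or from Cisco: it models option 2 (droeun141's source NAT on both sites) so the plan can be checked before it is typed into the firewalls. It assumes ASA 8.2-style net-to-net policy statics that work in both directions, that the crypto map is matched against the post-NAT packet on the way out, and that each site's hosts address the peer by the network the peer presents, so the policy-nat destination is the peer's mapped net rather than its real one. It uses 10.20.90.0/24 for site B, as in the original question, and treats site A as a flat 10/8 of which only 10.0.0.0/24 is carried over the tunnel. The names Site, plan_problems, round_trip and would_encrypt are the example's own.

```python
"""Model of the two-site policy-NAT / crypto-ACL plan (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr


def rebase(addr: Addr, from_net: Net, to_net: Net) -> Addr:
    """Net-to-net static translation: keep the host bits, swap the network bits."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("a net-to-net static needs equal-length networks")
    return to_net.network_address + (int(addr) - int(from_net.network_address))


@dataclass
class Site:
    name: str
    lan: Net          # what the hosts' own mask calls local (site A is a flat 10/8)
    real: Net         # policy-nat ACL source: the part of the LAN sent over the tunnel
    mapped: Net       # static (inside,outside) <mapped> access-list policy-nat
    peer_mapped: Net  # destination the local hosts use; also the policy-nat ACL dst

    def crypto_acl(self):
        # crypto map ... match address: post-NAT source towards the peer's mapped net
        return [(self.mapped, self.peer_mapped)]

    def config_lines(self):
        """Render the plan in the ASA 8.2 syntax used in the thread."""
        m, pm, r = self.mapped, self.peer_mapped, self.real
        return [
            f"access-list VPN_Traffic extended permit ip {m.network_address} {m.netmask} "
            f"{pm.network_address} {pm.netmask}",
            f"access-list policy-nat extended permit ip {r.network_address} {r.netmask} "
            f"{pm.network_address} {pm.netmask}",
            f"static (inside,outside) {m.network_address} access-list policy-nat",
        ]

    def outbound(self, p: Packet) -> Packet:
        """inside -> outside: policy source NAT first, then the crypto ACL must match."""
        if p.src in self.real and p.dst in self.peer_mapped:
            p = Packet(rebase(p.src, self.real, self.mapped), p.dst)
        if not any(p.src in s and p.dst in d for s, d in self.crypto_acl()):
            raise ValueError(f"{self.name}: {p.src}->{p.dst} would not be encrypted")
        return p

    def inbound(self, p: Packet) -> Packet:
        """outside -> inside: mirrored crypto ACL check, then the static applied in
        reverse (a static is bidirectional) to restore the real destination."""
        if not any(p.src in d and p.dst in s for s, d in self.crypto_acl()):
            raise ValueError(f"{self.name}: {p.src}->{p.dst} fails the mirrored crypto ACL")
        if p.dst in self.mapped and p.src in self.peer_mapped:
            p = Packet(p.src, rebase(p.dst, self.mapped, self.real))
        return p


def would_encrypt(site: Site, p: Packet) -> bool:
    try:
        site.outbound(p)
        return True
    except ValueError:
        return False


def mirror(acl_a, acl_b) -> bool:
    """Every (src, dst) on one ASA must appear as (dst, src) on the other."""
    return sorted(acl_a) == sorted((d, s) for s, d in acl_b)


def plan_problems(a: Site, b: Site) -> list:
    """Static checks on the address plan, independent of any packet."""
    problems = []
    if not a.lan.overlaps(b.lan):
        problems.append("LANs do not overlap; plain NAT exemption would do")
    for m in (a.mapped, b.mapped):
        for lan in (a.lan, b.lan):
            if m.overlaps(lan):
                problems.append(f"mapped {m} falls inside LAN {lan}; hosts would treat it as local")
    if a.mapped.overlaps(b.mapped):
        problems.append("the two mapped networks overlap")
    if a.peer_mapped != b.mapped or b.peer_mapped != a.mapped:
        problems.append("each site must address the peer by the net the peer presents")
    if not mirror(a.crypto_acl(), b.crypto_acl()):
        problems.append("crypto ACLs are not mirror images")
    return problems


def round_trip(a: Site, b: Site, p: Packet):
    """Walk a packet A->B and its reply B->A; return what each end actually sees."""
    delivered = b.inbound(a.outbound(p))
    reply = a.inbound(b.outbound(Packet(delivered.dst, delivered.src)))
    return delivered, reply


# Constructed scenario from the thread: site A is a flat 10/8, of which 10.0.0.0/24 goes
# over the tunnel; site B is 10.20.90.0/24; mapped nets 192.168.67.0/24 and 192.168.66.0/24.
N = ipaddress.ip_network
SITE_A = Site("A", N("10.0.0.0/8"), N("10.0.0.0/24"), N("192.168.67.0/24"), N("192.168.66.0/24"))
SITE_B = Site("B", N("10.20.90.0/24"), N("10.20.90.0/24"), N("192.168.66.0/24"), N("192.168.67.0/24"))

if __name__ == "__main__":
    for site in (SITE_A, SITE_B):
        print(f"--- site {site.name}")
        print("\n".join(site.config_lines()))
    print("problems:", plan_problems(SITE_A, SITE_B) or "none")
    host = ipaddress.ip_address("10.0.0.5")
    seen, back = round_trip(SITE_A, SITE_B, Packet(host, ipaddress.ip_address("192.168.66.7")))
    print("site B host sees:", seen.src, "->", seen.dst)
    print("site A host gets reply from:", back.src)
    # Addressing the peer's real address never matches the crypto ACL, so it leaves in the clear
    # or is dropped; this is the failure mode behind the lost management session later in the thread.
    print("10.0.0.5 -> 10.20.90.7 encrypted?", would_encrypt(SITE_A, Packet(host, ipaddress.ip_address("10.20.90.7"))))
```

The walk-through is the useful part: a site A host sends to 192.168.66.7, site B's host receives it from 192.168.67.5, and the reply comes back to 10.0.0.5 from 192.168.66.7, the address it originally used. plan_problems is worth running whenever a mapped net is changed; putting a mapped net inside the flat 10/8 at site A, for instance, means site A hosts would never hand that traffic to the ASA at all.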

New Member

Re: Help with PAT VPN Traffic

Cool, I didn't know there was more than one way to do it.

For source and destination NAT, what should the crypto ACL look like for SITE B? Do you use the outside local or global address for the destination?

Cisco Employee

Re: Help with PAT VPN Traffic

Crypto ACL on site B would be from site B local LAN towards site A NATed LAN. And the normal NAT exemption on site B.

Here is the sample config:

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

New Member

Re: Help with PAT VPN Traffic

deleted

New Member

Re: Help with PAT VPN Traffic

It needs to be done on both sites.

So shall I go with droeun141's config?

So this will be the config:

access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0  access-list policy-nat
static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address VPN_Traffic
crypto map outside_map 20 set peer  1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

Message was edited by: Tahir Saleem

New Member

Re: Help with PAT VPN Traffic

Either way will work.

New Member

Re: Help with PAT VPN Traffic

I have just tried to configure the site-to-site (site B) with the below config. I got as far as the following command, and then it kicked me out of the remote site:

crypto map outside_map interface outside

Any ideas why this would happen?

access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0  access-list policy-nat
static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address VPN_Traffic
crypto map outside_map 20 set peer  1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

New Member

Re: Help with PAT VPN Traffic

What address did you connect to on SITE B?

New Member

Re: Help with PAT VPN Traffic

I connected to the 10.20.90.X

New Member

Re: Help with PAT VPN Traffic

Connect to the public address or the new NAT'd address 192.168.66.X.

New Member

Re: Help with PAT VPN Traffic

OK, thanks. Why does it break the connection?

New Member

Re: Help with PAT VPN Traffic

How were you able to connect to 10.20.90.X from SITE A if the tunnel wasn't configured?

New Member

Re: Help with PAT VPN Traffic

I have created a VPN connection for myself....

New Member

Re: Help with PAT VPN Traffic

Probably because when you applied the crypto map it triggered the policy NAT & rendered 10.20.90.X/24 useless.

New Member

Re: Help with PAT VPN Traffic

I will try again tomorrow.

Thanks for all your help

New Member

Re: Help with PAT VPN Traffic

I have configured one part of the site-to-site (remote site) with the below config. How do I bring up the tunnel?

When I do a show crypto ipsec sa and isakmp, I get the following message:

There are no ipsec sas and isakmp sas configured.

Also, when I try to VPN through the inside interface, it does not connect.

Thanks

access-list VPN_Traffic extended permit ip 192.168.66.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list policy-nat extended permit ip 10.20.90.0 255.255.255.0 10.0.0.0 255.255.255.0
static (inside,outside) 192.168.66.0  access-list policy-nat
static (outside,inside) 192.168.67.0 10.0.0.0 netmask 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address VPN_Traffic
crypto map outside_map 20 set peer  1.1.1.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

New Member

Re: Help with PAT VPN Traffic

Can you paste the config for site A?
