
Natting over a Site to Site VPN Tunnel

I have to setup a Site 2 Site tunnel with a business partner and I have 4 separate networks that need to go to one network on the remote site.

Problem is that I have to NAT one of the source networks to a different network but leave the other 3 alone.

The network I need to NAT is 192.167.127.128/25 and I need to NAT that to 192.168.227.128/25.

How would I NAT the one range but just pass the others through the VPN tunnel?

Thanks

Tom Griep

5 REPLIES

Natting over a Site to Site VPN Tunnel

What version of ASA code are you running?
You would configure policy-based NAT to accomplish this.


Natting over a Site to Site VPN Tunnel

I am using version 8.2(5)

Natting over a Site to Site VPN Tunnel

For the network that you have to NAT to 192.168.227.128/25, you can do something like this:

access-list policy_nat-192-168-227-128 extended permit ip 192.167.127.128 255.255.255.128 x.x.x.x y.y.y.y

Replace x.x.x.x and y.y.y.y with the destination network IP and mask.

nat (inside) 100 access-list policy_nat-192-168-227-128

global (outside) 100 192.168.227.129-192.168.227.254

This will NAT any traffic destined for the remote networks coming from 192.168.127.128/25 to 192.168.227.128/25.


Re: Natting over a Site to Site VPN Tunnel

Thanks for the help. I added the changes but I still cannot get the tunnel to establish. Problem is that the other site is in a different time zone and I can not debug with them until tomorrow.

Here is my partial config and 2 different packet-tracer commands.

object-group network Destination_Network
 network-object 10.100.0.0 255.255.255.224
object-group network Source_Network
 network-object 172.23.3.0 255.255.255.0
 network-object 172.23.8.0 255.255.252.0
 network-object 192.168.227.128 255.255.255.128
 network-object 192.168.130.0 255.255.255.0
access-list policy_nat-192-168-227-128 extended permit ip 192.168.127.128 255.255.255.128 10.100.0.0 255.255.255.224
access-list outside_cryptomap extended permit ip object-group Source_Network object-group Destination_Network
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 100 192.168.227.129-192.168.227.254
nat (inside) 100 access-list policy_nat-192-168-227-128
route outside 0.0.0.0 0.0.0.0 74.5.212.1 1
route inside 172.23.3.0 255.255.255.0 192.168.130.1 1
route inside 172.23.8.0 255.255.252.0 192.168.130.1 1
route inside 192.168.127.128 255.255.255.128 192.168.130.1 1
route inside 192.168.227.128 255.255.255.128 192.168.130.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map4 1 match address outside_cryptomap
crypto map outside_map4 1 set pfs
crypto map outside_map4 1 set peer 195.150.180.12
crypto map outside_map4 1 set transform-set ESP-AES-256-SHA
crypto map outside_map4 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
ssh version 2
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec
username cisco password C79oagi8z6r8y2ju encrypted
tunnel-group 195.150.180.12 type ipsec-l2l
tunnel-group 195.150.180.12 ipsec-attributes
 pre-shared-key *****

Packet-tracer output

packet-tracer input inside tcp 172.23.8.200 3200 10.100.0.10 3200

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

asa5510-6#
asa5510-6#
asa5510-6# packet-tracer input inside tcp 192.168.127.150 3200 10.100.0.10 3200

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 100 access-list policy_nat-192-168-227-128
  match ip inside 192.168.127.128 255.255.255.128 outside 10.100.0.0 255.255.255.224
    dynamic translation to pool 100 (192.168.227.129 - 192.168.227.254)
    translate_hits = 3, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.127.150/0 to 192.168.227.144/0 using netmask 255.255.255.255

Phase: 4
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 100 access-list policy_nat-192-168-227-128
  match ip inside 192.168.127.128 255.255.255.128 outside 10.100.0.0 255.255.255.224
    dynamic translation to pool 100 (192.168.227.129 - 192.168.227.254)
    translate_hits = 3, untranslate_hits = 0
Additional Information:

Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Let me know if that helps any.

At least the policy NAT is making it further.

Thanks.

Re: Natting over a Site to Site VPN Tunnel

If you do show crypto ipsec sa peer 195.150.180.12

I would imagine you will see an SA built for that traffic with encapsulated packets but decapsulated packets at 0.  The configuration looks fine to me from quickly glancing at it.  It is likely the remote end needs to permit the return traffic to the NAT'd subnet to go across the VPN.
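The two points made in this thread, that on ASA 8.2 policy NAT is applied before the crypto map is consulted (so the crypto ACL must match the translated 192.168.227.128/25, not the real 192.168.127.128/25), and that the peer's mirror ACL must permit the NAT'd subnet, can be checked offline against the posted config. The following Python model is an added example, not code from the thread or from Cisco: it parses only the subset of ASA syntax used in the poster's config (network object-groups, `permit ip` ACL entries, `global`/`nat ... access-list` pairs and the crypto map's `match address`), allocates pool addresses in order rather than the way a real ASA does, and ignores `nat 0` exemption and interface ordering.

```python
"""Model of the ASA 8.2 outbound order seen in the thread's packet-tracer output
(policy NAT in phases 3/4, crypto-map match in phase 5) run over the poster's
own config lines.  Added example, not from the thread or from Cisco; the parser
covers only the subset of ASA syntax used here and the pool allocator is a
simplification of real dynamic NAT."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: the NAT/VPN-relevant lines of the config posted in the thread.
SAMPLE_CONFIG = """
object-group network Destination_Network
 network-object 10.100.0.0 255.255.255.224
object-group network Source_Network
 network-object 172.23.3.0 255.255.255.0
 network-object 172.23.8.0 255.255.252.0
 network-object 192.168.227.128 255.255.255.128
 network-object 192.168.130.0 255.255.255.0
access-list policy_nat-192-168-227-128 extended permit ip 192.168.127.128 255.255.255.128 10.100.0.0 255.255.255.224
access-list outside_cryptomap extended permit ip object-group Source_Network object-group Destination_Network
global (outside) 100 192.168.227.129-192.168.227.254
nat (inside) 100 access-list policy_nat-192-168-227-128
crypto map outside_map4 1 match address outside_cryptomap
"""


@dataclass
class AsaNatModel:
    groups: dict = field(default_factory=dict)   # object-group name -> [IPv4Network]
    acls: dict = field(default_factory=dict)     # ACL name -> [(src_nets, dst_nets)]
    nat_acl: dict = field(default_factory=dict)  # nat id -> policy ACL name
    pools: dict = field(default_factory=dict)    # global id -> (first, last) address
    crypto_acl: str = ""                         # ACL named by "match address"
    xlate: dict = field(default_factory=dict)    # dynamic xlate table: real -> mapped


def _net(ip, mask):
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)


def _operand(m, tokens):
    """Consume one ACL address operand; return (networks, remaining tokens)."""
    if tokens[0] == "object-group":
        return m.groups[tokens[1]], tokens[2:]
    if tokens[0] == "any":
        return [ipaddress.IPv4Network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "host":
        return [_net(tokens[1], "255.255.255.255")], tokens[2:]
    return [_net(tokens[0], tokens[1])], tokens[2:]


def parse_config(text):
    m = AsaNatModel()
    group = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["object-group", "network"]:
            group = t[2]
            m.groups[group] = []
        elif t[0] == "network-object" and group:
            m.groups[group].append(_net(t[1], t[2]))
        elif t[0] == "access-list" and t[3:5] == ["permit", "ip"]:
            group = None
            src, rest = _operand(m, t[5:])
            dst, _ = _operand(m, rest)
            m.acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "global":                       # global (outside) 100 first-last
            first, last = t[3].split("-")
            m.pools[t[2]] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
        elif t[0] == "nat" and t[3] == "access-list":  # nat (inside) 100 access-list NAME
            m.nat_acl[t[2]] = t[4]
        elif t[:2] == ["crypto", "map"] and "match" in t:
            m.crypto_acl = t[-1]
    return m


def _permits(entries, src, dst):
    return any(any(src in n for n in s) and any(dst in n for n in d) for s, d in entries)


def translate(m, src, dst):
    """Policy NAT: the first nat statement whose ACL permits src->dst wins and the
    source is mapped to a free address of the global pool with the same id.
    Simplification: no nat 0 exemption, no interface ordering, no PAT fallback."""
    for nat_id, acl in m.nat_acl.items():
        if _permits(m.acls[acl], src, dst):
            if src not in m.xlate:
                first, last = m.pools[nat_id]
                used = set(m.xlate.values())
                free = (first + i for i in range(int(last) - int(first) + 1))
                m.xlate[src] = next(a for a in free if a not in used)
            return m.xlate[src]
    return src  # no policy NAT rule matched: leaves the box untranslated


def outbound(m, src, dst):
    """Order shown by packet-tracer on 8.2: NAT before VPN encrypt, so the crypto
    ACL is evaluated against the mapped source, not the real one."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    mapped = translate(m, src, dst)
    return {"real_src": str(src), "mapped_src": str(mapped),
            "matches_crypto_acl": _permits(m.acls[m.crypto_acl], mapped, dst)}


def pool_covered_by_crypto_acl(m):
    """Every address a global pool can hand out must fall inside a source of the
    crypto ACL; otherwise translated packets are never selected for the tunnel."""
    sources = [n for s, _ in m.acls[m.crypto_acl] for n in s]
    for first, last in m.pools.values():
        for i in range(int(last) - int(first) + 1):
            if not any(first + i in n for n in sources):
                return False
    return True


def peer_mirror_entries(m):
    """What the remote peer's crypto ACL must permit: the mirror of ours, i.e. their
    networks towards our post-NAT networks (never the real 192.168.127.128/25)."""
    return [f"{d} -> {s}" for srcs, dsts in m.acls[m.crypto_acl] for d in dsts for s in srcs]


if __name__ == "__main__":
    model = parse_config(SAMPLE_CONFIG)
    for real, remote in [("192.168.127.150", "10.100.0.10"), ("172.23.8.200", "10.100.0.10")]:
        print(outbound(model, real, remote))
    print("pool covered by crypto ACL:", pool_covered_by_crypto_acl(model))
    print("peer must permit:", *peer_mirror_entries(model), sep="\n  ")
```

Run as written, the model maps 192.168.127.150 into the 192.168.227.129-254 pool and confirms that the crypto ACL still selects the flow, passes 172.23.8.200 through untranslated, and lists the four `10.100.0.0/27 -> local network` entries the partner's crypto ACL needs; swapping 192.168.227.128/25 for the real 192.168.127.128/25 in Source_Network makes `pool_covered_by_crypto_acl` return False, which is the misconfiguration the answers above warn about.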
