10-07-2009 01:07 PM
Hi all,
I have an ASA with these settings:
Internal Network: 192.168.1.0 /24
External Interface: AA.183.142.222
Our vendor has an ASA with these settings:
Internal Network: 192.168.50.0 /24
External Interface BB.179.80.108
We wish to create a L2L VPN with our vendor. They require that when our internal traffic goes through the VPN tunnel, it must be translated to 10.1.0.8/32. So in other words, traffic sourcing from OUR internal network that is destined to the vendor internal network must seem to them like it's coming from 10.1.0.8/32.
A simple diagram would be like so:
192.168.1.0/24---->translate to 10.1.0.8 only for this VPN tunnel---->192.168.50.0/24 (vendor int. network)
Below is how I think I should configure my ASA. Any suggestions would be appreciated.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address AA.183.142.222 255.255.255.224
!
access-list E-MD extended permit ip host 10.1.0.8 192.168.50.0 255.255.255.0
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 5 10.1.0.8 netmask 255.255.255.255
nat (inside) 5 access-list policy-nat
!
crypto map outside_map 20 match address E-MD
crypto map outside_map 20 set peer BB.179.80.108
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
!
tunnel-group BB.179.80.108 type ipsec-l2l
tunnel-group BB.179.80.108 ipsec-attributes
 pre-shared-key XXXXXXXx
Thanks,
SM
10-08-2009 01:25 AM
Your config is almost there - now you need to not 're-nat' the VPN traffic after you have already policy NATted it; add:
nat (inside) 0 access-list E-MD
This will not nat the traffic from 10.1.0.8 to 192.168.50.0/24 as it enters the VPN tunnel.
Remove:
global (outside) 5 10.1.0.8 netmask 255.255.255.255
This is not required.
HTH
10-08-2009 05:40 AM
Thank you for the suggestion!
10-08-2009 05:45 AM
np - glad to help.
10-08-2009 08:36 AM
I used ASDM to create it. You can convert to fit your ACL names.
access-list inside_nat0_outbound extended permit ip host 10.1.0.8 192.168.50.0 255.255.255.0
access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip host 10.1.0.8 192.168.50.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 5 10.1.0.8 netmask 255.255.255.255
nat (inside) 5 access-list inside_nat_outbound
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer BB.xx.xx.xx
crypto map outside_map 2 set transform-set ESP-3DES-MD5
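As an added check, not part of any post above, the following Python script models the NAT decision the original config and the ASDM-generated config both rely on: a policy NAT rule (nat/global id 5) is matched before the catch-all interface PAT (id 1), and the crypto map's match ACL is evaluated against the translated source 10.1.0.8, which is why the crypto ACL must name 10.1.0.8 rather than 192.168.1.0/24. NAT exemption (nat 0) is not modelled; the outside address is a constructed stand-in for AA.183.142.222.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the thread's pre-8.3 ASA NAT rules: the policy NAT
# (nat/global id 5) for vendor-bound traffic and the catch-all interface PAT
# (nat/global id 1). NAT exemption (nat 0) is deliberately not modelled.

def net(s):
    return ipaddress.ip_network(s, strict=False)

@dataclass
class Ace:
    """One 'access-list ... extended permit ip <src> <dst>' entry."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst

POLICY_NAT_ACL = [Ace(net("192.168.1.0/24"), net("192.168.50.0/24"))]   # access-list policy-nat
POLICY_GLOBAL = "10.1.0.8"           # global (outside) 5 10.1.0.8 netmask 255.255.255.255
INTERFACE_PAT = "203.0.113.222"      # constructed stand-in for the outside address AA.183.142.222
CRYPTO_ACL = [Ace(net("10.1.0.8/32"), net("192.168.50.0/24"))]          # access-list E-MD
WRONG_CRYPTO_ACL = [Ace(net("192.168.1.0/24"), net("192.168.50.0/24"))]  # mistake: untranslated source

def translate(src, dst):
    """Return (translated source, rule name) for an inside-to-outside flow."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # A policy NAT rule (nat <id> access-list) is matched before the
    # catch-all 'nat (inside) 1 0.0.0.0 0.0.0.0' rule.
    if any(a.matches(src_ip, dst_ip) for a in POLICY_NAT_ACL):
        return POLICY_GLOBAL, "policy NAT 5"
    return INTERFACE_PAT, "interface PAT 1"

def enters_tunnel(src, dst, crypto_acl=CRYPTO_ACL):
    """The crypto map 'match address' ACL sees the post-NAT source address."""
    xlated, _ = translate(src, dst)
    return any(a.matches(ipaddress.ip_address(xlated), ipaddress.ip_address(dst))
               for a in crypto_acl)

if __name__ == "__main__":
    for dst in ("192.168.50.10", "198.51.100.7"):   # vendor host, random Internet host
        print(dst, translate("192.168.1.25", dst), enters_tunnel("192.168.1.25", dst))
    # A crypto ACL written for 192.168.1.0/24 never matches the translated flow:
    print(enters_tunnel("192.168.1.25", "192.168.50.10", WRONG_CRYPTO_ACL))
```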