VPN Site2Site with static Nat

ifabrizio
Level 1

Dear All,

I have the following network scenario:

Site1

PC with ip 192.168.1.1/32 included in the VPN

ASA5510 with ip 57.78.77.66/29

Site2

host 194.117.106.129 included in the VPN

ASA5510 with ip 194.39.131.176/30

I need to setup a Site2Site VPN tunnel, between the two ASA.

I need that when the PC 192.168.1.1 tries to connect to the host 194.118.107, the source address is NATed with a static NAT (bidirectional) to 57.78.77.69.

When one of the two sites generates traffic, the tunnel must be established.

Could someone help me, please?

Best regards,

Igor.

5 Replies

rizwanr74
Level 7

Your static NAT should look like this:

access-list NET1 extended permit ip host 192.168.1.1 host 194.118.107

static (inside,outside) 57.78.77.69 access-list NET1

------------------------------------------------------------------------------------------

VPN tunnel.

route outside 194.117.106.129 255.255.255.255 xxx.xxx.xxx.xxx <-your-default-gateway-address
route outside 194.39.131.176 255.255.255.255 xxx.xxx.xxx.xxx <-your-default-gateway-address


access-list NONAT extended permit ip host 192.168.1.1 host 194.117.106.129

access-list CRYPTO-ACL1 extended permit ip host 192.168.1.1 host 194.117.106.129

nat (inside) 0 access-list NONAT

crypto isakmp enable outside

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac


crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

crypto map static-cryptomap 1 match address CRYPTO-ACL1
crypto map static-cryptomap 1 set peer 194.39.131.176
crypto map static-cryptomap 1 set transform-set ESP-AES-128-SHA

crypto map static-cryptomap interface outside


tunnel-group 194.39.131.176 type ipsec-l2l
tunnel-group 194.39.131.176 ipsec-attributes
pre-shared-key YOUR-PASSWORD-GOES-HERE

------------------------------------------------------------------------------------

Hope that helps

Thanks

Rizwan Rafeek

Hi Rizwanr,

I followed your configuration on my ASA, but there is a problem with the static NAT: it doesn't work.

The static NAT works only if I remove the NONAT ACL.

Why? I suppose that when the NONAT ACL is present, NAT 0 excludes the traffic from being NATed until the VPN tunnel comes up.

The VPN Phase I is OK.

In Phase II I get the error "No SPI to identify Phase 2 SA"; I suspect that the ACLs differ between the two sites.

I believe that the site 2 ACL has the NATed IP 57.78.77.69 as destination and not the real one, 192.168.1.1?

Thanks & Regards,

Igor.

I have found the right config.

The problem was that the line:

access-list CRYPTO-ACL1 extended permit ip host 192.168.1.1 host 194.117.106.129

was wrong.

The right one is:

access-list CRYPTO-ACL1 extended permit ip host 57.78.77.69 host 194.117.106.129

and the NONAT access list must be removed, because the policy NAT does the job.

Best regards,

Igor.

Good to hear that things worked out for you.

The VPN tunnel as well?

Can you please post your final configuration? I would like to see it as well.

thanks

Yes, the VPN seems OK.

The configuration is equal to the one you suggested; the only differences are that

CRYPTO-ACL1 has the public (translated) address as source, and this ACL is configured in the crypto map.

The nat 0 must be disabled.

Sorry, I cannot post the config; our policy does not permit it.

Thanks & Regards,

Igor.
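To make the behaviour in this thread concrete, here is an added Python model (not Cisco code and not part of the original posts) of the ASA 8.2 NAT precedence and the post-NAT crypto-map check. It assumes, as Igor suspected, that site 2's crypto ACL references the translated address 57.78.77.69; the addresses are the ones from the thread.

```python
"""Toy model of ASA 8.2 NAT order and crypto-ACL evaluation, constructed to
illustrate the thread above (not Cisco code)."""

PC, HOST, MAPPED = "192.168.1.1", "194.117.106.129", "57.78.77.69"

# Assumption from the thread: site 2's crypto ACL mirrors the translated address.
REMOTE_CRYPTO_ACL = [(HOST, MAPPED)]

def acl_match(acl, src, dst):
    """Host-to-host ACL: does any (src, dst) entry permit this flow?"""
    return any(s == src and d == dst for s, d in acl)

def translate(src, dst, nat_rules):
    """ASA 8.2 precedence: 'nat 0' exemption wins over static policy NAT.
    nat_rules is a list of (kind, acl, mapped_ip) in that precedence order."""
    for kind, acl, mapped in nat_rules:
        if acl_match(acl, src, dst):
            return src if kind == "nat0" else mapped
    return src  # no rule matched: address unchanged

def evaluate(nat_rules, local_crypto_acl, src=PC, dst=HOST):
    """Return what the ASA does with src->dst: the source it sends, whether
    the crypto map (checked after NAT) selects the tunnel, and whether the
    resulting proxy IDs mirror the remote peer's crypto ACL (phase 2)."""
    sent_src = translate(src, dst, nat_rules)
    tunnel = acl_match(local_crypto_acl, sent_src, dst)
    proxy_ok = tunnel and acl_match(REMOTE_CRYPTO_ACL, dst, sent_src)
    return {"sent_src": sent_src, "tunnel": tunnel, "phase2_ok": proxy_ok}

NET1 = [(PC, HOST)]   # static (inside,outside) 57.78.77.69 access-list NET1
NONAT = [(PC, HOST)]  # nat (inside) 0 access-list NONAT

# First attempt in the thread: exemption present, crypto ACL on the real address.
FIRST = evaluate([("nat0", NONAT, None), ("static", NET1, MAPPED)], [(PC, HOST)])
# Working config: no exemption, crypto ACL on the translated address.
FINAL = evaluate([("static", NET1, MAPPED)], [(MAPPED, HOST)])

if __name__ == "__main__":
    print("first attempt:", FIRST)  # sent_src=192.168.1.1, phase2_ok=False
    print("final config: ", FINAL)  # sent_src=57.78.77.69, phase2_ok=True
```

Note the third case worth checking: with the exemption removed but the crypto ACL still naming 192.168.1.1, the translated flow matches no crypto ACL entry, so it would leave the outside interface outside the tunnel.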