02-16-2012 06:23 AM
Dear All,
I have the following network scenario:
Site1
PC with ip 192.168.1.1/32 included in the VPN
ASA5510 with ip 57.78.77.66/29
Site2
host 194.117.106.129 included in the VPN
ASA5510 with ip 194.39.131.176/30
I need to setup a Site2Site VPN tunnel, between the two ASA.
I need that when the PC 192.168.1.1 tries to connect to the host 194.118.107 the source address will be NATed with static NAT (bidirectional) to 57.78.77.69.
When one of the two sites generates traffic, the tunnel must be established.
Could someone help me please?
Best regards,
Igor.
02-16-2012 08:19 AM
Your static nat should look like this:
access-list NET1 extended permit ip host 192.168.1.1 host 194.118.107
static (inside,outside) 57.78.77.69 access-list NET1
------------------------------------------------------------------------------------------
VPN tunnel.
route outside 194.117.106.129 255.255.255.255 xxx.xxx.xxx.xxx <-your-default-gateway-address
route outside 194.39.131.176 255.255.255.255 xxx.xxx.xxx.xxx <-your-default-gateway-address
access-list NONAT extended permit ip host 192.168.1.1 host 194.117.106.129
access-list CRYPTO-ACL1 extended permit ip host 192.168.1.1 host 194.117.106.129
nat (inside) 0 access-list NONAT
crypto isakmp enable outside
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto map static-cryptomap 1 match address CRYPTO-ACL1
crypto map static-cryptomap 1 set peer 194.39.131.176
crypto map static-cryptomap 1 set transform-set ESP-AES-128-SHA
crypto map static-cryptomap interface outside
tunnel-group 194.39.131.176 type ipsec-l2l
tunnel-group 194.39.131.176 ipsec-attributes
pre-shared-key YOUR-PASSWORD-GOES-HERE
------------------------------------------------------------------------------------
Hope that helps
Thanks
Rizwan Rafeek
02-17-2012 02:36 AM
Hi Rizwanr,
I followed your configuration on my ASA, but there is a problem on the static NAT: it doesn't work.
The static nat works only if I remove the NONAT ACL.
Why? I suppose that when the NONAT ACL is present, the NAT 0 excludes the traffic from being NATed until the VPN tunnel goes up.
The VPN Phase I is ok.
In Phase II I got the error "No SPI to identify Phase 2 SA"; I suspect that there are different ACLs between the two sites.
I believe that the site N2 ACL has as destination the NATed IP 57.78.77.69 and not the real one 192.168.1.1?
Thanks & Regards,
Igor.
02-17-2012 03:50 AM
I have found the right config.
The problem was that the:
access-list CRYPTO-ACL1 extended permit ip host 192.168.1.1 host 194.117.106.129
was wrong.
The right one is:
access-list CRYPTO-ACL1 extended permit ip host 57.78.77.69 host 194.117.106.129
and the access-list NONAT must be removed because the policy NAT does the job.
Best regards,
Igor.
02-17-2012 06:00 AM
Good to hear that things worked out for you.
The VPN tunnel as well?
Can you please copy your final configuration? I would like to see it as well.
thanks
02-17-2012 06:16 AM
Yes, the VPN seems OK.
The configuration is equal to the one you suggested to me; the only differences are that
CRYPTO-ACL1 has as src address the public (translated) address, and this ACL will be configured in the crypto map.
The NAT 0 must be disabled.
Sorry, I cannot post the config; our policy does not permit it.
Thanks & Regards,
Igor.
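The two mistakes found in this thread (a nat 0 exemption that takes priority over the policy static NAT, and a crypto ACL written on the pre-NAT source even though NAT is applied before crypto-map matching) can be caught by reading the config. The checker below is an added example, not from the thread or from Cisco; its parser only understands the pre-8.3 ASA lines used above, and the sample configs are constructed, with the remote host assumed to be 194.117.106.129 in both ACLs.

```python
import re

# Constructed parser for the pre-8.3 ASA syntax used in the thread (not a Cisco tool)
ACL_RE = re.compile(r"access-list (\S+) extended permit ip host (\S+) host (\S+)")
STATIC_RE = re.compile(r"static \(\S+,\S+\) (\S+) access-list (\S+)")
NAT0_RE = re.compile(r"nat \(\S+\) 0 access-list (\S+)")
CRYPTO_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)")

def check(config):
    """Return findings; an empty list means policy NAT, NAT 0 and the crypto ACL agree."""
    acls, statics, nat0, crypto = {}, [], [], []
    for line in (l.strip() for l in config.splitlines()):
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3]))   # name -> [(src, dst)]
        elif m := STATIC_RE.match(line):
            statics.append((m[1], m[2]))                    # (mapped src, policy ACL)
        elif m := NAT0_RE.match(line):
            nat0.append(m[1])
        elif m := CRYPTO_RE.match(line):
            crypto.append(m[1])
    # (real src, dst) -> translated src, for every flow covered by a policy static NAT
    mapped = {(s, d): t for t, acl in statics for s, d in acls.get(acl, [])}
    findings = []
    for acl in nat0:  # NAT exemption is evaluated before static NAT, so it wins
        for flow in acls.get(acl, []):
            if flow in mapped:
                findings.append(f"{acl}: nat 0 exempts {flow[0]}->{flow[1]}; static NAT to {mapped[flow]} never applies")
    for acl in crypto:  # NAT runs before crypto-map matching on outbound traffic
        for flow in acls.get(acl, []):
            if flow in mapped:
                findings.append(f"{acl}: source {flow[0]} is translated to {mapped[flow]} before crypto matching; match the translated address")
    return findings

# Constructed sample reproducing the thread's first attempt; remote host assumed 194.117.106.129
BROKEN = """
access-list NET1 extended permit ip host 192.168.1.1 host 194.117.106.129
static (inside,outside) 57.78.77.69 access-list NET1
access-list NONAT extended permit ip host 192.168.1.1 host 194.117.106.129
nat (inside) 0 access-list NONAT
access-list CRYPTO-ACL1 extended permit ip host 192.168.1.1 host 194.117.106.129
crypto map static-cryptomap 1 match address CRYPTO-ACL1
"""
# The thread's final shape: no NAT 0, crypto ACL written on the translated source
FIXED = """
access-list NET1 extended permit ip host 192.168.1.1 host 194.117.106.129
static (inside,outside) 57.78.77.69 access-list NET1
access-list CRYPTO-ACL1 extended permit ip host 57.78.77.69 host 194.117.106.129
crypto map static-cryptomap 1 match address CRYPTO-ACL1
"""
```

check(BROKEN) reports both problems (the NONAT exemption and the pre-NAT crypto source), while check(FIXED) returns an empty list.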