topic Re: NAT internal address before passing to VPN in VPN

NAT internal address before passing to VPN

Greg Dickinson — Fri, 27 Jul 2012 03:13:49 GMT

Hi all,

I've been tasked with retiring a VPN Concentrator 3000 and replacing it with an ASA 5520. I'm trying to get a handle on how to set up the NATs and ACLs, since most of my experience is remote access VPNs, not site-to-site. Plus I've not configured a VPN 3000 in about 6 years so I'm having to re-learn a lot of the interface.

The VPN 3000 has a feature called LAN-to-LAN NAT rules that basically allow you to NAT an address on your internal network to an address on the "local" network for the LAN-to-LAN connection so it can then go through the tunnel to the remote side. The config looks something like this in the VPN 3000:

Source Network Translated Network Remote Network

172.16.3.151 192.168.200.151 10.3.136.0

Which looks to me like a "Static Policy NAT" in ASDM. So I set one of those up, that should be translating 172.16.3.151 on the inside interface to 192.168.200.151 on the inside interface (yes, the same interface) which should then (logically) be picked up as "interesting traffic" by the crypto-map and sent across the VPN tunnel. However, that doesn't seem to be the case - both the "packet trace" in the ASDM and traceroute from the source workstation show the packets getting to the inside interface, and then passed right out the outside interface to the internet router (which then drops the packets as they're a private IP).

I'm sure I've missed something fundamental...what else do I need to do to make the crypto-map pick up the NATted traffic?

Re: NAT internal address before passing to VPN

Javier Portuguez — Fri, 27 Jul 2012 04:47:13 GMT

Hi Greg,

Please attach the running-configuration of your FW.

Thanks in advance.

Portu

Re: NAT internal address before passing to VPN

Greg Dickinson — Fri, 27 Jul 2012 13:19:29 GMT

Here's an (anonymized) coy of the running config. The test tunnel I have set up is between me and the fake IP 12.13.14.66. My PC is 172.16.3.151, which should be NATted to 192.168.168.168 and sent across the tunnel. I know the tunnel is up.

: Saved

: Written by greg.dickinson at 07:59:31.060 CDT Fri Jul 27 2012

ASA Version 8.2(5)13

hostname DCP-5520-01

domain-name westchester.il.revcs.com

enable password [snipped] encrypted

passwd [snipped] encrypted

names

name 1.2.3.189 RAPP2 description RemoteApp TS Gateway

name 10.199.1.191 Int_RAPP description RemoteApp Employee Server

name 10.199.1.192 Int_RAPP2 description RemoteApp Client Server

dns-guard

interface GigabitEthernet0/0

description **Telx Level 3 Outside Interface**

nameif outside

security-level 0

ip address 1.2.3.190 255.255.255.192

ospf cost 10

interface GigabitEthernet0/1

description **Data Center Inside Interface**

speed 100

duplex full

nameif inside

security-level 100

ip address 10.199.7.250 255.255.248.0

ospf cost 10

interface GigabitEthernet0/2

description **Data Center DMZ Interface**

nameif dmz

security-level 50

ip address 10.199.8.250 255.255.255.0

ospf cost 10

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

description **Data Center 5520 Mgmt Interface**

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

ospf network point-to-point non-broadcast

management-only

banner exec $(hostname).$(domain)

banner exec Access is monitored and logged

banner asdm RCS Data Center - $(hostname)

banner asdm Access is monitored and logged

boot system disk0:/asa825-13-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns domain-lookup dmz

dns server-group CSI

name-server 172.16.2.251

domain-name cashretriever.com

dns server-group DefaultDNS

name-server 10.199.1.251

name-server 10.199.3.251

domain-name westchester.il.revcs.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network RemoteApp_Access

description RemoteApp Server RAPP2 accesses

network-object host RAPP2

object-group service TS_Gateway tcp

description RemoteApp TS Gateway access

port-object eq https

port-object eq ssh

port-object eq 3389

object-group network Livevox_Local

description LiveVox local addresses

network-object host 70.36.21.160

network-object host 70.36.21.170

object-group network Livevox_Remote

description LiveVox Remote Addresses

network-object 204.115.206.0 255.255.255.0

network-object host 8.14.80.30

network-object host 8.14.80.32

network-object host 8.14.80.33

network-object host 8.14.80.37

network-object host 8.14.80.39

network-object host 8.14.80.54

network-object host 8.14.80.62

object-group network HCH_Local

network-object 192.168.249.0 255.255.255.0

object-group network HCH_Remote

network-object 128.1.0.0 255.255.0.0

network-object 172.16.46.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip object-group HCH_Local object-group HCH_Remote

access-list inside_nat0_outbound extended permit ip object-group HCH_Local object-group HCH_Remote

access-list inside_nat0_outbound extended permit ip host 192.168.168.168 10.10.0.0 255.255.0.0

access-list RCSAdmin_splitTunnelAcl standard permit 10.199.0.0 255.255.248.0

access-list RCSAdmin_splitTunnelAcl standard permit 172.16.0.0 255.255.255.248

access-list RCSAdmin_splitTunnelAcl standard permit 192.168.167.0 255.255.255.0

access-list RCS_RA_VPN_splitTunnelAcl remark Chicago PC Network

access-list RCS_RA_VPN_splitTunnelAcl standard permit 192.168.167.0 255.255.255.0

access-list RCS_RA_VPN_splitTunnelAcl standard permit 192.168.165.0 255.255.255.0

access-list RCS_RA_VPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0

access-list RCS_RA_VPN_splitTunnelAcl standard permit 192.168.50.0 255.255.255.0

access-list RCS_RA_VPN_splitTunnelAcl standard permit 192.168.5.0 255.255.255.252

access-list RCS_RA_VPN_splitTunnelAcl remark Birmingham Subnet

access-list RCS_RA_VPN_splitTunnelAcl standard permit 172.16.0.0 255.255.255.248

access-list RCS_RA_VPN_splitTunnelAcl remark Point-to-Point Interfaces

access-list RCS_RA_VPN_splitTunnelAcl standard permit 10.255.255.0 255.255.255.240

access-list RCS_RA_VPN_splitTunnelAcl remark Data Center Subnet

access-list RCS_RA_VPN_splitTunnelAcl standard permit 10.199.0.0 255.255.240.0

access-list outside_2_cryptomap extended permit ip host 192.168.168.168 10.10.0.0 255.255.0.0

access-list RCS_RA_splitClient standard permit host Int_RAPP

access-list RCS_RA_splitClient standard permit host Int_RAPP2

access-list inside_nat_static extended permit ip host 172.16.3.151 10.10.0.0 255.255.0.0

access-list ACL_Remote_APP webtype permit url rdp://10.199.1.191 log default

access-list ACL_Remote_APP webtype permit url

https://10.199.1.192

log default

pager lines 24

logging enable

logging monitor informational

logging buffered informational

logging asdm informational

logging from-address

dcp-5520-asa@revcs.com

logging recipient-address

network@revcs.com

level errors

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu management 1500

ip local pool RCS_AnyConnect_Pool 10.199.2.232-10.199.2.250 mask 255.255.255.255

ip local pool DMZ_AnyConnect 10.199.8.50-10.199.8.75

no failover

no monitor-interface inside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

asdm image disk0:/asdm-647.bin

asdm location Int_RAPP 255.255.255.255 inside

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) RAPP2 Int_RAPP2 netmask 255.255.255.255

static (inside,inside) 192.168.168.168 access-list inside_nat_static

route outside 0.0.0.0 0.0.0.0 1.2.3.129 1

route inside 10.255.255.0 255.255.255.0 10.199.7.1 1

route inside 172.16.0.0 255.255.248.0 10.199.7.1 1

route inside 192.168.167.0 255.255.255.0 10.199.7.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server AD protocol nt

aaa-server AD (inside) host 10.199.1.251

nt-auth-domain-controller RCS-DC-01

aaa-server AD (inside) host 10.199.3.251

nt-auth-domain-controller CHI-DC-01

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 10.199.1.251

key [snipped]

authentication-port 1812

accounting-port 1813

acl-netmask-convert auto-detect

aaa-server RADIUS (inside) host 172.16.2.251

key [snipped]

authentication-port 1812

accounting-port 1813

aaa-server AD2003 protocol ldap

aaa-server AD2003 (inside) host 10.199.1.251

ldap-base-dn [snipped]

server-type microsoft

aaa-server AD2003 (inside) host 192.168.167.251

ldap-base-dn [snipped]

server-type microsoft

aaa-server AD2008 protocol ldap

aaa-server AD2008 (inside) host 10.199.1.251

server-type microsoft

aaa authentication enable console AD LOCAL

aaa authentication http console AD LOCAL

aaa authentication ssh console AD LOCAL

aaa authentication secure-http-client

aaa authentication listener https outside port https

http server enable

http 172.16.0.0 255.255.248.0 inside

http 10.199.0.0 255.255.248.0 inside

http 192.168.1.0 255.255.255.0 management

http redirect outside 80

snmp-server host inside 10.199.1.199 community revcs-161V version 2c

snmp-server location Data Center

snmp-server contact

network@revcs.com

snmp-server community revcs-161D

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 set pfs

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 60 set pfs

crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 5.6.7.225

crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set peer 12.13.14.66

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

network@revcs.com

subject-name CN=DCP-5520-01,O=Revenue Cycle Solutions

serial-number

proxy-ldc-issuer

crl configure

crypto ca trustpoint LOCAL-CA-SERVER

keypair LOCAL-CA-SERVER

crl configure

crypto ca server

shutdown

database path disk0:/

smtp from-address

DCP-5520-01@revcs.com

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca [snipped]

quit

crypto ca certificate chain ASDM_TrustPoint0

certificate [snipped]

quit

crypto ca certificate chain LOCAL-CA-SERVER

certificate ca [snipped]

quit

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 15

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 20

authentication pre-share

encryption aes-256

hash md5

group 2

lifetime 86400

crypto isakmp policy 25

authentication pre-share

encryption des

hash md5

group 1

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 1

lifetime 86400

crypto isakmp policy 35

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 45

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

crypto isakmp policy 50

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 28800

crypto isakmp policy 55

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 3600

crypto isakmp policy 75

authentication pre-share

encryption 3des

hash sha

group 1

lifetime 86400

vpn-addr-assign local reuse-delay 5

telnet timeout 5

ssh 172.16.0.0 255.255.248.0 inside

ssh 10.199.0.0 255.255.248.0 inside

ssh 192.168.167.0 255.255.255.0 inside

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 15

ssh version 2

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 130.126.24.24

ntp server 10.199.7.1 source inside prefer

ntp server 130.126.24.53 source dmz

ntp server 130.126.24.44

tftp-server inside 10.199.1.199 Configs/

ssl trust-point ASDM_TrustPoint0 inside

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

enable inside

svc image disk0:/anyconnect-win-3.0.5075-k9.pkg 1

svc profiles RCSAdmin_AnyConnect_Profile disk0:/rcsadmin_anyconnect_profile.xml

svc profiles RCSClient_AnyConnect_Profile disk0:/rcsclient_anyconnect_profile.xml

svc enable

port-forward Client_RAPP_Server 2080 10.199.1.192 https RAPP2 TS Web Access Server Page

port-forward RCS_RAPP_Server 2081 10.199.1.191 https RCS Employee RemoteApp Server Access

tunnel-group-list enable

group-policy RCSAdmin internal

group-policy RCSAdmin attributes

wins-server none

dns-server value 10.199.1.251 10.199.3.251

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value RCS_RA_VPN_splitTunnelAcl

default-domain value westchester.il.revcs.com

secure-unit-authentication disable

user-authentication disable

user-authentication-idle-timeout none

ip-phone-bypass disable

leap-bypass disable

nem disable

address-pools value RCS_AnyConnect_Pool

client-firewall none

client-access-rule none

webvpn

homepage none

svc dtls enable

svc mtu 1406

svc keep-installer installed

svc keepalive 20

svc dpd-interval client 30

svc dpd-interval gateway 30

svc compression none

svc modules value dart

svc profiles value RCSAdmin_AnyConnect_Profile

svc ask enable default svc timeout 15

customization value DfltCustomization

deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.

svc df-bit-ignore disable

group-policy DfltGrpPolicy attributes

dns-server value 10.199.1.251 10.199.3.251

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value RCS_RA_splitClient

default-domain value westchester.il.revcs.com

split-dns value westchester.il.revcs.com revcs.com cashretriever.com

address-pools value RCS_AnyConnect_Pool

webvpn

svc profiles value RCSClient_AnyConnect_Profile

svc ask none default svc

group-policy LiveVox_VPN internal

group-policy LiveVox_VPN attributes

vpn-tunnel-protocol IPSec

group-policy HCH_L2L_VPN internal

group-policy HCH_L2L_VPN attributes

vpn-tunnel-protocol l2tp-ipsec

username admin password [snipped] encrypted privilege 15

username support password [snipped] encrypted privilege 15

username gilbert.martin password [snipped] encrypted privilege 15

username will.banister password [snipped] encrypted privilege 15

tunnel-group DefaultRAGroup general-attributes

address-pool (dmz) DMZ_AnyConnect

address-pool RCS_AnyConnect_Pool

authentication-server-group AD LOCAL

authentication-server-group (dmz) AD

accounting-server-group RADIUS

password-management password-expire-in-days 5

tunnel-group DefaultWEBVPNGroup general-attributes

authentication-server-group AD LOCAL

tunnel-group 5.6.7.225 type ipsec-l2l

tunnel-group 5.6.7.225 general-attributes

default-group-policy HCH_L2L_VPN

tunnel-group 5.6.7.225 ipsec-attributes

pre-shared-key [snipped]

tunnel-group 8.9.10.125 type ipsec-l2l

tunnel-group 8.9.10.125 ipsec-attributes

pre-shared-key [snipped]

tunnel-group RCS-AnyConnect type remote-access

tunnel-group RCS-AnyConnect general-attributes

address-pool (inside) RCS_AnyConnect_Pool

address-pool RCS_AnyConnect_Pool

authentication-server-group AD LOCAL

authentication-server-group (inside) AD

accounting-server-group RADIUS

default-group-policy RCSAdmin

password-management password-expire-in-days 5

tunnel-group RCS-AnyConnect webvpn-attributes

group-alias RCS_AnyConnect enable

tunnel-group 12.13.14.66 type ipsec-l2l

tunnel-group 12.13.14.66 ipsec-attributes

pre-shared-key [snipped]

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

smtp-server 10.199.8.188

prompt hostname context

call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email

callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:8ddd612ce980d489fb8b4690a9a847c2

: end

Re: NAT internal address before passing to VPN

nkarthikeyan — Fri, 27 Jul 2012 15:54:13 GMT

Hi Greg,

Yes. You can get that done but you need to do nat for the crypto acl simply. but the crypto acl from the other end should get pointed to the nat ip address of yours. I will be posting you an example in next post

Please do rate for the helpful posts.

Karthik

Re: NAT internal address before passing to VPN

nkarthikeyan — Fri, 27 Jul 2012 16:12:27 GMT

Hi,

access-list vpnout extended permit ip object-group localnet_sn object-group ETNW (ACL for PAT)

access-list vpnpat extended permit ip object-group S2S_PAT object-group ETNW (ACL for VPN crypto)

global (outside) 5 10.98.203.112-10.98.203.125 netmask 255.255.255.240

nat (inside) 5 access-list vpnout

crypto map site2 10 match address vpnpat

Please do rate for the helpful posts.

Karthik

Re: NAT internal address before passing to VPN

Greg Dickinson — Fri, 27 Jul 2012 16:27:50 GMT

Thanks Karthik... I guess the only questions I have are what do the various object-groups represent?

Localnet_sn, S2S_PAT, and ETNW?

Re: NAT internal address before passing to VPN

nkarthikeyan — Sat, 28 Jul 2012 04:39:22 GMT

Hi Greg Dickinson,

This is the scenario. You may have multiple object groups in your scenario can be done.

Your original LAN IP to the Site -B LAN IP permit acl should be used for NAT/PAT.

access-list NAT_ACLpermit ip 172.16.3.0 255.255.255.0 10.3.136.0 255.255.255.0

static (inside,outside) 192.168.200.0 255.255.255.0 access-list NAT_ACL

access-list CryptoACL permit ip 192.168.200.0 255.255.255.0 10.3.136.0 255.255.255.0

crypto map outside_map 1 match address CryptoACL

Your NAT/PAT IP to LAN IP subnet/IP's @ Site B will be the Cryptoacl for VPN.

So whenever you hit a traffic for site to site from you LAN it will hit the NAT/PAT and get translated.

Then your crypto acl will be with your PAT IP and it should in sync with the Site B.

Please do rate for the helpful posts.

Karthik

Re: NAT internal address before passing to VPN

Greg Dickinson — Sat, 28 Jul 2012 16:56:24 GMT

That's the missing link. Thanks for the help!