topic Hi Dinesh, in Network Security

Site-to-Site VPN with Source NAT

haidar_alm — Tue, 12 Mar 2019 07:30:57 GMT

Hi guys,

I'm trying to use ASDM on ASA version 9.5(1) where I need to set up a site to site VPN with my local inside server to be NAT-ed to a different address in order to mitigate IP address Overlapping.

I've seen a few examples using CLI, but I'm wondering what's the best way to do this using ASDM?

I'm aware that this is an overkill since there is no overlap of subnets. However, this is a requirement that I'm trying to work on..

Below are the steps and my thoughts:

My local server for argument's sake is 1.1.1.1, remote server is 2.2.2.2

When I go through the VPN setup, I enter peer IP, local and remote hosts, and I get to NAT Exempt..

I keep this option of NAT Exempt unticked, finalize wizard.

Then, create a Static NAT:

Match Criteria: Original Packet

Source: Inside
Destination: Outside
Source NAT Type: Static
Source Address: Local Server
Destination Address: Remote Server
Service: any

Action: Translated Packet
Source NAT Type: Static
Source Address: In here I put the Mapped IP of 3.3.3.3
Destination Address: Original

Enable Rule
Direction: Both

Am I thinking along the right lines or am I way off the track here?

Any suggestion would be helpful.

Many thanks...
🙂

If you wish to accomplish the

Dinesh Moudgil — Sun, 20 Mar 2016 04:49:31 GMT

If you wish to accomplish the IP 1.1.1.1 to be translated to 3.3.3.3 when you are communicating to 2.2.2.2, then this natting looks correct.

Make sure the crypto access-list is defined from 3.3.3.3 to 2.2.2.2 , rather 1.1.1.1 to 2.2.2.2, as the source will be translated before sending the packet over the tunnel/.

Additionally, you can run packet-tracer to see the packet is traversing the ASA correctly.

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Hi Dinesh,

haidar_alm — Mon, 21 Mar 2016 11:34:44 GMT

Hi Dinesh,

Thanks for your reply!
All configured, I'm waiting for other party to configure their end and start testing.

May I ask where I can set the Renegotiation of Phase 2 in seconds?

I've looked and can only find the Phase 1 as per below:

crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400

Many thanks,

Hi Haidar,

Aditya Ganjoo — Mon, 21 Mar 2016 11:49:36 GMT

Hi Haidar,

Here is the command to configure the Phase 2 lifetime:

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

https://supportforums.cisco.com/document/105381/basic-l2l-configuration-platform-independent-approach#Phase-2_Lifetime_Setting

On ASDM go to the Connection profile edit the connection and go to the advanced tab and expand it.

Click on the crypto map entry tab and you would see the Security association lifetime.

You can enter the desired values and this would change the PHASE-2 lifetime.

Hope it answers your query.

Regards,

Aditya

Please rate helpful posts.

Ah, I saw that earlier but

haidar_alm — Mon, 21 Mar 2016 12:13:52 GMT

Ah, I saw that earlier but wasn't sure if it was for phase 1 or 2.

Will update post once testing is complete.. hopefully all will be good..

Thank you for your help!

🙂

Hi Dinesh,

haidar_alm — Wed, 23 Mar 2016 09:14:15 GMT

Hi Dinesh,

Worked like a treat.. many thanks for your help mate!

🙂

Hi Aditya,

haidar_alm — Wed, 23 Mar 2016 09:14:46 GMT

Hi Aditya,

All done and working, thanks for your assistance mate.

🙂