Site-to-Site VPN with Source NAT

haidar_alm
Level 1

Hi guys,

I'm trying to use ASDM on ASA version 9.5(1), where I need to set up a site-to-site VPN with my local inside server NAT-ed to a different address in order to mitigate IP address overlapping.

I've seen a few examples using CLI, but I'm wondering what's the best way to do this using ASDM?

I'm aware that this is overkill since there is no overlap of subnets. However, this is a requirement that I'm trying to work on.

Below are the steps and my thoughts:

My local server, for argument's sake, is 1.1.1.1 and the remote server is 2.2.2.2.

When I go through the VPN setup, I enter the peer IP and the local and remote hosts, and I get to NAT Exempt.

I keep the NAT Exempt option unticked and finalize the wizard.

Then, create a Static NAT:

Match Criteria: Original Packet

Source: Inside
Destination: Outside
Source NAT Type: Static
Source Address: Local Server
Destination Address: Remote Server
Service: any

Action: Translated Packet
Source NAT Type: Static
Source Address: In here I put the Mapped IP of 3.3.3.3
Destination Address: Original

Enable Rule
Direction: Both

Am I thinking along the right lines or am I way off the track here?

Any suggestion would be helpful.

Many thanks...
:)


6 Replies

Dinesh Moudgil
Cisco Employee

If you wish the IP 1.1.1.1 to be translated to 3.3.3.3 when you are communicating with 2.2.2.2, then this NATting looks correct.

Make sure the crypto access-list is defined from 3.3.3.3 to 2.2.2.2, rather than 1.1.1.1 to 2.2.2.2, as the source will be translated before the packet is sent over the tunnel.

Additionally, you can run packet-tracer to see whether the packet is traversing the ASA correctly.

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh,

Thanks for your reply!
All configured; I'm waiting for the other party to configure their end so we can start testing.

May I ask where I can set the Renegotiation of Phase 2 in seconds?

I've looked and can only find the Phase 1 as per below:

crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400

Many thanks,

Hi Haidar,

Here is the command to configure the Phase 2 lifetime:

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

https://supportforums.cisco.com/document/105381/basic-l2l-configuration-platform-independent-approach#Phase-2_Lifetime_Setting

In ASDM, go to the Connection Profile, edit the connection, then go to the Advanced tab and expand it.

Click on the Crypto Map Entry tab and you will see the Security Association Lifetime.

You can enter the desired values there, and this will change the Phase 2 lifetime.

Hope it answers your query.

Regards,

Aditya

Please rate helpful posts.
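The ASDM steps from the question, Dinesh's point about the crypto access-list, and Aditya's Phase 2 lifetime setting, written out as the equivalent ASA CLI. This is an added example and not configuration posted by anyone in the thread; the object and crypto map names are assumed, the addresses are the thread's 1.1.1.1 / 2.2.2.2 / 3.3.3.3 stand-ins, and the peer address and pre-shared key are placeholders.

```cisco
! Network objects (names assumed for this example)
object network LOCAL-SERVER
 host 1.1.1.1
object network LOCAL-SERVER-MAPPED
 host 3.3.3.3
object network REMOTE-SERVER
 host 2.2.2.2
!
! Twice NAT, equivalent to the ASDM static rule with Direction "Both"
! (no "unidirectional" keyword): 1.1.1.1 appears as 3.3.3.3 only when
! talking to 2.2.2.2, and the destination is left unchanged.
nat (inside,outside) source static LOCAL-SERVER LOCAL-SERVER-MAPPED destination static REMOTE-SERVER REMOTE-SERVER
!
! The crypto ACL must match the post-NAT source (3.3.3.3), not the real
! inside address; "permit ip host 1.1.1.1 host 2.2.2.2" would never match.
access-list L2L-CRYPTO extended permit ip host 3.3.3.3 host 2.2.2.2
!
! Phase 1 policy as shown in the thread, plus a Phase 2 proposal
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! Crypto map entry; the per-entry SA lifetime is what ASDM exposes under
! Connection Profile > Advanced > Crypto Map Entry (Phase 2 lifetime).
crypto map OUTSIDE-MAP 10 match address L2L-CRYPTO
crypto map OUTSIDE-MAP 10 set peer <PEER-IP>
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 28800
crypto map OUTSIDE-MAP 10 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE-MAP interface outside
!
tunnel-group <PEER-IP> type ipsec-l2l
tunnel-group <PEER-IP> ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY>
!
! Check: the NAT phase should show 1.1.1.1 translated to 3.3.3.3 and the
! VPN phase should report ALLOW. A DROP in the VPN phase with the NAT phase
! correct is a common sign that the crypto ACL still lists 1.1.1.1.
packet-tracer input inside tcp 1.1.1.1 12345 2.2.2.2 443 detailed
```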

Ah, I saw that earlier but wasn't sure if it was for phase 1 or 2.

Will update post once testing is complete.. hopefully all will be good..

Thank you for your help!

:)

Hi Aditya,

All done and working, thanks for your assistance mate.

:)

haidar_alm
Level 1

Hi Dinesh,

Worked like a treat.. many thanks for your help mate!

:)
