Cisco ASA 5510 IPSEC

Dears,

I have two Cisco ASA 5510s in two different sites. I have created an IPsec tunnel between them and it works fine; I can ping local hosts from both sides.

Site 1 local network is: 192.168.1.0/24

Site 2 local network is: 172.16.10.0/24

The issue is that in site 2 there is only one server that has the IP 192.168.1.10, and they don't need to change its IP address. So from site 1 I can't reach this IP address, as it overlaps with the site 1 network. So when site 1 needs to access this server, I need them to access 10.10.10.10, which should be translated to 192.168.1.10 in site 2. I tried to make a static NAT, but it's not working.

Actually I am a beginner with the ASA, so I am using only ASDM. Can anyone help me with this issue, please?



rizwanr74 (Level 7)

Hello Br. Hassan,

You can add a static route on your ASA to push the traffic for IP 192.168.1.10 towards the ASA's gateway address with a /32 mask; likewise, you would add another static route (192.168.1.10/32) on your internal switch to push the traffic toward the ASA's inside address, so that it will be captured by the ASA's crypto engine.

On the site 1 ASA: route outside 192.168.1.10 255.255.255.255 x.x.x.x (assume x.x.x.x is your ASA's gateway address).

On your internal switch at site 1, add a static route: 192.168.1.10 255.255.255.255 y.y.y.y (y.y.y.y = the ASA's inside address).

At site 1, now incorporate host IP 192.168.1.10/32 in the same tunnel crypto ACL and in the NAT exemption for tunnel-bound traffic, and modify the tunnel at both ends to permit the traffic for IP 192.168.1.10.

For site 1, this IP, 192.168.1.10, is a remote host.

For site 2, this IP, 192.168.1.10, is a local host.

Thanks

Rizwan Rafeek
Thanks for your answer, but this is not what I need.

I need to translate 192.168.1.10 to 10.10.10.10 when this host is accessing site 2.

How do I do NAT on the firewall?

Please check the attached diagram.

The one I suggested is the simplest solution.

What is your firewall version?

Cisco ASA 5510 with version 8.2.

You can try a static policy NAT as follows at site 2.

access-list pnat1 extended permit ip host 192.168.1.10 192.168.1.0 255.255.255.0
static (inside,outside) 10.10.10.10 access-list pnat1

Now incorporate host 10.10.10.10 in the crypto ACL and DO NOT add host 10.10.10.10 for NAT exemption.

If users at site 2 want access to host 192.168.1.10, then you will have a problem; however, they may be able to access it with the IP 10.10.10.10 instead.

Thanks.

I tried your solution, but it's not working:

access-list inside_nat_static line 1 extended permit ip host 192.168.1.10 192.168.1.0 255.255.255.0

static (inside,Outside) 10.10.10.10 access-list inside_nat_static

Could you please check and give feedback?

 

Hello Hassan,

Tell me, is your subnet (192.168.1.0/24) a directly connected interface on the ASA at site 2?

 

Actually, to make it easy they changed the subnet, but I still need to do NAT.

Now I need anyone in subnet 192.168.1.0/24 who needs to access 172.16.10.20 to first access 10.10.10.10, which should be translated on the other side to 172.16.10.20.

In my site 1 subnet (192.168.1.0/24), in the crypto ACL I allowed:

Local Network: 192.168.1.0/24

Remote Net: 10.10.10.10, 172.16.10.0/24

And here I added NAT exemption:

access-list inside_nat0_outbound line 10 extended permit ip 192.168.1.0 255.255.255.0 host 10.10.10.10

access-list inside_nat0_outbound line 10 extended permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0

In site 2 subnet (172.16.10.0/24), in the crypto ACL I allowed:

Local Net: 10.10.10.10, 172.16.10.0/24

Remote Net: 192.168.1.0/24

And here I added a static policy NAT:

access-list inside_nat_static line 1 extended permit ip host 172.16.10.20 192.168.1.0 255.255.255.0
static (inside,Outside) 10.10.10.10 access-list inside_nat_static

Also, please find the attached updated diagram, and note that all subnets in the two sites are terminated on an L3 switch, not directly on the firewall.

Hello Hassan,

You said: "Actually, to make it easy they changed the subnet, but I still need to do NAT."

I assume that your host (192.168.1.10) at site 2 now has the IP address 172.16.10.20, in which case you don't need any policy NAT; just incorporate both subnets in the crypto ACL and include them for NAT exemption, and you should be good.

Thanks

 

Yes, you are right, but I still need the static policy NAT, as we will apply it in another scenario. So can you please check my above configuration and tell me what is wrong?

I mean, let's say I need any host in 192.168.1.0 that needs to access 172.16.10.20 to call 10.10.10.10, which will be translated to the actual IP 172.16.10.20. So can you please work on this case?

Hello Hassan,

"I mean, let's say I need any host in 192.168.1.0 that needs to access 172.16.10.20 to call 10.10.10.10, which will be translated to the actual IP 172.16.10.20. So can you please work on this case?"

What you have below is the correct config for static policy NAT, and remember this policy NAT will kick in only for users accessing from this subnet, 192.168.1.0/24, alone. Policy NAT is a conditional NAT; when the condition is met, the firewall will NAT accordingly.

access-list inside_nat_static line 1 extended permit ip host 172.16.10.20 192.168.1.0 255.255.255.0
static (inside,Outside) 10.10.10.10 access-list inside_nat_static

Be sure to add a static route to push subnet 192.168.1.0/24 towards the ASA's default gateway address.

Thanks
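An added example, not part of the thread and not Cisco code: a small Python model of how the site 2 ASA picks a translation for the configuration above under pre-8.3 NAT (version 8.2, as in this thread). On 8.2 the order of operations is NAT exemption (nat 0 access-list) first, then static NAT (regular and policy), then dynamic NAT, and the crypto ACL is evaluated against post-NAT addresses. The model uses the policy static and the crypto ACL exactly as posted for site 2, a constructed site 1 host 192.168.1.50, and two constructed nat 0 ACLs for comparison; it assumes a nat 0 ACL honours a deny entry as "not exempt" with first-match semantics. It shows that a connection from site 1 to 10.10.10.10 is untranslated to 172.16.10.20 and its replies leave as 10.10.10.10 on the same xlate regardless of the exemption ACL, whereas a connection the server itself opens towards 192.168.1.0/24 leaves as 172.16.10.20 when a nat 0 entry covers the whole 172.16.10.0/24 subnet, because exemption wins over the policy static.

```python
"""Model of ASA 8.2 NAT selection for the site 2 firewall in the thread.
Added example; not Cisco code and not from the original post."""
from ipaddress import ip_address, ip_network

# Addresses taken from the thread.
REAL_SERVER = ip_address("172.16.10.20")   # server behind the site 2 ASA
MAPPED_SERVER = ip_address("10.10.10.10")  # address site 1 must use for it


def ace(action, src, dst):
    """One 'permit|deny ip <src> <dst>' entry of an extended access-list."""
    return (action, ip_network(src), ip_network(dst))


def acl_permits(acl, src, dst):
    """First-match semantics; no match is an implicit deny."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False


# access-list inside_nat_static extended permit ip host 172.16.10.20 192.168.1.0 255.255.255.0
# static (inside,Outside) 10.10.10.10 access-list inside_nat_static
POLICY_STATIC_ACL = [ace("permit", "172.16.10.20/32", "192.168.1.0/24")]

# Crypto ACL at site 2 as posted: local 10.10.10.10 and 172.16.10.0/24, remote 192.168.1.0/24.
# The ASA matches it against post-NAT addresses.
CRYPTO_ACL = [ace("permit", "10.10.10.10/32", "192.168.1.0/24"),
              ace("permit", "172.16.10.0/24", "192.168.1.0/24")]


def outbound_xlate(src, dst, nat_exempt_acl):
    """First packet inside->outside: ASA 8.2 tries nat 0 (exemption) before any static."""
    if acl_permits(nat_exempt_acl, src, dst):
        return src, "nat 0 access-list"
    if acl_permits(POLICY_STATIC_ACL, src, dst):
        return MAPPED_SERVER, "static policy"
    return None, "no rule"   # would fall through to dynamic nat/global (not modelled)


def inbound_xlate(src, dst):
    """First packet outside->inside: the static untranslates its mapped address only
    when the packet source lies in the policy ACL's destination (remote) network."""
    if dst == MAPPED_SERVER and any(src in d for _, _, d in POLICY_STATIC_ACL):
        return REAL_SERVER, "static policy"
    return dst, "no rule"


def site1_to_server(site1_host):
    """Flow initiated from site 1 to 10.10.10.10. The reply reuses the xlate the
    first packet built, so the nat 0 ACL has no say in this direction."""
    src = ip_address(site1_host)
    real_dst, rule = inbound_xlate(src, MAPPED_SERVER)
    reply_src = MAPPED_SERVER if rule == "static policy" else real_dst
    return {"delivered_to": str(real_dst), "rule": rule,
            "reply_seen_as": str(reply_src),
            "reply_encrypted": acl_permits(CRYPTO_ACL, reply_src, src)}


def server_to_site1(site1_host, nat_exempt_acl):
    """Flow initiated by the server itself towards a site 1 host."""
    dst = ip_address(site1_host)
    out_src, rule = outbound_xlate(REAL_SERVER, dst, nat_exempt_acl)
    return {"leaves_as": None if out_src is None else str(out_src), "rule": rule,
            "encrypted": out_src is not None and acl_permits(CRYPTO_ACL, out_src, dst)}


# Two constructed nat 0 ACLs for site 2 (assumption: deny entries mean "not exempt").
EXEMPT_WHOLE_SUBNET = [ace("permit", "172.16.10.0/24", "192.168.1.0/24")]
EXEMPT_ALL_BUT_SERVER = [ace("deny", "172.16.10.20/32", "192.168.1.0/24"),
                         ace("permit", "172.16.10.0/24", "192.168.1.0/24")]

if __name__ == "__main__":
    for name, exempt in (("whole subnet exempt", EXEMPT_WHOLE_SUBNET),
                         ("server carved out of exemption", EXEMPT_ALL_BUT_SERVER)):
        print(name)
        print("  site 1 -> 10.10.10.10 :", site1_to_server("192.168.1.50"))
        print("  server -> site 1      :", server_to_site1("192.168.1.50", exempt))
```

Running it prints both exemption variants side by side. The routing advice in the thread still applies on top of this: the packet only reaches the ASA's NAT and crypto engine if the L3 switch at site 2 routes 192.168.1.0/24 to the ASA's inside address and the site 1 side routes 10.10.10.10 into its own tunnel.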

I applied the access list above in site 2 and also the static route, but I still can't ping 10.10.10.10.

Maybe ping is disabled on this host; see if RDP is enabled and try RDP to the host address.

 

Thanks, my friend, it works fine.
