Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
975
Views
5
Helpful
7
Replies

IPSec L2L and NAT

Go to solution
Statically
Level 1
Level 1

‎10-08-2012 08:25 AM - edited ‎03-11-2019 05:06 PM

Good afternoon,

Sorry for asking such a beginner question but I am running a little short on time so thought I would post in here as you are always so very helpful while researching myself.

I have two ASAs set up in a lab which I have set up a Site-to-Site VPN and all is well. I also need to add PAT to the devices so any traffic not destined for the VPN go out to the default route on the ASA. The problem is whenever I add the typical PAT command of

Nat (inside,outside) source dynamic NAT interface (with NAT being a network object of my subnet)

or similar, this instantly stops any traffic flowing down the VPN. Excuse my novice-ness, any help would be greatly appreciated as I am sure I am not using my brain here!

Kind regards,

Sam

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Statically

‎10-08-2012 11:35 AM

Hello Sam,

Where is the NAT setup??

Anyway, here is what you need

object network local_lan

subnet 10.240.0.0 255.255.255.0

object network remote-lan

subnet 10.240.1.0 255.255.255.0

nat (inside,outside) source static local_lan local_lan destination static remote-lan remote-lan

nat (inside,outside) source dynamic any interface

Any other question..Sure..Just remember to rate all of my helpful answers

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Statically
Level 1
Level 1

‎10-08-2012 08:30 AM

Apologies these are two 5505s and using 8.4.

0 Helpful

Go to solution
Statically
Level 1
Level 1
In response to Statically

‎10-08-2012 08:48 AM

Also - running config, as you can see I used ASDM for the VPN, just for speed purposes -

ASA Version 8.4(4)1
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif outside
security-level 0
ip address 192.168.0.2 255.255.255.0
!
interface Vlan2
nameif inside
security-level 100
ip address 10.240.0.1 255.255.255.0
!
ftp mode passive
object network NAT
subnet 10.240.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.240.0.0 255.255.255.0 10.240                                                                                        .1.0 255.255.255.0
access-list from_outside extended permit icmp any any echo
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.240.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.1.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5                                                                                         ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ES                                                                                        P-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_192.168.1.2 internal
group-policy GroupPolicy_192.168.1.2 attributes
vpn-tunnel-protocol ikev1 ikev2
username planetadmin password HQcYarQj.Yoy8WE9 encrypted privilege 15
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 general-attributes
default-group-policy GroupPolicy_192.168.1.2
tunnel-group 192.168.1.2 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DD                                                                                        CEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:86b9d6214f504d9ca205b610613c4a78
: end

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Statically

‎10-08-2012 11:35 AM

Hello Sam,

Where is the NAT setup??

Anyway, here is what you need

object network local_lan

subnet 10.240.0.0 255.255.255.0

object network remote-lan

subnet 10.240.1.0 255.255.255.0

nat (inside,outside) source static local_lan local_lan destination static remote-lan remote-lan

nat (inside,outside) source dynamic any interface

Any other question..Sure..Just remember to rate all of my helpful answers

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Statically
Level 1
Level 1
In response to Julio Carvajal

‎10-08-2012 12:25 PM

Hello Julio,

Sorry, I had removed the NAT at the time for testing puposes. I think you may be my new hero. Unfortunately I'm not going to be able to test it for the time being but I think you are certainly on the right lines. I had not set a specific nat entry for the VPN so it was being sent through the dynamic NAT. Excuse when I kept mentioning PAT, I had been doing port redirection all afternoon....

The thing that throws me is, I would not have thought an L2L VPN would need NAT if the networks were connecting to each other, so am a touch confused....

nat (inside,outside) source static local_lan local_lan destination static remote-lan remote-lan

What does the previous command actually do?

Many thanks for your help.

Sam

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Statically

‎10-08-2012 12:27 PM

Hello,

That NAT rule will not NAT the traffic when the source is X ( Local_lan) and Y  is the destination ( Destination_Lan)

So basically we are letting the ASA know, Do not NAT the VPN traffic

Any other question..Sure..Just remember to rate all of my helpful answers

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Go to solution
Statically
Level 1
Level 1
In response to Julio Carvajal

‎10-08-2012 12:59 PM

You are beyond a legend, and no I will not forget, I'm not the type to not appreciate advice.

Thanks once again.

Sam

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Statically

‎10-08-2012 01:43 PM

Hello Sam,

Thanks for all your kind words.

have a great day

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card