10-03-2013 02:04 PM - edited 03-11-2019 07:47 PM
Hi All,
I have a Cisco ASA 5510 configured as a gateway for my network. The problem is that I want to create a new subnet for my network, and I have a VPN tunnel established to the headquarters. The objective is to create a subnet and NAT it to the already configured subnet through the tunnel. Is this possible? Till now I am able to create a subnet and make it go to the internet, but I have tried a lot to make it go through the tunnel and it's not working. Has anyone faced such a problem before?
thanks for your help,
Cordially
10-03-2013 05:17 PM
Hello,
It really depends on the type of tunnel that you have. I am assuming that you have an IPsec tunnel; however, this would require changes on both devices, the headend device (the one that terminates the tunnel at the HQ) and the one locally.
Mainly there should be a crypto ACL to which you need to add the new subnet, and on the headend there should be the same ACL, but mirrored, and what you need to do is configure the new statement on that ACL. Something like this:
Your end:
access-list crypto permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0
On the other end:
access-list crypto permit ip y.y.y.y 255.255.255.0 x.x.x.x 255.255.255.0
Of course this ACL is tied to a crypto map that contains the parameters to encrypt the traffic and so on; your job is to find that ACL and add the missing statement.
Mike
10-04-2013 02:13 AM
Thanks for your reply. The problem is that I want to configure only one side of the tunnel, my side. And yes, you are right, it's an IPsec tunnel. Is there a way to do this?
10-04-2013 02:19 AM
Hi,
So are you saying that you have one existing subnet on your LAN and you have added another subnet on your LAN? And this new subnet should be able to use the existing L2L VPN while using the original subnets address space?
You should be able, for example, to pick out some free/unused IP address in the original subnet (configured on the L2L VPN as your source) and configure a Dynamic Policy PAT for your new subnet's users when they are connecting to the remote networks behind the L2L VPN. This way they would be PATed to the IP address that is part of the current L2L VPN configuration, and their traffic should be tunneled into the L2L VPN just fine.
Naturally, as we are talking about a PAT translation, this would only enable your side initiating connections to the central site and NOT vice versa. For the central site to be able to connect to your site, you would have to configure Static Policy NAT for the hosts that need to be contacted from the central site.
The best practice would be to modify the L2L VPN crypto ACLs rather than create special configurations. Naturally, the special configurations mentioned above negate the need to modify the VPN configurations, which people usually choose when they are forced to use them.
We can't really provide you with the exact NAT configurations needed, as we have no idea of your ASA software level, not to mention its current L2L VPN, interface and NAT configurations (and possible ACL/object configurations related to the before-mentioned configurations).
- Jouni
10-04-2013 02:27 AM
Hi again. Well, it seems logical to me: doing PAT on my site and static NAT on the other side, is that what you mean?
Well, I have an ASA 5510 8.2(2) managed by ASDM 6.3(1).
My need is to have the configuration on only my side.
Thanks a lot
10-04-2013 02:37 AM
Hi,
I would imagine that currently you have NAT0 configured on both of the sites.
If your aim is to add a new subnet with the help of Dynamic Policy PAT to the existing L2L VPN without touching any L2L VPN related configurations on either your side or the central site then it should be possible.
As I said, you have to choose an IP address from the existing subnet that is configured on the L2L VPN on your side. Choose an IP address that is not in use on any host or network device and dedicate it for this Dynamic Policy PAT use only just to be on the safe side.
Then you could start building the Dynamic Policy NAT rule.
You still didn't mention your actual networks, interfaces and configurations at the moment, so I will have to give you an example configuration using made-up networks:
access-list L2LVPN-POLICY-PAT remark Dynamic Policy PAT rule for new subnet
access-list L2LVPN-POLICY-PAT permit ip 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0
global (outside) 254 10.10.10.254
nat (inside) 254 access-list L2LVPN-POLICY-PAT
The above configuration would tell the ASA the following
I have to say again that without seeing your current configurations its impossible for me to take everything into consideration.
This should work however as I have suggested the same approach for others too posting here on the CSC.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
10-05-2013 03:41 PM
Hi Jouni,
I have been making a lab for this configuration using GNS3. Well, I made a VPN tunnel between two Cisco ASA 5510s (ping OK, tunnel is UP), then I made a new subnet, configured routing and NAT for the new subnet, tests locally are OK, and then I tried to NAT the new subnet as you mentioned before, but I can't figure out what's wrong with my configuration. It seems that there is something missing. Well, here's a summary of the lab:
Site 1: private address 10.241.105.0/25, private new subnet 172.20.50.0/24
Site B: private address 192.168.1.0/24
Tunnel is UP
What I have done is that I added the new subnet 172.20.50.0/24 to the VPN tunnel for both sides, and then I used Packet Tracer to figure out that packets from 172.20.50.0/24 are being translated to the outside interface and not going through the tunnel. So I added a NAT exempt rule on both sides too. Oops, everything is OK, good news, right?
But that's not what I'm looking for!!!
I will be pasting the two network configurations, and I'm looking for a way to post an image; I can't figure out a way to do that in the forum (feeling stupid). I hope to find it.
here's my mail address jihed.neji@gmail.com would you please mail me the right configuration, this is very important for me since its a challenge i have to take in order to join an IT Leading Team in my corporation (Level 3 Support) My dream since 3 years.
###############################################################################################
Cisco ASA 5510 Site 1
: Saved
: Written by enable_15 at 00:33:55.172 UTC Tue Nov 30 1999
!
ASA Version 8.0(2)
!
hostname ASA1
domain-name jihed.com
enable password TyjfM4B9RGk0QSqu encrypted
names
!
interface Ethernet0/0
description ### Connected to LAN ###
nameif inside
security-level 100
ip address 10.241.105.1 255.255.255.128
!
interface Ethernet0/1
description ### Connected to Outside LAN VPN Tunnel ###
nameif outside
security-level 0
ip address 41.224.46.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec Welcome Admin Have a Nice Day
banner login Welcome Admin Have a Nice Day
banner motd Welcome Admin Have a Nice Day
boot config disk0:/.private/startup-config
ftp mode passive
dns server-group DefaultDNS
domain-name jihed.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object 10.241.105.0 255.255.255.128
network-object 172.20.50.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list inside_nat_outbound extended permit ip 10.241.105.0 255.255.255.128 any
access-list 197.22.47.2_splitTunnelAcl standard permit 10.241.105.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 10.241.105.0 255.255.255.128 10.241.105.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.241.105.0 255.255.255.128 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.241.105.0 255.255.255.128 172.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 41.224.46.2_splitTunnelAcl standard permit 10.241.105.0 255.255.255.128
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
no logging message 402128
mtu inside 1500
mtu outside 1500
ip local pool Remote_Access 10.241.105.6-10.241.105.10 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 10.241.105.12 netmask 255.255.255.128
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat_outbound
nat (inside) 1 10.241.105.0 255.255.255.128
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 41.224.46.1 1
route inside 172.20.50.0 255.255.255.0 10.241.105.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.241.105.0 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 197.22.47.2
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 10.241.105.0 255.255.255.128 inside
telnet timeout 1440
ssh 10.241.105.0 255.255.255.128 inside
ssh 172.10.1.0 255.255.255.0 outside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
group-policy 41.224.46.2 internal
group-policy 41.224.46.2 attributes
wins-server value 8.8.8.8 8.8.8.8
dns-server value 8.8.8.8 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 41.224.46.2_splitTunnelAcl
default-domain value jihedlab.com
group-policy 41.224.46.2_1 internal
group-policy 41.224.46.2_1 attributes
wins-server value 8.8.8.8 8.8.8.8
dns-server value 8.8.8.8 8.8.8.8
vpn-tunnel-protocol IPSec
default-domain value jihed.com
group-policy 197.22.47.2 internal
group-policy 197.22.47.2 attributes
wins-server value 8.8.8.8 8.8.8.8
dns-server value 8.8.8.8 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 197.22.47.2_splitTunnelAcl
default-domain value jihed.com
username jihed password gUiCqYVlWOugRmug encrypted privilege 15
username jneji password Ae.gIIaVTgmxpFgx encrypted privilege 0
username jneji attributes
vpn-group-policy 197.22.47.2
tunnel-group 41.224.46.2 type remote-access
tunnel-group 41.224.46.2 general-attributes
address-pool Remote_Access
default-group-policy 41.224.46.2_1
tunnel-group 41.224.46.2 ipsec-attributes
pre-shared-key jihed
tunnel-group 197.22.47.2 type ipsec-l2l
tunnel-group 197.22.47.2 ipsec-attributes
pre-shared-key jihed
prompt hostname context
Cryptochecksum:27224fc34af0663282057f5cd4f7e932
: end
################################################################################################
Cisco ASA 5510 Site 2
: Saved
: Written by enable_15 at 01:53:32.677 UTC Tue Nov 30 1999
!
ASA Version 8.0(2)
!
hostname ASA2
domain-name jihed.com
enable password TyjfM4B9RGk0QSqu encrypted
names
!
interface Ethernet0/0
description ### Connected to LAN ###
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
description ### Connected to Outisde Interface VPN Tunnel ###
nameif outside
security-level 0
ip address 197.22.47.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec Welcome Admin Have a Nice Day
banner login Welcome Admin Have a Nice Day
banner motd Welcome Admin Have a Nice Day
boot config disk0:/.private/startup-config
ftp mode passive
dns server-group DefaultDNS
domain-name jihed.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object 10.241.105.0 255.255.255.128
network-object 172.20.50.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.241.105.0 255.255.255.128
pager lines 24
logging enable
logging asdm informational
no logging message 402128
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 197.22.47.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 41.224.46.2
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 1440
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
username jihed password gUiCqYVlWOugRmug encrypted privilege 15
tunnel-group 41.224.46.2 type ipsec-l2l
tunnel-group 41.224.46.2 ipsec-attributes
pre-shared-key jihed
prompt hostname context
Cryptochecksum:4db675e1167a33bf5d9dfae0c74da193
: end
##################################################################################################
Thanks a lot
10-05-2013 05:08 PM
Hi,
Initially you said that you wanted to configure so that only the configurations on one site would be changed, because you were adding a new network and didn't want to touch the L2L VPN settings or settings on the central site?
However, your above configurations don't in any way reflect that situation.
So I would suggest reverting your configurations of the ASAs to the original setup, where you only have a single network configured on the L2L VPN between the sites, and then use the Dynamic Policy PAT on the other site as the only configuration to enable it to be tunneled into the L2L VPN.
- Jouni
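A worked configuration for the lab above, added here as an example and not posted by anyone in the thread: it applies Jouni's revert-then-Dynamic-Policy-PAT approach (plus the optional Static Policy NAT for HQ-initiated connections) to Site 1 only, assuming 10.241.105.100 and 10.241.105.101 are unused addresses in 10.241.105.0/25 and 172.20.50.10 is a host that HQ needs to reach.

```cisco
! Added example (not from the thread): Site 1 ASA 8.0/8.2, new subnet 172.20.50.0/24
! reaches HQ 192.168.1.0/24 through the existing L2L VPN with Site 1 changes only.
! Assumed free addresses: 10.241.105.100 (PAT) and 10.241.105.101 (static), both
! outside the Remote_Access pool (.6-.10) and the global (inside) 2 address (.12).
!
! 1) Revert the lab changes that widened the L2L VPN to the new subnet.
object-group network DM_INLINE_NETWORK_1
 no network-object 172.20.50.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip 172.20.50.0 255.255.255.0 192.168.1.0 255.255.255.0
!    Mirror on Site 2 (lab only, so HQ is back to its original single-subnet VPN):
!      object-group network DM_INLINE_NETWORK_1
!       no network-object 172.20.50.0 255.255.255.0
!      no access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.20.50.0 255.255.255.0
!
! 2) Dynamic Policy PAT: new subnet -> HQ is hidden behind one free address of the
!    original subnet. NAT order of operations on 8.x (exemption, then static, then
!    policy dynamic, then regular dynamic) makes this rule win over "nat (inside) 1"
!    for this flow, and the translated source 10.241.105.100 now matches
!    outside_1_cryptomap, so the packet is encrypted instead of leaving untranslated.
access-list L2LVPN-POLICY-PAT remark New subnet to HQ via existing L2L VPN (Site 1 only)
access-list L2LVPN-POLICY-PAT extended permit ip 172.20.50.0 255.255.255.0 192.168.1.0 255.255.255.0
global (outside) 254 10.241.105.100
nat (inside) 254 access-list L2LVPN-POLICY-PAT
!
! 3) Optional Static Policy NAT: PAT only lets Site 1 initiate; HQ can initiate to
!    this one host by addressing it as 10.241.105.101 (already in HQ's crypto ACL).
access-list HOST-STATIC-POLICY extended permit ip host 172.20.50.10 192.168.1.0 255.255.255.0
static (inside,outside) 10.241.105.101 access-list HOST-STATIC-POLICY
!
! 4) Verify: the NAT phase should show the source rewritten to 10.241.105.100 and
!    the VPN phase should show ENCRYPT, unlike the earlier trace that sent the
!    packet untranslated out of the outside interface.
packet-tracer input inside icmp 172.20.50.10 8 0 192.168.1.10 detailed
show xlate
show crypto ipsec sa peer 197.22.47.2
```

The policy PAT does not depend on the tunnel's crypto parameters, but note that the lab's transform sets and ISAKMP policies use DES with group 1 PFS; a production tunnel would use AES and a stronger DH group.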