09-28-2010 05:02 PM - edited 03-11-2019 11:46 AM
Hi there!
I am trying to configure an ASA 5520 with 8.3 software and I have to configure an IPsec site-to-site VPN. When I capture packets, I see them coming in on the ingress interface but not going out. So the VPN is not coming up and NAT seems not to work.
This is the configuration I have (without IPs):
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.122 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address y.y.y.y 255.255.255.0
!
object network NETWORK_OBJ_x.x.x.x
 subnet x.x.x.0 255.255.255.0
object network kpn1
 host d.d.d.d
object network kpn2
 host a.a.a.a
object network Peer_KPN
 host p.p.p.p
object-group network KPN
 description Lan remota KPN
 network-object object kpn1
 network-object object kpn2
object-group service DM_INLINE_UDP_1 udp
 port-object eq isakmp
 port-object eq secureid-udp
access-list outside_1_cryptomap extended permit ip object NETWORK_OBJ_x.x.x.x object-group KPN
access-list outside_access_in extended permit udp object Peer_KPN any object-group DM_INLINE_UDP_1
access-list inside_access_in extended permit ip any any
!
nat (inside,outside) source dynamic NETWORK_OBJ_x.x.x.x interface
nat (inside,outside) source static NETWORK_OBJ_x.x.x.x destination static KPN
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.121 1
!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer p.p.p.p
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group p.p.p.p type ipsec-l2l
tunnel-group p.p.p.p ipsec-attributes
 pre-shared-key *****
09-28-2010 07:07 PM
The following static NAT should be changed:
From:
nat (inside,outside) source static NETWORK_OBJ_x.x.x.x destination static KPN
To:
nat (inside,outside) source static NETWORK_OBJ_x.x.x.x NETWORK_OBJ_x.x.x.x destination static KPN KPN
Then a "clear xlate" after the changes above.
Assuming that you are trying to trigger traffic from the x.x.x.0/24 network towards either d.d.d.d or a.a.a.a.
Hope that helps.
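As an added example (not from this thread and not Cisco code), here is a small Python linter for ASA 8.3 manual ("twice") NAT statements. It flags the syntax problem the reply above points out (a `source static` or `destination static` clause with only one object, where REAL and MAPPED are both required), and it also goes one step further than the reply by checking rule order: manual NAT is evaluated first-match in order of appearance, so a dynamic PAT with no destination clause placed above the identity rule for the same source would still catch the VPN traffic. The sample rules are constructed from the thread's placeholder object names; the recognised option keywords are the common ones, not an exhaustive list.

```python
# Added example for this thread: a linter for ASA 8.3+ manual ("twice") NAT
# statements. Not Cisco code and not the poster's configuration; the sample
# rules at the bottom are constructed from the thread's placeholder names.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Option keywords that may follow the object arguments; anything from the
# first of these onward is not an object name (common subset, not exhaustive).
OPTION_KEYWORDS = {"dns", "unidirectional", "no-proxy-arp", "route-lookup",
                   "inactive", "description", "after-auto"}


@dataclass
class NatRule:
    text: str
    src_type: str                  # "static" or "dynamic"
    src_args: List[str]            # REAL [MAPPED | interface]
    dst_args: Optional[List[str]]  # MAPPED [REAL]; None when no destination clause
    after_auto: bool               # section 3 (after the auto/object NAT rules)
    problems: List[str] = field(default_factory=list)


def _objects(tokens: List[str]) -> List[str]:
    """Keep only the object arguments, cutting at the first option keyword."""
    out: List[str] = []
    for tok in tokens:
        if tok in OPTION_KEYWORDS:
            break
        out.append(tok)
    return out


def parse_nat(line: str) -> Optional[NatRule]:
    """Parse 'nat (real_if,mapped_if) source static|dynamic ...'; None otherwise."""
    m = re.match(r"^nat \([^,)]+,[^,)]+\) source (static|dynamic) (.+)$", line.strip())
    if not m:
        return None
    src_type, rest = m.group(1), m.group(2).split()
    if "destination" in rest:
        i = rest.index("destination")
        src_tokens, dst_tokens = rest[:i], rest[i + 1:]
        # A destination clause reads: destination static MAPPED REAL
        dst_args = _objects(dst_tokens[1:]) if dst_tokens[:1] == ["static"] else []
    else:
        src_tokens, dst_args = rest, None
    rule = NatRule(line.strip(), src_type, _objects(src_tokens), dst_args,
                   "after-auto" in rest)
    # Both 'source static' and 'source dynamic' take REAL and MAPPED; the
    # thread's broken line has only the REAL object on each side.
    if len(rule.src_args) < 2:
        rule.problems.append(f"source {src_type} needs REAL and MAPPED, got {rule.src_args}")
    if dst_args is not None and len(dst_args) < 2:
        rule.problems.append(f"destination static needs MAPPED and REAL, got {dst_args}")
    return rule


def lint_nat(config: str) -> List[str]:
    """Return findings for every manual NAT rule in an ASA config fragment."""
    rules = [r for r in map(parse_nat, config.splitlines()) if r is not None]
    findings = [f"{r.text}: {p}" for r in rules for p in r.problems]
    # Manual NAT is first-match in order of appearance. A dynamic PAT with no
    # destination clause matches every destination, so an identity rule for
    # the same source placed after it never fires and VPN traffic gets PATed.
    for i, dyn in enumerate(rules):
        if (dyn.src_type != "dynamic" or dyn.dst_args is not None
                or dyn.after_auto or not dyn.src_args):
            continue
        for later in rules[i + 1:]:
            if (later.src_type == "static" and later.dst_args is not None
                    and later.src_args and later.src_args[0] == dyn.src_args[0]):
                findings.append(f"{later.text}: shadowed by earlier rule "
                                f"'{dyn.text}'; place the identity rule first")
    return findings


# Constructed samples: the two NAT lines as posted, and a corrected pair.
POSTED = """\
nat (inside,outside) source dynamic NETWORK_OBJ_x.x.x.x interface
nat (inside,outside) source static NETWORK_OBJ_x.x.x.x destination static KPN
"""
FIXED = """\
nat (inside,outside) source static NETWORK_OBJ_x.x.x.x NETWORK_OBJ_x.x.x.x destination static KPN KPN
nat (inside,outside) source dynamic NETWORK_OBJ_x.x.x.x interface
"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(f"{name}: {lint_nat(cfg) or ['no findings']}")
```

Running it against the posted pair yields three findings (two syntax, one ordering); the corrected pair yields none. The ordering check deliberately ignores rules carrying `after-auto`, since those sit in section 3 and cannot shadow a section 1 identity rule.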