02-01-2011 10:37 PM - edited 03-11-2019 12:43 PM
Hello all,
I have 2 ASA 5520s in 2 different sites and I am going to establish a site-to-site VPN with IPsec.
I would like to allow all traffic to be transmitted through this tunnel and also to let all subnets in each site have Internet access with NAT.
Can this be done together? If not, what is the solution for this issue? I know that IPsec doesn't work with NAT and the traffic needs to be excluded from NAT.
Then how can the traffic have access to the Internet? Can this be done together? If not, what is the solution for this issue?
Regards,
-Rouzbeh
02-02-2011 12:41 AM
Hi,
Then how can the traffic have access to the Internet? Can this be done together? If not, what is the solution for this issue?
This can't be done together; you can't NAT and NOT NAT the same subnet at the same time.
I think this is impossible with an ASA because, as far as I know, you can't have 2 outside interfaces.
With a router you could VPN on one link and not VPN on another link, but again not for the same traffic flow.
But if you want only http/https not going into the VPN and everything else into it, then this is possible using the NAT 0 feature: you exempt some traffic
from NAT and then you permit this same traffic in your crypto ACL.
Regards.
Alain.
02-02-2011 05:11 AM
If you want to direct traffic from site 1 to site 2 and in reverse, just build a tunnel access-list which permits traffic between both subnets.
Then create a nat0 statement to deny NAT through the tunnel.
Example:
ASA1
global (outside) 1 interface
access-list outside_cryptomap_20 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.2.0 255.255.255.0
ASA2:
global (outside) 1 interface
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0
This way Internet traffic will match on the default NAT, for example, and will be directed to the world wide web.
02-02-2011 06:15 AM
Niels is correct, but don't forget the following.
Example:
crypto ipsec transform-set My_Tset esp-3des esp-sha-hmac
crypto map outside_map 10 match address 100
crypto map outside_map 10 set peer {Outside IP}
crypto map outside_map 10 set transform-set My_Tset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group {Outside IP} type ipsec-l2l
tunnel-group {Outside IP} ipsec-attributes
pre-shared-key {key}
show crypto isakmp sa
show crypto ipsec sa
02-02-2011 06:21 AM
Correct, but I assumed he already had a VPN config and was only having trouble with the NAT/no-NAT part.
02-02-2011 06:52 AM
Thank you for the answer, but I am a bit confused: does this way let me have access to the Internet along with a site-to-site VPN with the same subnet?
Thanks, again
-Rouzbeh
02-02-2011 07:01 AM
That's right.
With the nat 0 statement you have to deny NAT between the subnets of site 1 and 2.
And in the above examples the nat (inside) 192.168.1.0 255.255.255.0 will NAT traffic to the outside interface (which in this case is the Internet).
02-02-2011 07:23 AM
Cool, am I right on the configuration below? Basically there are different subnets that all need access to the Internet, and some of them need the site-to-site VPN; I will add the necessary configuration if you would please approve that this is OK.
I really appreciate your help,
Thanks,
-Rouzbeh
interface GigabitEthernet0/0
nameif outside
security-level 0
no ip address
!
interface GigabitEthernet0/1
description ***LAN***
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.4
description ***Polycom CoIP***
vlan 4
nameif inside4
security-level 100
ip address 10.10.52.1 255.255.255.0
!
interface GigabitEthernet0/1.5
description ***VoIP***
vlan 5
nameif inside5
security-level 100
ip address 10.10.59.1 255.255.255.0
!
interface GigabitEthernet0/1.8
description ***Office LAN***
vlan 8
nameif inside8
security-level 100
ip address 10.10.60.1 255.255.255.0
!
interface GigabitEthernet0/1.9
description ***email***
vlan 9
nameif inside9
security-level 100
ip address 10.10.61.1 255.255.255.0
!
interface GigabitEthernet0/1.801
description ***Management***
vlan 801
nameif inside801
security-level 100
ip address 10.10.50.1 255.255.255.0
!
interface GigabitEthernet0/1.802
description ***Access-Cameras***
vlan 802
nameif inside802
security-level 100
ip address 10.10.48.1 255.255.255.0
!
interface GigabitEthernet0/1.803
description ***Colubris-WiFi***
vlan 803
nameif inside803
security-level 100
ip address 10.10.51.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 172.31.115.100 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns server-group 66.128.93.24
object-group network yourlink-inside-net
object-group network Yourlink-inside-net
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended deny ip any any log
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside4 1500
mtu inside5 1500
mtu inside8 1500
mtu inside9 1500
mtu inside801 1500
mtu inside802 1500
mtu inside803 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 66.128.95.242 netmask 255.255.255.252
nat (inside4) 1 10.10.52.0 255.255.255.0
nat (inside5) 1 10.10.59.0 255.255.255.0
nat (inside8) 1 10.10.60.0 255.255.255.0
nat (inside9) 1 10.10.61.0 255.255.255.0
nat (inside801) 1 10.10.50.0 255.255.255.0
nat (inside802) 1 10.10.48.0 255.255.255.0
nat (inside803) 1 10.10.51.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 66.128.95.241 1
02-03-2011 02:14 AM
Looks ok, except you're missing an IP address on the outside interface (I assume 66.128.95.241/30).
Anyway.
Depending on which subnets you want to allow through the site-to-site VPN, your NAT config for the VPN on site 1 could look like this:
access-list inside4_outbound_nat0 permit ip 10.10.52.0 255.255.255.0 {site2 subnet} {site2 mask}
access-list inside5_outbound_nat0 permit ip 10.10.59.0 255.255.255.0 {site2 subnet} {site2 mask}
access-list inside9_outbound_nat0 permit ip 10.10.61.0 255.255.255.0 {site2 subnet} {site2 mask}
nat (inside4) 0 access-list inside4_outbound_nat0
nat (inside5) 0 access-list inside5_outbound_nat0
nat (inside9) 0 access-list inside9_outbound_nat0
This way the VPN traffic to the given site-2 subnet will not be translated.
And traffic from the same subnets to the Internet will be translated to the outside IP because of your other NAT statements:
nat (inside4) 1 10.10.52.0 255.255.255.0
nat (inside5) 1 10.10.59.0 255.255.255.0
nat (inside9) 1 10.10.61.0 255.255.255.0
global (outside) 1 66.128.95.242 netmask 255.255.255.252
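The two NAT posts above (the nat0/nat 1 pair from 02-02 and the per-VLAN version from 02-03) rely on the pre-8.3 ASA order of operations: a nat 0 exemption is evaluated before dynamic nat, so the same inside subnet can be exempt toward the remote site and PAT'd toward the Internet. The script below is an added example, not code from the thread or from Cisco; it models that ordering in Python and lints the two mistakes that most often break this setup (a nat 0 line pointing at an ACL name that does not exist, and an exempt subnet with no dynamic nat for Internet). The site-2 subnet 192.168.1.0/24, the mis-typed ACL name on inside9 and the destination 203.0.113.7 are constructed test values; static, policy and identity NAT are not modelled.

```python
import ipaddress
import re

# Constructed site-1 configuration in ASA 8.2 syntax, modelled on the posts
# above. The nat0 destinations (site-2 subnet 192.168.1.0/24) are assumed;
# the 'nat (inside9) 0' line deliberately references a mis-typed ACL name to
# show what the check catches.
SITE1_CONFIG = """
access-list inside4_outbound_nat0 permit ip 10.10.52.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside9_outbound_nat0 permit ip 10.10.61.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside4) 0 access-list inside4_outbound_nat0
nat (inside9) 0 access-list inside9_outbound_nat0_acl
nat (inside4) 1 10.10.52.0 255.255.255.0
nat (inside8) 1 10.10.60.0 255.255.255.0
nat (inside9) 1 10.10.61.0 255.255.255.0
global (outside) 1 66.128.95.242 netmask 255.255.255.252
"""

ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)")
NATN_RE = re.compile(r"nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"global \((\S+)\) (\d+) (\S+)")


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Collect ACLs, nat 0 bindings, dynamic nat entries and global pools."""
    acls, nat0, dyn, pools = {}, {}, {}, {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((net(s, sm), net(d, dm)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := NATN_RE.match(line):
            iface, nat_id, addr, mask = m.groups()
            dyn.setdefault(iface, []).append((nat_id, net(addr, mask)))
        elif m := GLOBAL_RE.match(line):
            pools[m.group(2)] = m.group(3)
    return acls, nat0, dyn, pools


def lint(config):
    """Return the misconfigurations a reviewer would want to see first."""
    acls, nat0, dyn, pools = parse(config)
    problems = []
    for iface, acl in nat0.items():
        if acl not in acls:
            problems.append(f"nat ({iface}) 0 references undefined access-list {acl}")
    for iface, entries in dyn.items():
        for nat_id, _ in entries:
            if nat_id not in pools:
                problems.append(f"nat ({iface}) {nat_id} has no matching global")
    # Each exempted subnet still needs a dynamic nat entry for Internet traffic.
    for iface, acl in nat0.items():
        for src, _ in acls.get(acl, []):
            if not any(src.subnet_of(n) for _, n in dyn.get(iface, [])):
                problems.append(f"{iface}: {src} is NAT-exempt but has no dynamic nat for Internet")
    return problems


def translate(config, iface, src, dst):
    """Source address a packet from 'iface' carries when it leaves 'outside':
    unchanged when nat 0 exempts it, the global PAT address when dynamic nat
    matches, None when nat-control would drop it (no nat rule at all)."""
    acls, nat0, dyn, pools = parse(config)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # nat 0 (exemption) is evaluated before dynamic nat and wins on a match
    for s, d in acls.get(nat0.get(iface), []):
        if src_ip in s and dst_ip in d:
            return src
    for nat_id, n in dyn.get(iface, []):
        if src_ip in n and nat_id in pools:
            return pools[nat_id]
    return None


if __name__ == "__main__":
    for p in lint(SITE1_CONFIG):
        print("PROBLEM:", p)
    for iface, s, d in [("inside4", "10.10.52.10", "192.168.1.5"),
                        ("inside4", "10.10.52.10", "203.0.113.7"),
                        ("inside9", "10.10.61.10", "192.168.1.5")]:
        print(f"{iface} {s} -> {d}: leaves as {translate(SITE1_CONFIG, iface, s, d)}")
```

Running it shows why the ACL name matters: inside4 traffic to 192.168.1.5 leaves untranslated (and so can match the crypto ACL), inside4 traffic to the Internet leaves as 66.128.95.242, but inside9 traffic to the remote site is also PAT'd to 66.128.95.242 because its nat 0 line points at an ACL that does not exist, so it never enters the tunnel.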