05-01-2020 09:37 PM
Hi Everyone,
We have Cisco ASA 5520 configured for remote VPN where users running windows laptop use vpn client software to connect to the company network.
Now for new project I need to config site to site IPSEC tunnel for vendor to connect to our network.
For this I need to use the ASA outside interface.
Need to know if I config ASA outside interface for site to site ipsec will it cause any issues with ASA config for Remote VPN users?
Any issues will it cause to Remote VPN connections?
Regards
Mahesh
05-02-2020 12:18 AM
05-02-2020 10:54 AM
This will work fine. I do this all the time. What you do is NAT your interesting traffic to your interface IP with destination of the remote side of the VPN, then configure your site to site VPN with the public IP of your ASA.
NAT example:
object network LOCAL-LAN
subnet 10.1.1.0 255.255.255.0
object network REMOTE-LAN
subnet 11.1.1.0 255.255.255.0
nat (inside,outside) source dynamic LOCAL-LAN interface destination static REMOTE-LAN REMOTE-LAN
05-02-2020 01:02 PM
Hi Marius,
Happy to see reply from you.
We are running old code
Cisco Adaptive Security Appliance Software Version 8.2(5)59
Device Manager Version 6.4(9)
What we want is that inside traffic subnet 10.96.96.0/24 going to vendor network can access the 10.70.160.0/29 network.
This is Private network connection that goes via our ISP and it is using 172.24.x.x and 10.x.x.x network.
Outside Interface IP is 10.61.10.20.
We do not want any NAT.
So this NAT config is good
static (inside,outside) 10.96.96.0 10.96.96.0 netmask 255.255.255.0
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 10.71.160.0 255.255.255.248
tunnel-group 172.24.32.115 type ipsec-l2l
tunnel-group 172.24.32.115 ipsec-attributes
pre-shared-key XXXXXXXXXX
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.24.32.115
crypto map L2L 1 set transform-set L2L
crypto map L2L interface outside
Is this config good?
Please check.
And security policy will allow any traffic from 10.96.96.x to 10.70.160.x right?
Also I need security policy to allow traffic from vendor to our network if vendor ping from subnet 10.70.160.0 to 10.96.96.2 right?
05-02-2020 01:45 PM - edited 05-02-2020 01:58 PM
Yes, the configuration looks good. However, you are running old software which is EOL, so consider doing an upgrade. Here, the document mentioned how to set up a site to site VPN on version 8.0.
Your configuration for NAT will be like this:
nat (inside) 0 access-list inside_nat0_outbound
!
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 remote 255.255.255.0
And security policy will allow any traffic from 10.96.96.x to 10.70.160.x right?
Correct.
Also I need security policy to allow traffic from vendor to our network if vendor ping from subnet 10.70.160.0 to 10.96.96.2 right?
Correct.
05-02-2020 02:04 PM
Need to confirm that the NAT config below is correct.
Also, this NAT will only apply to the NAT config below, right?
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 10.96.96.0 255.255.255.0 10.70.10.0 255.255.255.248
05-02-2020 03:18 PM
Yes, correct. Here is the sample configuration.
crypto isakmp enable outside
!
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 ipsec-attributes
 pre-shared-key superman
!
access-list 100 extended permit ip 10.96.96.0 255.255.255.0 10.70.10.0 255.255.255.248
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map outside_map 10 set peer 8.8.8.8
crypto map outside_map 10 match address 100
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set pfs
crypto map outside_map interface outside
!
group-policy SITE_A internal
group-policy SITE_A attributes
 vpn-tunnel-protocol ipsec
 vpn-idle-timeout none
!
tunnel-group 8.8.8.8 general-attributes
 default-group-policy SITE_A
!
NAT exemption access list that defines the traffic to be exempted from the NAT checks. In this version, it appears similar to the access list that you defined for the traffic of interest:
!
access-list nonat line 1 extended permit ip 10.96.96.0 255.255.255.0 10.70.10.0 255.255.255.248
!
The access list is used with the NAT, as shown here:
!
nat (inside) 0 access-list nonat
!
Note: The inside here refers to the name of the inside interface on which the ASA receives the traffic that matches the access list.
05-02-2020 03:35 PM
Hi Sheraz,
Many thanks for answering all the questions.
Regards
Mahesh
05-05-2020 10:12 AM
Seems one thing I need to confirm, as we want to allow traffic which is initiated from outside to inside like below:
access-list outside_acl extended permit tcp host 10.70.160.2 10.96.96.0 255.255.255.0 eq 554 log
access-list outside_acl extended permit tcp host 10.70.160.3 10.96.96.0 255.255.255.0 eq 554 log
Also for the inside interface I have the below ACL already configured, say:
access-list inside_acl extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.2 eq 80 log
access-list inside_acl extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.3 eq 80 log
So in the crypto map, which name do I need to refer to?
Do I need to create a new ACL, name it say nonat, and config the above ACL entries there?
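As an added example that is not part of this thread, the small Python checker below separates the three ACL roles the last post asks about (the crypto map's match-address ACL, the nat 0 exemption ACL, and the interface ACLs) and verifies the pairing Sheraz's sample configuration relies on: every tunnel entry must also be NAT-exempt, and every interface ACL permit must fall inside the tunnel ACL in its direction of travel. The configuration lines are constructed from the thread's values (assumed, including the 10.70.160.9 host that is deliberately outside the vendor /29), and only the ASA 8.2 host / NET MASK address forms are parsed.

```python
import ipaddress, re

# Constructed ASA 8.2-style snippet modelled on the thread; 10.70.160.9 is deliberately outside the vendor /29.
CONFIG = """
access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 10.70.160.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.96.96.0 255.255.255.0 10.70.160.0 255.255.255.248
access-list outside_acl extended permit tcp host 10.70.160.2 10.96.96.0 255.255.255.0 eq 554 log
access-list inside_acl extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.2 eq 80 log
access-list inside_acl extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.9 eq 80 log
crypto map L2L 1 match address LAN_Traffic
nat (inside) 0 access-list inside_nat0_outbound
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ (.*)$")

def _addr(tok, i):  # one ASA address spec at tok[i]: "host X" or "NET MASK"
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_acls(config):  # ACL name -> [(src_net, dst_net), ...] for permit entries
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            tok = m.group(2).split()
            src, i = _addr(tok, 0)
            acls.setdefault(m.group(1), []).append((src, _addr(tok, i)[0]))
    return acls

def referenced_acl(config, pattern):  # ACL name bound by a crypto map / nat 0 line
    m = re.search(pattern, config)
    return m.group(1) if m else None

def covered(src, dst, entries):  # is src->dst inside some entry's (src, dst) pair?
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)

def check(config, interface_acls):  # interface_acls: name -> True if inbound on outside
    acls = parse_acls(config)
    crypto = acls.get(referenced_acl(config, r"crypto map \S+ \d+ match address (\S+)"), [])
    nat0 = acls.get(referenced_acl(config, r"nat \(\S+\) 0 access-list (\S+)"), [])
    problems = []
    for s, d in crypto:  # every tunnel entry must also be NAT-exempt (nat 0)
        if not covered(s, d, nat0):
            problems.append(f"not NAT-exempt: {s} -> {d}")
    for name, from_outside in interface_acls.items():
        for s, d in acls.get(name, []):  # outside-in entries run the tunnel ACL in reverse
            flow = (d, s) if from_outside else (s, d)
            if not covered(*flow, crypto):
                problems.append(f"{name}: {s} -> {d} is outside the tunnel ACL")
    return problems
```

Running `check(CONFIG, {"outside_acl": True, "inside_acl": False})` reports only the 10.70.160.9 entry, which would be permitted by the interface ACL but never sent through the tunnel.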