08-16-2010 08:21 PM - edited 03-11-2019 11:26 AM
Hello,
The Router VPN has multiple VPNs that are initiated to the customers. The ASA handles the ACLs and NATing part of the VPN and the VPN device handles the policies and encryption/decryption.
For each site-to-site VPN a new pool is assigned on the VPN interface for static NATing and PAT. For example, for VPN XYZ we would define a new pool 172.16.20.0.
All traffic via the VPN will first enter the router VPN and then the ASA. All traffic not in the VPN will come directly from the outside interface.
There are two hosts on the inside interface which need to be accessed by the remote network of another site.
Am I correct to use the following configuration?
ALL IP ADDRESS and NAMES HAVE BEEN CHANGED
ON THE ASA FIREWALL
========================
***********************************************************************
Allowing the inside host to access the remote host
***********************************************************************
access-list site_to_site_vpn extended permit ip object-group inside_hosts host 192.168.0.100
*************************************
To be natted to 172.16.20.20
*************************************
nat (inside) 100 access-list site_to_site_vpn
global (vpn) 100 172.16.20.20
***********************************************************************
Allowing the remote host 192.168.0.100 to access the inside hosts, which is a continuation of the above session
***********************************************************************
access-list vpn_to_asa extended permit tcp host 192.168.0.100 object-group inside_hosts range 700 800
access-list vpn_to_asa extended permit tcp host 192.168.0.100 object-group inside_hosts eq 234
access-list vpn_to_asa extended permit tcp host 192.168.0.100 object-group inside_hosts eq 567
access-list vpn_to_asa extended permit tcp host 192.168.0.100 object-group inside_hosts eq 911
access-list vpn_to_asa extended permit tcp host 192.168.0.100 object-group inside_hosts eq 2345
access-list vpn_to_asa extended permit tcp host 192.168.0.100 object-group inside_hosts eq 6456
access-list vpn_to_asa extended permit tcp host 192.168.0.100 object-group inside_hosts eq 543
access-list vpn_to_asa extended permit udp host 192.168.0.100 object-group inside_hosts eq 744
(The access-list is mapped to the VPN interface)
***********************************************************************
When remote hosts are initiating the connection, they will access the static NAT to reach the inside hosts
***********************************************************************
access-list site_to_site_staticnat_1 extended permit ip host 192.168.20.10 host 192.168.0.100
access-list site_to_site_staticnat_2 extended permit ip host 192.168.20.11 host 192.168.0.100
static (inside,vpn) 172.16.20.21 access-list site_to_site_staticnat_1
static (inside,vpn) 172.16.20.22 access-list site_to_site_staticnat_2
ON THE ROUTER VPN
====================
ip access-list extended site_to_site_vpn_cryptomap
permit ip 172.16.20.0 0.0.0.255 192.168.0.100 0.0.0.0
[Network diagram, reconstructed from the post's ASCII art:]
(outside)
    |
   ASA  --- inside 192.168.20.0
    |
    | 192.168.18.0 (VPN)
    |
 Router VPN --- 20.20.20.0
DMZ 1: 192.168.12.0, DMZ 2: 192.168.10.0
Let me know if this configuration is correct.
Thanks for your help in advance
08-16-2010 08:35 PM
All the configuration looks correct apart from the following:
nat (inside) 100 access-list site_to_site_vpn
global (vpn) 100 172.16.20.20
I am not quite sure what the above is trying to achieve since you already have the static policy NAT configuration.
08-16-2010 09:07 PM
Hello,
All I am trying to do is that traffic initiated from the inside will use the PAT address and traffic initiated from the outside will use the static NAT. But in this case, if traffic is initiated from the inside it will still use the static NAT, since static NAT is preferred over PAT. Am I correct on that? If so, then the PAT address is not required.
Thanks
08-16-2010 09:31 PM
Yes, you are absolutely correct. Static policy NAT will take precedence over policy NAT, hence the PAT address becomes redundant, unless you require all the other internal IP subnets (other than 192.168.20.10 and 192.168.20.11) to initiate connections towards 192.168.0.100; in that case, they will get PATed to 172.16.20.20.
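To make the precedence point above concrete, here is an added example (my own code, not part of the thread and not ASA software): a small Python model of the pre-8.3 ASA NAT order of operations, where static NAT (regular and policy) is evaluated before dynamic policy NAT/PAT. It uses the thread's own (already anonymised) addresses; the classes and function names are mine, and the object-group inside_hosts is assumed to be the whole inside subnet 192.168.20.0/24, which the thread never spells out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One permit entry of an extended access-list (source/destination in CIDR)."""
    src: str
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src, strict=False)
                and ip_address(dst_ip) in ip_network(self.dst, strict=False))


@dataclass(frozen=True)
class StaticPolicyNat:
    """static (inside,vpn) <mapped> access-list <acl>"""
    mapped: str
    acl: tuple


@dataclass(frozen=True)
class DynamicPolicyNat:
    """nat (inside) <id> access-list <acl>  +  global (vpn) <id> <pat-address>"""
    pat: str
    acl: tuple


# Assumption: object-group inside_hosts is the inside subnet from the diagram.
INSIDE_HOSTS = "192.168.20.0/24"
REMOTE_HOST = "192.168.0.100/32"

# The thread's NAT statements, as posted (names changed by the original poster).
STATICS = (
    StaticPolicyNat("172.16.20.21", (Ace("192.168.20.10/32", REMOTE_HOST),)),
    StaticPolicyNat("172.16.20.22", (Ace("192.168.20.11/32", REMOTE_HOST),)),
)
DYNAMICS = (
    DynamicPolicyNat("172.16.20.20", (Ace(INSIDE_HOSTS, REMOTE_HOST),)),
)


def translate(src_ip: str, dst_ip: str, statics=STATICS, dynamics=DYNAMICS):
    """Return (kind, mapped_source) for a packet leaving inside towards the VPN.

    Order of operations modelled (pre-8.3 ASA): static NAT first, then dynamic
    policy NAT/PAT, then no translation.  NAT exemption (nat 0) is not used in
    the thread and is therefore not modelled.
    """
    for rule in statics:
        if any(ace.matches(src_ip, dst_ip) for ace in rule.acl):
            return ("static", rule.mapped)
    for rule in dynamics:
        if any(ace.matches(src_ip, dst_ip) for ace in rule.acl):
            return ("pat", rule.pat)
    return ("none", src_ip)


def pat_is_redundant(hosts, dst_ip: str) -> bool:
    """True when every listed inside host already hits a static rule, i.e. the
    nat/global pair adds nothing for those hosts (the responder's point)."""
    return all(translate(h, dst_ip)[0] == "static" for h in hosts)


if __name__ == "__main__":
    for src in ("192.168.20.10", "192.168.20.11", "192.168.20.50"):
        print(src, "->", translate(src, "192.168.0.100"))
    print("PAT redundant for the two static hosts:",
          pat_is_redundant(["192.168.20.10", "192.168.20.11"], "192.168.0.100"))
    print("PAT redundant for the whole inside subnet:",
          pat_is_redundant(["192.168.20.10", "192.168.20.50"], "192.168.0.100"))
```

Running it shows the two statically mapped hosts never reach the PAT rule, while any other inside host talking to 192.168.0.100 does; remove the nat/global pair (pass `dynamics=()`) and those other hosts get no translation at all, which is exactly the trade-off the reply describes.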
08-16-2010 09:47 PM
Thanks for your quick responses.
08-16-2010 09:49 PM
Just another clarification...
The ACLs provided in the configuration should allow traffic from the remote end to access the internal hosts, right? I don't need to add any other ACLs even if I remove the nat/global from the configuration?
Thanks
08-16-2010 09:55 PM
Correct, that's right.