04-15-2019 03:51 AM
I’m struggling to get my head around the NATting of this concept.
I need to set up a VPN between a client's ASA (9.2) and a supplier. As the supplier has multiple VPNs, they use only public IPs in the configuration.
Because I'm using a public IP for the encryption domain that isn't the IP of the outside interface, I'm not sure what the ACL for the crypto map should be or how the NAT rule should be configured.
This ASA also runs as an AnyConnect endpoint.
Help would be very much appreciated.
My public IP MM.MM.MM.MM
Supplier IP SS.SS.SS.SS
My internal server IP 10.0.0.8
IP I’ve provided as my Encryption Domain MD.MD.MD.MD
Suppliers encryption domain SD.SD.SD.SD/23
Phase 1 Setting
IP SS.SS.SS.SS
Pre shared-key
Encryption AES256
HASH SHA
DH group 2
Phase 2 Setting: ESP-SHA-AES256
PFS yes, DH group 2
Tunnel needs to be bidirectional.
So far I have this for the configuration:
object network INTERNAL_IP
host 10.0.0.8
object network SUPPLIER_PEER
host SS.SS.SS.SS
object network SUPPLIER_ENC
subnet SD.SD.SD.SD 255.255.254.0
object network MY_ENC_IP
host MD.MD.MD.MD
access-list OUTSIDE_CRYPTOMAP extended permit ip object INTERNAL_IP object SUPPLIER_ENC
nat (INSIDE,OUTSIDE) source static INTERNAL_IP MY_ENC_IP destination static SUPPLIER_ENC SUPPLIER_ENC proxy-arp route-lookup
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address OUTSIDE_CRYPTOMAP
crypto map outside_map 1 set peer SS.SS.SS.SS
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 1 set pfs group 2
crypto map outside_map interface OUTSIDE
tunnel-group SS.SS.SS.SS ipsec-attributes
ikev1 pre-shared-key *******
04-15-2019 06:30 AM
It will be configured exactly as if the remote side had private IPs inside the Network.
The NAT is exactly as you mention it. But the Crypto-ACL has to be:
permit ip MD.MD.MD.MD -> SD.SD.SD.SD
The crypto ACL has to protect the traffic as it is seen after the NAT-process.
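As an added illustration (not from the thread), a small Python model of the ASA's inside-to-outside order of operations: the twice NAT runs first, then the crypto map consults the ACL with the post-NAT addresses. The documentation addresses 203.0.113.10 and 198.51.100.0/23 are constructed stand-ins for the thread's MD.MD.MD.MD and SD.SD.SD.SD/23 placeholders.

```python
import ipaddress

# Constructed stand-ins for the thread's placeholders, not real addresses.
INTERNAL_IP = ipaddress.ip_address("10.0.0.8")          # object INTERNAL_IP
MY_ENC_IP = ipaddress.ip_address("203.0.113.10")        # object MY_ENC_IP (MD.MD.MD.MD)
SUPPLIER_ENC = ipaddress.ip_network("198.51.100.0/23")  # object SUPPLIER_ENC (SD/23)

# Crypto ACLs as (source network, destination network) pairs, permit ip.
ORIGINAL_ACL = [(ipaddress.ip_network("10.0.0.8/32"), SUPPLIER_ENC)]       # poster's ACL
CORRECTED_ACL = [(ipaddress.ip_network("203.0.113.10/32"), SUPPLIER_ENC)]  # answer's ACL


def twice_nat(src, dst):
    """Model of 'nat (INSIDE,OUTSIDE) source static INTERNAL_IP MY_ENC_IP
    destination static SUPPLIER_ENC SUPPLIER_ENC': translate only when both
    source and destination match. Static NAT is bidirectional, so the
    reverse (outside-to-inside) direction is un-translated here too."""
    if src == INTERNAL_IP and dst in SUPPLIER_ENC:
        return MY_ENC_IP, dst            # outbound: 10.0.0.8 -> MD
    if dst == MY_ENC_IP and src in SUPPLIER_ENC:
        return src, INTERNAL_IP          # inbound: MD -> 10.0.0.8
    return src, dst                      # no NAT for anything else


def crypto_acl_matches(acl, src, dst):
    """True if any ACL entry permits src -> dst."""
    return any(src in a_src and dst in a_dst for a_src, a_dst in acl)


def outbound_is_encrypted(acl, src, dst):
    """Inside -> outside: NAT happens before the crypto map lookup, so the
    ACL must describe the translated (MD) source, not 10.0.0.8."""
    nat_src, nat_dst = twice_nat(src, dst)
    return crypto_acl_matches(acl, nat_src, nat_dst)


def inbound_is_accepted(acl, src, dst):
    """Outside -> inside: decrypted traffic is checked against the mirrored
    ACL with outside addresses (SD -> MD), then un-NATted to 10.0.0.8.
    Returns (accepted, translated (src, dst))."""
    return crypto_acl_matches(acl, dst, src), twice_nat(src, dst)


if __name__ == "__main__":
    remote = ipaddress.ip_address("198.51.100.5")  # constructed supplier host
    print("original ACL encrypts:", outbound_is_encrypted(ORIGINAL_ACL, INTERNAL_IP, remote))
    print("corrected ACL encrypts:", outbound_is_encrypted(CORRECTED_ACL, INTERNAL_IP, remote))
    print("inbound:", inbound_is_accepted(CORRECTED_ACL, remote, MY_ENC_IP))
```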
04-16-2019 09:30 AM
Thanks, I'll try this out tomorrow.
04-18-2019 02:09 AM
Can't confirm it's worked yet: when I tried running a ping to bring the tunnel up, the ping failed and no tunnel was made. crypto debug comes back with
'Error, peer has indicated that something is wrong with our message. This could indicate a pre-shared key mismatch'
so now waiting on the other end to confirm.
04-18-2019 02:15 AM
Sometimes it's better to simulate an allowed packet with packet-tracer. That will also bring up the tunnel if everything is compatible.
05-13-2019 06:07 AM
Just had a call with the supplier at the other end: the config was right; the IP addressing for both the encryption domain and the VPN peer was wrong, as I'd been sent the old IPs and not the IPs for the new servers.
Once updated, all worked.
Thanks.
11-24-2021 08:05 AM
Is it possible to have multiple hosts using the same public IP for the encrypted domain or would it be better to use a public IP for each host?
object-group network INTERNAL_IP
network-object host 10.0.0.8
network-object host 10.0.0.7
network-object host 10.0.0.50