VPN using public IPs as encryption domain

paulwtownsend
Level 1

I’m struggling to get my head around the NATting of this concept.

I need to set up a VPN between a client's ASA (9.2) and a supplier. As the supplier has multiple VPNs, they use only public IPs in the configuration.

Because I’m using a public IP for the encryption domain that isn’t the IP of the outside interface, I’m not sure what the ACL for the crypto map should be or how the NAT rule should be configured.

This ASA also runs as an AnyConnect endpoint.

Help would be very much appreciated.

My public IP: MM.MM.MM.MM
Supplier IP: SS.SS.SS.SS
My internal server IP: 10.0.0.8
IP I’ve provided as my encryption domain: MD.MD.MD.MD
Supplier's encryption domain: SD.SD.SD.SD/23


Phase 1 settings
IP SS.SS.SS.SS
Pre-shared key
Encryption AES256
Hash SHA
DH group 2

Phase 2 settings: ESP-SHA-AES256
PFS yes, DH group 2
Tunnel needs to be bidirectional


So far I have this for the configuration:

! Real inside host and the public address it should appear as inside the tunnel
object network INTERNAL_IP
 host 10.0.0.8

object network SUPPLIER_PEER
 host SS.SS.SS.SS

object network SUPPLIER_ENC
 subnet SD.SD.SD.SD 255.255.254.0

object network MY_ENC_IP
 host MD.MD.MD.MD

access-list OUTSIDE_CRYPTOMAP extended permit ip object INTERNAL_IP object SUPPLIER_ENC

! Twice NAT: translate 10.0.0.8 to MD.MD.MD.MD only when the destination is the supplier's encryption domain
nat (INSIDE,OUTSIDE) source static INTERNAL_IP MY_ENC_IP destination static SUPPLIER_ENC SUPPLIER_ENC proxy-arp route-lookup

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 1 match address OUTSIDE_CRYPTOMAP
crypto map outside_map 1 set peer SS.SS.SS.SS
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 1 set pfs group 2
crypto map outside_map interface OUTSIDE

tunnel-group SS.SS.SS.SS ipsec-attributes
 ikev1 pre-shared-key *******


 

Accepted Solution

It will be configured exactly as if the remote side had private IPs inside the network.

The NAT is exactly as you mention it. But the crypto ACL has to be:

permit ip MD.MD.MD.MD -> SD.SD.SD.SD

The crypto ACL has to protect the traffic as it is seen after the NAT process.

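The accepted answer in configuration form, as an added example that is not part of the original post or the accepted answer. It reuses the object names and placeholder addresses from the question; the packet-tracer and show commands are assumed verification steps, not something the thread itself ran.

```cisco
! The crypto ACL matches the packet as it looks AFTER NAT, so the source is the
! public encryption-domain address MD.MD.MD.MD, not the real inside host 10.0.0.8.
access-list OUTSIDE_CRYPTOMAP extended permit ip object MY_ENC_IP object SUPPLIER_ENC

! Twice NAT: 10.0.0.8 becomes MD.MD.MD.MD only when the destination is the
! supplier's encryption domain. Manual NAT rules are evaluated top-down, so this
! rule must sit above any broader manual rule (for example a general PAT to the
! outside interface), otherwise the VPN-bound traffic is translated to MM.MM.MM.MM
! instead and never matches the crypto ACL.
nat (INSIDE,OUTSIDE) 1 source static INTERNAL_IP MY_ENC_IP destination static SUPPLIER_ENC SUPPLIER_ENC

crypto map outside_map 1 match address OUTSIDE_CRYPTOMAP
crypto map outside_map 1 set peer SS.SS.SS.SS
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 1 set pfs group 2
crypto map outside_map interface OUTSIDE

! Verification without depending on the far end: packet-tracer walks the ASA's
! order of operations. The NAT phase should show 10.0.0.8 -> MD.MD.MD.MD and the
! VPN phase should report a match on OUTSIDE_CRYPTOMAP; an "allow" result also
! triggers IKE negotiation with the peer.
packet-tracer input INSIDE icmp 10.0.0.8 8 0 SD.SD.SD.SD detailed

! Afterwards, confirm the IKE SA and that the IPsec SA's local identity is
! MD.MD.MD.MD/32 (not 10.0.0.8) and the remote identity is SD.SD.SD.SD/23.
show crypto ikev1 sa
show crypto ipsec sa peer SS.SS.SS.SS
```

If the packet-tracer NAT phase shows a different translated source, the wrong NAT rule is being hit; fix the rule order before touching the crypto configuration, since a crypto ACL that matches pre-NAT addresses will simply never fire.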

6 Replies


Thanks, I'll try this out tomorrow.

Can't confirm it's worked yet, as when I tried running a ping to get the tunnel up, the ping failed and no tunnel was made. Crypto debug comes back with:

'Error, peer has indicated that something is wrong with our message. This could indicate a pre-shared key mismatch'

So now waiting on the other end to confirm.

Sometimes it's better to simulate an allowed packet with packet-tracer. That will also bring up the tunnel if everything is compatible.

Just had a call with the supplier at the other end: the config was right, but the IP addressing for both the encryption domain and the VPN peer was wrong, as I'd been sent the old IPs and not the IPs for the new servers.

Once updated, all worked.

Thanks


Is it possible to have multiple hosts using the same public IP for the encryption domain, or would it be better to use a public IP for each host?

object-group network INTERNAL_IP
 network-object host 10.0.0.8
 network-object host 10.0.0.7
 network-object host 10.0.0.50
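The thread does not answer this last question, so the following is an added example, not a reply from the original thread. It shows the two ways the multi-host case is normally built on the ASA, using the thread's object names and placeholder addresses; the second public address MD2.MD2.MD2.MD2 and the group name INTERNAL_HOSTS are hypothetical.

```cisco
! Option A: several inside hosts share the single public address MD.MD.MD.MD.
! This is dynamic PAT behind the encryption-domain address, so it only works for
! connections the inside hosts initiate; the supplier cannot reach a specific host.
object-group network INTERNAL_HOSTS
 network-object host 10.0.0.8
 network-object host 10.0.0.7
 network-object host 10.0.0.50

nat (INSIDE,OUTSIDE) 1 source dynamic INTERNAL_HOSTS MY_ENC_IP destination static SUPPLIER_ENC SUPPLIER_ENC

! The crypto ACL is unchanged: after NAT every host appears as MD.MD.MD.MD.
access-list OUTSIDE_CRYPTOMAP extended permit ip object MY_ENC_IP object SUPPLIER_ENC

! Option B: one public address per host, one-to-one static NAT. Required if the
! tunnel really has to be bidirectional, i.e. the supplier initiates connections
! to individual hosts. Each public address must be agreed with the supplier as
! part of the encryption domain.
object network INTERNAL_IP_7
 host 10.0.0.7
object network MY_ENC_IP_2
 host MD2.MD2.MD2.MD2

nat (INSIDE,OUTSIDE) 1 source static INTERNAL_IP MY_ENC_IP destination static SUPPLIER_ENC SUPPLIER_ENC
nat (INSIDE,OUTSIDE) 2 source static INTERNAL_IP_7 MY_ENC_IP_2 destination static SUPPLIER_ENC SUPPLIER_ENC

! One crypto ACL entry per translated address (or group the MY_ENC_IP objects).
object-group network MY_ENC_DOMAIN
 network-object object MY_ENC_IP
 network-object object MY_ENC_IP_2

access-list OUTSIDE_CRYPTOMAP extended permit ip object-group MY_ENC_DOMAIN object SUPPLIER_ENC

! Check the translation chosen for each host before blaming the tunnel.
packet-tracer input INSIDE tcp 10.0.0.7 12345 SD.SD.SD.SD 443 detailed
```

Choose option A when the supplier only needs to see one address and all sessions start from your side; choose option B when the supplier must open connections to particular servers, because a shared PAT address gives the ASA no way to pick which inside host an inbound packet belongs to.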