ASA 5505 8.3 vpn with nat

Hi,

Please advise me on how to NAT VPN traffic.

The goal is that the internal IP address 192.168.0.101 will appear as 10.104.4.101 at the other end.

What NAT command do I have to use?

Thanks

Cisco Employee

ASA 5505 8.3 vpn with nat

Assuming that you would like to NAT the internal IP of 192.168.0.101 to 10.104.4.101 when trying to access the remote subnet of 172.16.0.0/16.

Here is the command:

object network obj-192.168.0.101
     host 192.168.0.101
object network obj-10.104.4.101
     host 10.104.4.101
object network obj-172.16.0.0-16
     subnet 172.16.0.0 255.255.0.0
nat (inside,outside) source static obj-192.168.0.101 obj-10.104.4.101 destination static obj-172.16.0.0-16 obj-172.16.0.0-16

Hope this helps.
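To see what this rule does on the wire, here is an added model (not code from the reply or from Cisco) of the twice-NAT rule above: it translates only traffic headed to the assumed 172.16.0.0/16 remote subnet, untranslates the return traffic, and checks the post-NAT flow against a hypothetical crypto ACL, since the ASA evaluates the crypto map after NAT.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class TwiceNatRule:
    """Model of one ASA 8.3 'nat (inside,outside) source static A B destination static C C' rule."""
    real_src: ipaddress.IPv4Network     # obj-192.168.0.101: inside address before NAT
    mapped_src: ipaddress.IPv4Network   # obj-10.104.4.101: address the remote end sees
    real_dst: ipaddress.IPv4Network     # obj-172.16.0.0-16: destination that triggers the rule
    mapped_dst: ipaddress.IPv4Network   # same object: destination is left unchanged

def translate_outbound(rule, src, dst):
    """inside->outside: (src, dst) after NAT as strings, or None if the rule does not apply."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in rule.real_src and d in rule.real_dst:
        return str(rule.mapped_src.network_address), str(d)   # static host->host mapping
    return None

def untranslate_inbound(rule, src, dst):
    """outside->inside (return traffic): undo the mapping, or None if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in rule.mapped_dst and d in rule.mapped_src:
        return str(s), str(rule.real_src.network_address)
    return None

def matches_crypto_acl(acl, src, dst):
    """The ASA matches the crypto map against the post-NAT packet, so the ACL must use mapped addresses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in acl)

# Constructed values following the reply's assumption (172.16.0.0/16 remote subnet).
RULE = TwiceNatRule(
    real_src=ipaddress.ip_network("192.168.0.101/32"),
    mapped_src=ipaddress.ip_network("10.104.4.101/32"),
    real_dst=ipaddress.ip_network("172.16.0.0/16"),
    mapped_dst=ipaddress.ip_network("172.16.0.0/16"),
)
# Hypothetical crypto ACL written in terms of the mapped 10.104.4.0/24 range.
CRYPTO_ACL = [(ipaddress.ip_network("10.104.4.0/24"), ipaddress.ip_network("172.16.0.0/16"))]

if __name__ == "__main__":
    out = translate_outbound(RULE, "192.168.0.101", "172.16.5.9")
    print("outbound:", out, "crypto match:", matches_crypto_acl(CRYPTO_ACL, *out))
    print("return:", untranslate_inbound(RULE, "172.16.5.9", "10.104.4.101"))
    print("non-VPN traffic:", translate_outbound(RULE, "192.168.0.101", "8.8.8.8"))
```

Traffic from 192.168.0.101 to anything outside 172.16.0.0/16 is left untouched, which is why the destination clause matters: without it the host would be translated for all outbound traffic.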


Re: ASA 5505 8.3 vpn with nat

Hello!

Sorry for my late reply!

I tried what you advised, and it seems better.

But something is wrong yet.

Attached are the config and a debug txt.

Please give me some instructions on what is wrong!

Thanks!

(In the NAT debug I find this:

nat: translation - inside:192.168.0.101/1729 to outside:10.104.4.101/1729

but no untranslation line.)

Cisco Employee

Re: ASA 5505 8.3 vpn with nat

Hi,

Can you please check the crypto access-list on both sides? It should be exactly mirrored, because we can see the following error in the debugs:

Aug 21 23:48:37 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Connection terminated for peer x.x.x.x. Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0

Thanks.


Re: ASA 5505 8.3 vpn with nat

Hi,

This is the remote end crypto access-list:

access-list outside_cryptomap_8; 2 elements; name hash: 0x1a88a6c3
access-list outside_cryptomap_8 line 1 extended permit ip object-group DM_INLINE_NETWORK_19 10.104.4.0 255.255.255.0 0x6105a778
access-list outside_cryptomap_8 line 1 extended permit ip SAP_Netz 255.255.255.0 10.104.4.0 255.255.255.0 (hitcnt=25) 0x2567e08a
access-list outside_cryptomap_8 line 1 extended permit ip 10.1.64.0 255.255.255.0 10.104.4.0 255.255.255.0 (hitcnt=4) 0x1d2940ed

And the remote device VPN log:


Re: ASA 5505 8.3 vpn with nat

And this is my config and my crypto ikev1 debug:

Cisco Employee

Re: ASA 5505 8.3 vpn with nat

From the debugs you attached:

Aug 24 01:52:05 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, PHASE 2 COMPLETED (msgid=28405279)

This means that phase 2 is up.

Can you share the following after initiating the traffic?

show cry ikev1 sa
show crypto ipsec sa

Regards.

Re: ASA 5505 8.3 vpn with nat

This is it:

sh crypto ikev1 sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: x.x.x.x
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Poli-ASA# sh cry ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: x.x.x.x

      access-list jwo_tunnel extended permit ip 10.104.4.0 255.255.255.0 10.1.48.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.104.4.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.48.0/255.255.255.0/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x/0, remote crypto endpt.: x.x.x.x/0
      path mtu 1492, ipsec overhead 74, media mtu 1500
      current outbound spi: E05EB4F9
      current inbound spi : FB220429

    inbound esp sas:
      spi: 0xFB220429 (4213310505)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, }
         slot: 0, conn_id: 880640, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28776)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xE05EB4F9 (3764303097)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, }
         slot: 0, conn_id: 880640, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28776)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Does it mean that the tunnel is up?

But if I try to ping 10.1.48.95, which is the target host (or telnet to some specific ports), no replies come back.

?
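As an added illustration of the mirrored-proxy check suggested earlier in the thread (not code from the thread or from Cisco): this parses the two crypto ACLs posted above, reports which local entries have an exact (dst, src) twin on the remote side, flags object-group and name entries that cannot be resolved without their definitions, and reads the encaps/decaps counters from the `show crypto ipsec sa` output. The sample lines are copied from the posts.

```python
import ipaddress
import re

# Sample input constructed from the lines posted in this thread (trailers kept as shown).
REMOTE_ACL = """
access-list outside_cryptomap_8 line 1 extended permit ip object-group DM_INLINE_NETWORK_19 10.104.4.0 255.255.255.0 0x6105a778
access-list outside_cryptomap_8 line 1 extended permit ip SAP_Netz 255.255.255.0 10.104.4.0 255.255.255.0 (hitcnt=25) 0x2567e08a
access-list outside_cryptomap_8 line 1 extended permit ip 10.1.64.0 255.255.255.0 10.104.4.0 255.255.255.0 (hitcnt=4) 0x1d2940ed
"""
LOCAL_ACL = "access-list jwo_tunnel extended permit ip 10.104.4.0 255.255.255.0 10.1.48.0 255.255.255.0"
IPSEC_SA = """
      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def _endpoint(tokens):
    """Consume one ACL endpoint: an IPv4Network, or the bare name when it cannot be resolved."""
    tok = tokens.pop(0)
    if tok in ("object", "object-group"):
        return tokens.pop(0)                 # name only; needs the object definition to resolve
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0) if tokens and IPV4.match(tokens[0]) else None
    if IPV4.match(tok) and mask:
        return ipaddress.ip_network(f"{tok}/{mask}", strict=False)
    return tok                               # a 'names' entry such as SAP_Netz

def parse_crypto_acl(text):
    """Return [(src, dst), ...] for every 'permit ip' line; entries are networks or names."""
    entries = []
    for line in text.splitlines():
        if "permit ip" in line:
            tokens = line.split("permit ip", 1)[1].split()
            entries.append((_endpoint(tokens), _endpoint(tokens)))
    return entries

def mirror_check(local, remote):
    """Each local (src, dst) needs a remote (dst, src) twin. Returns (matched, unmatched, unresolved)."""
    is_name = lambda e: isinstance(e[0], str) or isinstance(e[1], str)
    resolved = {(s, d) for s, d in remote if not is_name((s, d))}
    matched = [e for e in local if (e[1], e[0]) in resolved]
    unmatched = [e for e in local if (e[1], e[0]) not in resolved]
    return matched, unmatched, [e for e in remote if is_name(e)]

def encaps_decaps(text):
    """Pull the encaps/decaps counters out of 'show crypto ipsec sa' output."""
    enc = int(re.search(r"#pkts encaps: (\d+)", text).group(1))
    dec = int(re.search(r"#pkts decaps: (\d+)", text).group(1))
    return enc, dec
```

On the thread's data the only local entry (10.104.4.0/24 to 10.1.48.0/24) has no resolvable twin on the remote side, only the unresolved DM_INLINE_NETWORK_19 and SAP_Netz entries that might contain 10.1.48.0/24, and the SA shows 3 encaps against 0 decaps: packets leave the tunnel but nothing comes back. Those two object definitions and the remote side's return path for 10.104.4.0/24 are what to verify next.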