03-15-2011 01:02 PM
I have read all the posts I could find, every bit of documentation I could find, and still cannot get my head around how I have to configure this new ASA to meet the requirements. My customer is bringing up a new Data Center and is going to be migrating to this new DC. They currently have an old PIX-515E running 6.3 at their existing Data Center. I need to mimic the configuration on a new ASA running 8.3. I believe I have figured out all the static NATs etc., but am getting stuck on configuring the two tunnels which they use. The relevant configuration from the old PIX is pasted below. I did not include the ACLs, etc. in their entirety, as there are a lot of old tunnels, etc. which are not migrating. Only the portions which are relevant to these two tunnels are below. A lot of the items in the old config also do not make sense, and I am not sure what is actually going on.
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.30.6.65 10.0.0.130 netmask 255.255.255.255 0 0
access-list 100 line 11 permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 (hitcnt=80740)
access-list 100 line 39 permit ip host 10.0.0.130 2.9.37.0 255.255.255.0 (hitcnt=13531)
access-list outside_cryptomap_220 permit ip host 10.0.0.130 2.9.37.0 255.255.255.0
access-list outside_cryptomap_220 permit ip 172.30.6.64 255.255.255.248 2.9.37.0 255.255.255.0
access-list 181 permit ip 10.0.0.0 255.0.0.0 10.0.26.0 255.255.255.0
crypto map gersmap 220 ipsec-isakmp
crypto map gersmap 220 match address outside_cryptomap_220
crypto map gersmap 220 set peer 64.87.28.38
crypto map gersmap 220 set transform-set 3DES-SHA
crypto map gersmap 241 ipsec-isakmp
crypto map gersmap 241 match address 181
crypto map gersmap 241 set peer 74.238.28.7
crypto map gersmap 241 set transform-set dblsecure3
crypto map gersmap interface outside
isakmp enable outside
The following is some configuration information which has been sent to the customer by the remote company.
Fort-ASA01# sh crypto ipsec sa peer FLOO1
peer address: FLOO1
Crypto map tag: toVPNClients, seq num: 17, local addr: 64.87.28.38
access-list floo1 extended permit ip 2.9.37.0 255.255.255.0 172.30.6.64 255.255.255.248
local ident (addr/mask/prot/port): (2.9.37.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.30.6.64/255.255.255.248/0/0)
current_peer: FLOO1
Thanks for any assistance in getting this set up correctly.
03-15-2011 02:48 PM
Here is what I have so far to mimic the static NATs which are in place currently.
object network E1_Database_Fortitude
host 172.30.6.65
description E1 Database for Fortitude Backup Outside
object network E1_Database_Inside
host 10.0.253.130
description Inside E1 Database IP
nat (inside,outside) source static E1_Database_Inside E1_Database_Fortitude
03-15-2011 07:26 PM
The nonat (NAT 0 with ACL) for the following 2 crypto ACLs:
access-list outside_cryptomap_220 permit ip host 10.0.0.130 2.9.37.0 255.255.255.0
access-list outside_cryptomap_220 permit ip 172.30.6.64 255.255.255.248 2.9.37.0 255.255.255.0
should be:
object network obj-10.0.0.130
host 10.0.0.130
object network obj-2.9.37.0
subnet 2.9.37.0 255.255.255.0
object network obj-172.30.6.64_29
subnet 172.30.6.64 255.255.255.248
nat (inside,outside) source static obj-10.0.0.130 obj-10.0.0.130 destination static obj-2.9.37.0 obj-2.9.37.0
nat (inside,outside) source static obj-172.30.6.64_29 obj-172.30.6.64_29 destination static obj-2.9.37.0 obj-2.9.37.0
Hope that helps.
03-16-2011 06:13 AM
Thanks Jennifer. That does help clear up the format a little. I am still trying to sort out what is going on in their existing ASA, so I am not positive that is exactly what is needed, but it does clarify the format for me. From what the customer states, his understanding is that when they are talking across the tunnel to the 2.9.37.0 network, the 10.0.0.130 device should NAT to 172.30.6.65. When it is going out the Internet pipe and not through the tunnel, it should use the normal PAT. So I think I need something like this.
object network obj-10.0.0.130
host 10.0.0.130
object network obj-2.9.37.0
subnet 2.9.37.0 255.255.255.0
object network obj-172.30.6.65
host 172.30.6.65
nat (inside,outside) source static obj-10.0.0.130 obj-172.30.6.65 destination static obj-2.9.37.0 obj-2.9.37.0
If I am understanding this correctly, it will only use that static NAT statement when going to the 2.9.37.0/24 network. I think a lot of it will come down to figuring out what is really going on when they move the tunnel over from the existing PIX to the ASA.
03-16-2011 06:47 PM
You are absolutely spot on.
That is the correct NAT statement, ie: 10.0.0.130 will only be NATed to 172.30.6.65 when destination is 2.9.37.0/24.
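The migrated configuration collected in one place, as an added example that is not from any post in this thread: it combines the twice-NAT rule confirmed above with the general PAT and the crypto map 220 and 241 entries from the PIX, rewritten in ASA 8.3 syntax. Addresses, object names, ACL names, peers and transform-set names come from the posts; the ISAKMP policy, the transform-set parameters, the pre-shared keys, the verification destination addresses and the object names for 10.0.0.0/8, 10.0.26.0/24 and "any" are assumptions. Two checks worth making when it is applied: the ASA matches the crypto ACL after NAT, so the entry for crypto map 220 should use the translated 172.30.6.64/29 that mirrors the peer's `remote ident` (the `host 10.0.0.130` line from the PIX ACL would never match post-NAT traffic), and the manual NAT rule must sit in section 1, ahead of the object-NAT PAT rule, so tunnel traffic is translated to 172.30.6.65 rather than to the interface address. 3DES/SHA-1 is kept only because it is what the PIX and the peers negotiate; it is weak by current standards and should be replaced once both ends can be changed.

```cisco
! Added example, not from the thread: ASA 8.3 equivalent of the PIX 6.3
! pieces posted above. ISAKMP policy, transform-set parameters and
! pre-shared keys are ASSUMPTIONS; replace them with the values from the
! PIX and from the peers.
!
! --- Objects (addresses from the thread; names for /8, /24 and any assumed) ---
object network obj-10.0.0.130
 host 10.0.0.130
object network obj-172.30.6.65
 host 172.30.6.65
object network obj-2.9.37.0
 subnet 2.9.37.0 255.255.255.0
object network obj-10.0.0.0_8
 subnet 10.0.0.0 255.0.0.0
object network obj-10.0.26.0_24
 subnet 10.0.26.0 255.255.255.0
!
! --- Section 1: manual (twice) NAT, evaluated first, first match wins ---
! Tunnel 220: 10.0.0.130 becomes 172.30.6.65 ONLY when the destination is
! 2.9.37.0/24 (replaces the PIX static plus the two crypto-ACL lines).
nat (inside,outside) source static obj-10.0.0.130 obj-172.30.6.65 destination static obj-2.9.37.0 obj-2.9.37.0
! Tunnel 241: identity NAT (PIX "nat 0 access-list 100 line 11"), so
! 10.0.0.0/8 reaches 10.0.26.0/24 untranslated.
nat (inside,outside) source static obj-10.0.0.0_8 obj-10.0.0.0_8 destination static obj-10.0.26.0_24 obj-10.0.26.0_24
!
! --- Section 2: object NAT, evaluated after section 1 ---
! General PAT to the outside interface (PIX "global (outside) 1 interface"
! + "nat (inside) 1 0.0.0.0 0.0.0.0"). Anything that did not match a
! section-1 rule lands here, including 10.0.0.130 going to the Internet.
object network obj-inside-any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!
! --- Crypto ACLs: matched AFTER NAT, so they use translated addresses ---
! Mirrors the peer's "remote ident (172.30.6.64/255.255.255.248/0/0)".
access-list outside_cryptomap_220 extended permit ip 172.30.6.64 255.255.255.248 2.9.37.0 255.255.255.0
access-list 181 extended permit ip 10.0.0.0 255.0.0.0 10.0.26.0 255.255.255.0
!
! --- Phase 1 (policy values ASSUMED; copy them from the PIX "isakmp policy") ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! --- Phase 2 transform sets (parameters ASSUMED to match the PIX definitions) ---
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set dblsecure3 esp-3des esp-sha-hmac
!
! --- Crypto map: same sequence numbers, peers and names as the PIX ---
! (ASA 8.x has no "ipsec-isakmp" keyword on crypto map entries.)
crypto map gersmap 220 match address outside_cryptomap_220
crypto map gersmap 220 set peer 64.87.28.38
crypto map gersmap 220 set transform-set 3DES-SHA
crypto map gersmap 241 match address 181
crypto map gersmap 241 set peer 74.238.28.7
crypto map gersmap 241 set transform-set dblsecure3
crypto map gersmap interface outside
!
! --- Tunnel groups: 8.x keeps the LAN-to-LAN PSK here (keys are placeholders) ---
tunnel-group 64.87.28.38 type ipsec-l2l
tunnel-group 64.87.28.38 ipsec-attributes
 pre-shared-key <key-from-the-PIX-for-64.87.28.38>
tunnel-group 74.238.28.7 type ipsec-l2l
tunnel-group 74.238.28.7 ipsec-attributes
 pre-shared-key <key-from-the-PIX-for-74.238.28.7>
!
! --- Verification (exec mode; destination hosts are made-up examples) ---
! packet-tracer input inside tcp 10.0.0.130 1025 2.9.37.10 445
!   NAT phase should show the section-1 rule with source 172.30.6.65,
!   and the VPN phase should show crypto map 220.
! packet-tracer input inside tcp 10.0.0.130 1025 203.0.113.10 443
!   should fall through to the obj-inside-any PAT rule with no VPN phase.
! show nat
! show crypto ipsec sa peer 64.87.28.38
```

The two `packet-tracer` runs are the quickest way to prove the destination-conditional translation before the cut-over: the first must translate to 172.30.6.65 and select crypto map 220, the second must PAT to the interface address and never touch the crypto map. If the first run shows the interface address instead, the manual rule is missing or has been placed after the PAT rule.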