ASA to ASA Site2Site VPN with Dynamic NAT in version 8.2

burleyman
Level 8

I have been doing everything for NAT in 9.x and I did not do very much at all with NAT in 8.2 and earlier with this setup.

I have some local subnets:

172.30.1.0/24
172.30.16.0/24
172.30.3.0/24
172.30.12.0/24
172.30.7.0/24
172.30.35.0/24

that will need to access a remote subnet:

10.31.255.128/25

and the requirement is to NAT the following:

Many to Many NAT requirement.
172.30.1.0/24    NAT to    192.168.104.0/24
172.30.16.0/24    NAT to    192.168.105.0/24
172.30.3.0/24    NAT to    192.168.108.0/24
172.30.12.0/24    NAT to    192.168.106.0/24
172.30.7.0/24    NAT to    192.168.107.0/24
172.30.35.0/24    NAT to    192.168.103.0/24

when going to the 10.31.255.128/25 subnet.

 

Here is what I think I need and I am looking for confirmation and/or help.

*****Group Config ********************

object-group network LOCAL-NATed-NETWORKS
 network-object 192.168.104.0 255.255.255.0
 network-object 192.168.105.0 255.255.255.0
 network-object 192.168.108.0 255.255.255.0
 network-object 192.168.106.0 255.255.255.0
 network-object 192.168.107.0 255.255.255.0
 network-object 192.168.103.0 255.255.255.0

object-group network REMOTE-NETWORK
 network-object 10.31.255.128 255.255.255.128

***ACL for crypto-map****

access-list REMOTE_cryptomap_72 extended permit ip object-group LOCAL-NATed-NETWORKS object-group REMOTE-NETWORK


**** NAT Config *******

nat (inside) 10 172.30.1.0 255.255.255.0
nat (inside) 20 172.30.16.0 255.255.255.0
nat (inside) 30 172.30.3.0 255.255.255.0
nat (inside) 40 172.30.12.0 255.255.255.0
nat (inside) 50 172.30.7.0 255.255.255.0
nat (inside) 60 172.30.35.0 255.255.255.0


global (outside) 10 192.168.104.0 255.255.255.0
global (outside) 20 192.168.105.0 255.255.255.0
global (outside) 30 192.168.108.0 255.255.255.0
global (outside) 40 192.168.106.0 255.255.255.0
global (outside) 50 192.168.107.0 255.255.255.0
global (outside) 60 192.168.103.0 255.255.255.0

 

*****This is setting up the transform-set that is called out in the Crypto map.*****

crypto ipsec ikev1 transform-set REMOTE-SET esp-3des esp-sha-hmac

****This configures the Crypto map.*****

crypto map outside_map 72 match address REMOTE_cryptomap_72
crypto map outside_map 72 set peer 5.5.5.4
crypto map outside_map 72 set ikev1 transform-set REMOTE-SET
crypto map outside_map 72 set reverse-route

*****Sets up IKE******

crypto ikev1 policy 72
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
 encryption 3des

*****Sets up the tunnel group (Connection Profile)*****

tunnel-group 5.5.5.4 type ipsec-l2l
tunnel-group 5.5.5.4 ipsec-attributes
 ikev1 pre-shared-key *TBD*

 

 

Thanks,

Mike

5 Replies

Sean Oskar
Level 1

Try this:

access-list NET1-104 extended permit ip 172.30.1.0 255.255.255.0 10.31.255.128 255.255.255.128

access-list NET16-105 extended permit ip 172.30.16.0 255.255.255.0 10.31.255.128 255.255.255.128

access-list NET3-108 extended permit ip 172.30.3.0 255.255.255.0 10.31.255.128 255.255.255.128

access-list NET12-106 extended permit ip 172.30.12.0 255.255.255.0 10.31.255.128 255.255.255.128

access-list NET7-107 extended permit ip 172.30.7.0 255.255.255.0 10.31.255.128 255.255.255.128

access-list NET35-103 extended permit ip 172.30.35.0 255.255.255.0 10.31.255.128 255.255.255.128

 

nat (inside) 10 access-list NET1-104

nat (inside) 20 access-list NET16-105

nat (inside) 30 access-list NET3-108

nat (inside) 40 access-list NET12-106

nat (inside) 50 access-list NET7-107

nat (inside) 60 access-list NET35-103

 

Thanks for the reply....

 

But I have this requirement.....

and the requirement is to NAT the following:

Many to Many NAT requirement.
172.30.1.0/24    NAT to    192.168.104.0/24
172.30.16.0/24    NAT to    192.168.105.0/24
172.30.3.0/24    NAT to    192.168.108.0/24
172.30.12.0/24    NAT to    192.168.106.0/24
172.30.7.0/24    NAT to    192.168.107.0/24
172.30.35.0/24    NAT to    192.168.103.0/24

when going to the 10.31.255.128/25 subnet.

 

So in other words, when I am in the 172.30.1.0 subnet and need to access a server at 10.31.255.130, and I come across the tunnel, my IP address needs to be translated from the 172.30.1.0 subnet to the 192.168.104.0 subnet, and they will route the 192.168.104.X address as needed.

 

Mike

With your existing global statements, my suggestion should fulfill the requirement. Here's some further info: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_overview.html#wp1088419

Thanks, I read the document. Don't I need this as part of the config?

global (outside) 10 192.168.104.0 255.255.255.0
global (outside) 20 192.168.105.0 255.255.255.0
global (outside) 30 192.168.108.0 255.255.255.0
global (outside) 40 192.168.106.0 255.255.255.0
global (outside) 50 192.168.107.0 255.255.255.0
global (outside) 60 192.168.103.0 255.255.255.0

 

Mike

Here were the requirements:

Peer IP Address: 5.5.5.4

Local outside IP Address: 4.4.4.5 /29

IKEv1 setup
Phase 1
Hash Algorithm: SHA1
Authentication Method: Pre-Share Key  KeyGoesHere
Group (DH): 2
Lifetime: 28800
Encryption: 3DES

Phase 2
Hash Algorithm: SHA1
Lifetime: 3600
Encryption: 3DES
PFS: No

Local Subnets:
172.30.1.0/24
172.30.16.0/24
172.30.3.0/24
172.30.12.0/24
172.30.7.0/24
172.30.35.0/24

Remote Subnet:
10.31.255.128/25

Many to Many NAT requirement.
172.30.1.0/24    NAT to    192.168.104.0/24
172.30.16.0/24    NAT to    192.168.105.0/24
172.30.3.0/24    NAT to    192.168.108.0/24
172.30.12.0/24    NAT to    192.168.106.0/24
172.30.7.0/24    NAT to    192.168.107.0/24
172.30.35.0/24    NAT to    192.168.103.0/24

**************************************************************************

Here is the final config I used and tested; all good.

***ACL for NAT****

access-list NAT-REMOTE-11 extended permit ip 172.30.1.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list NAT-REMOTE-12 extended permit ip 172.30.16.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list NAT-REMOTE-13 extended permit ip 172.30.3.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list NAT-REMOTE-14 extended permit ip 172.30.12.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list NAT-REMOTE-15 extended permit ip 172.30.7.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list NAT-REMOTE-16 extended permit ip 172.30.35.0 255.255.255.0 10.31.255.128 255.255.255.128


***ACL for crypto-map****

access-list REMOTE-CRYPTOMAP-17 extended permit ip 192.168.104.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list REMOTE-CRYPTOMAP-17 extended permit ip 192.168.105.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list REMOTE-CRYPTOMAP-17 extended permit ip 192.168.108.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list REMOTE-CRYPTOMAP-17 extended permit ip 192.168.106.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list REMOTE-CRYPTOMAP-17 extended permit ip 192.168.107.0 255.255.255.0 10.31.255.128 255.255.255.128
access-list REMOTE-CRYPTOMAP-17 extended permit ip 192.168.103.0 255.255.255.0 10.31.255.128 255.255.255.128

 

**** NAT Config******

nat (inside) 11 access-list NAT-REMOTE-11
nat (inside) 12 access-list NAT-REMOTE-12
nat (inside) 13 access-list NAT-REMOTE-13
nat (inside) 14 access-list NAT-REMOTE-14
nat (inside) 15 access-list NAT-REMOTE-15
nat (inside) 16 access-list NAT-REMOTE-16


global (outside) 11 192.168.104.10-192.168.104.250 netmask 255.255.255.0
global (outside) 12 192.168.105.10-192.168.105.250 netmask 255.255.255.0
global (outside) 13 192.168.108.10-192.168.108.250 netmask 255.255.255.0
global (outside) 14 192.168.106.10-192.168.106.250 netmask 255.255.255.0
global (outside) 15 192.168.107.10-192.168.107.250 netmask 255.255.255.0
global (outside) 16 192.168.103.10-192.168.103.250 netmask 255.255.255.0


*****This is setting up the transform-set that is called out in the Crypto map.*****

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

****This configures the Crypto map.*****

crypto map MAP-VPN 72 match address REMOTE-CRYPTOMAP-17
crypto map MAP-VPN 72 set peer 5.5.5.4
crypto map MAP-VPN 72 set transform-set ESP-3DES-SHA
crypto map MAP-VPN 72 set reverse-route

crypto map MAP-VPN interface outside


*****Sets up Phase 1******

crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800

*****Sets up the tunnel group (Connection Profile)*****

tunnel-group 5.5.5.4 type ipsec-l2l
tunnel-group 5.5.5.4 ipsec-attributes
 pre-shared-key KeyGoesHere

 

Hope this helps others.

Mike
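The following Python is an added illustration, not code from the thread or from Cisco. It models the two steps the final config above relies on, in the order an ASA 8.2 applies them to an outbound packet: the `nat (inside) ID access-list` entries select the `global (outside) ID` pool with the same ID (policy NAT, so the source is only translated when the destination is 10.31.255.128/25), and the crypto-map ACL is then matched against the translated source. The class `PolicyNat82`, its methods `outbound` and `audit_crypto_coverage`, and the sample hosts are names and values chosen here; the subnets, pool ranges and NAT IDs are taken from the final config. The pool and xlate behaviour (next free address per host, reuse of an existing xlate, drop when a dynamic pool is exhausted and no PAT address shares the global ID) is the model's reading of 8.2 dynamic NAT, not a quote from the documentation.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
Acl = List[Tuple[Net, Net]]  # permit entries as (source network, destination network)


def net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=False)


def acl_permits(acl: Acl, src: Addr, dst: Addr) -> bool:
    """ASA extended ACL reduced to permit entries plus the implicit deny at the end."""
    return any(src in s and dst in d for s, d in acl)


class PolicyNat82:
    """Constructed model of ASA 8.2 outbound processing: policy NAT first,
    then the crypto-map ACL is evaluated on the translated source address."""

    def __init__(self, nat_rules: List[Tuple[int, str]], acls: Dict[str, Acl],
                 pools: Dict[int, Tuple[str, str]], crypto_acl: Acl) -> None:
        self.nat_rules = nat_rules            # ordered: the first matching entry wins
        self.acls = acls
        self.crypto_acl = crypto_acl
        # expand 'global (outside) ID lo-hi' into the addresses it can hand out
        self.pools = {
            i: [Addr(int(Addr(lo)) + k) for k in range(int(Addr(hi)) - int(Addr(lo)) + 1)]
            for i, (lo, hi) in pools.items()
        }
        self.xlates: Dict[Tuple[int, Addr], Addr] = {}  # (nat id, real src) -> mapped src

    def translate(self, src: Addr, dst: Addr) -> Tuple[Optional[Addr], bool]:
        """Return (mapped source, dropped). Dynamic NAT reuses an existing xlate for
        the host, else takes the next free pool address; an empty pool with no PAT
        fallback means the new connection is dropped."""
        for nat_id, acl_name in self.nat_rules:
            if not acl_permits(self.acls[acl_name], src, dst):
                continue
            key = (nat_id, src)
            if key in self.xlates:
                return self.xlates[key], False
            in_use = {a for (i, _), a in self.xlates.items() if i == nat_id}
            for cand in self.pools[nat_id]:
                if cand not in in_use:
                    self.xlates[key] = cand
                    return cand, False
            return None, True
        return src, False  # no policy NAT entry matched: source leaves untranslated

    def outbound(self, src, dst) -> dict:
        src, dst = Addr(src), Addr(dst)
        mapped, dropped = self.translate(src, dst)
        encrypted = (not dropped) and acl_permits(self.crypto_acl, mapped, dst)
        return {"src": None if mapped is None else str(mapped),
                "dropped": dropped, "encrypted": encrypted}

    def audit_crypto_coverage(self) -> List[int]:
        """NAT IDs whose pool holds addresses the crypto ACL never matches for the
        policy's destinations, i.e. translated flows that would bypass the tunnel."""
        uncovered = []
        for nat_id, acl_name in self.nat_rules:
            dests = [d for _, d in self.acls[acl_name]]
            for a in self.pools[nat_id]:
                if not all(acl_permits(self.crypto_acl, a, d.network_address) for d in dests):
                    uncovered.append(nat_id)
                    break
        return uncovered


REMOTE = net("10.31.255.128/25")
# (nat id, real subnet, pool start, pool end) as written in the final config above
FINAL_CONFIG = [
    (11, "172.30.1.0/24",  "192.168.104.10", "192.168.104.250"),
    (12, "172.30.16.0/24", "192.168.105.10", "192.168.105.250"),
    (13, "172.30.3.0/24",  "192.168.108.10", "192.168.108.250"),
    (14, "172.30.12.0/24", "192.168.106.10", "192.168.106.250"),
    (15, "172.30.7.0/24",  "192.168.107.10", "192.168.107.250"),
    (16, "172.30.35.0/24", "192.168.103.10", "192.168.103.250"),
]


def build_final_config() -> PolicyNat82:
    acls = {f"NAT-REMOTE-{i}": [(net(real), REMOTE)] for i, real, _, _ in FINAL_CONFIG}
    rules = [(i, f"NAT-REMOTE-{i}") for i, *_ in FINAL_CONFIG]
    pools = {i: (lo, hi) for i, _, lo, hi in FINAL_CONFIG}
    crypto = [(net(lo + "/24"), REMOTE) for _, _, lo, _ in FINAL_CONFIG]  # REMOTE-CRYPTOMAP-17
    return PolicyNat82(rules, acls, pools, crypto)


if __name__ == "__main__":
    asa = build_final_config()
    print(asa.outbound("172.30.1.5", "10.31.255.130"))   # translated and encrypted
    print(asa.outbound("172.30.1.5", "198.51.100.9"))    # other destination: untouched
    print("uncovered NAT ids:", asa.audit_crypto_coverage())
```

Running it makes the dynamic-NAT semantics of the final config visible: a host receives whichever pool address is free, so 172.30.1.5 is not guaranteed to appear as 192.168.104.5 (acceptable here because the remote side routes the whole 192.168.104.0/24 back), and once a pool is drained new connections from further hosts fail unless a PAT address is added under the same global ID. `audit_crypto_coverage` is the check for the mismatch this thread turned on: a crypto ACL written on the real 172.30.x.0 subnets instead of the 192.168.x.0 pools would leave every translated flow outside the tunnel.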