01-13-2015 02:32 PM
Hello Cisco Community,
I hope you can provide me with your feedback and comments. :)
I'm in the middle of a pre-implementation with a Cisco ASA5505 and a Cisco 800, creating a site-to-site VPN. Now I'm having some issues separating traffic (VPN traffic and NAT traffic) on the ASA5505. Below you can find the current topology:
Local LAN (192.168.1.0/24, 10.10.12.0/24, 192.168.20.254) **ASA5505** >>>>>>Simulating WAN 192.168.100.0/24<<<<<<<**Cisco800** Local LAN (192.168.3.0/24, 192.168.4.0/24)
After reviewing the Cisco documentation, I have not found any document that explains how to create an object-group NAT configuration and how to separate NAT traffic and VPN traffic using object-groups (this configuration is for multiple local and remote networks).
The following is the current configuration on both devices, the ASA and the Cisco 800:
ASA5505 Configuration:
ASA5505C# SH RUN
: Saved
:
: Serial Number: JMX1811Z0G2
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname ASA5505C
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
names
!
interface Ethernet0/0
switchport trunk allowed vlan 1,20
switchport mode trunk
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 2
!
interface Vlan1
nameif inside
security-level 100
ip address dhcp
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.100.1 255.255.255.0
!
boot system disk0:/asa923-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-local1
subnet 192.168.1.0 255.255.255.0
object network obj-local2
subnet 192.168.20.0 255.255.255.0
object network obj-local3
subnet 10.10.12.0 255.255.255.0
object network remote1
subnet 192.168.3.0 255.255.255.0
object network remote2
subnet 192.168.4.0 255.255.255.0
object network internal-lan1
subnet 192.168.1.0 255.255.255.0
object network internal-lan2
subnet 192.168.20.0 255.255.255.0
object network internal-lan3
subnet 10.10.12.0 255.255.255.0
object network internal1
subnet 192.168.1.0 255.255.255.0
object network internal2
subnet 192.168.20.0 255.255.255.0
object network internal3
subnet 10.10.12.0 255.255.255.0
object network WAN
host 192.168.100.1
object-group network LOCAL
network-object object obj-local1
network-object object obj-local2
network-object object obj-local3
object-group network REMOTE
network-object object remote1
network-object object remote2
object-group network INTERNAL
network-object object internal1
network-object object internal2
network-object object internal3
access-list 100 extended permit ip any any
access-list 121 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 121 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 121 extended permit ip 192.168.20.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 121 extended permit ip 192.168.20.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 121 extended permit ip 10.10.12.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 121 extended permit ip 10.10.12.0 255.255.255.0 192.168.4.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-732.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static WAN interface
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE
access-group 100 in interface outside
route inside 0.0.0.0 0.0.0.0 192.168.1.254 1
route inside 10.10.12.0 255.255.255.0 192.168.1.254 1
route outside 192.168.3.0 255.255.255.0 192.168.100.2 1
route outside 192.168.4.0 255.255.255.0 192.168.100.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set FirstStep esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 43200
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto map TME 1 match address 121
crypto map TME 1 set peer 192.168.100.2
crypto map TME 1 set ikev1 transform-set FirstStep
crypto map TME 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map TME interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
anyconnect-essentials
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group 192.168.100.2 type ipsec-l2l
tunnel-group 192.168.100.2 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:abf780eba2e66207e621ad45c23750b8
: end
ASA5505C#
ASA5505C# sh crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.100.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
Cisco 800 Configuration:
Charlie_Cisco877#sh run
Building configuration...
Current configuration : 3298 bytes
!
! Last configuration change at 14:29:12 UTC Tue Jan 13 2015
! NVRAM config last updated at 14:28:27 UTC Tue Jan 13 2015
! NVRAM config last updated at 14:28:27 UTC Tue Jan 13 2015
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Charlie_Cisco877
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.151-4.M9.bin
boot-end-marker
!
!
logging buffered 4096 informational
logging console informational
!
no aaa new-model
!
crypto pki token default removal timeout 0
!
!
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 43200
crypto isakmp key cisco123 address 192.168.100.1
!
crypto ipsec security-association lifetime seconds 43200
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 1 ipsec-isakmp
! Incomplete
crypto map CMAP 10 ipsec-isakmp
set peer 192.168.100.1
set transform-set TS
match address VPN-TRAFFIC
!
!
!
!
interface Loopback0
ip address 192.168.4.1 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
shutdown
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 192.168.100.2 255.255.255.0
ip access-group 101 in
ip nat outside
ip virtual-reassembly in
crypto map CMAP
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface Vlan2 overload
ip route 10.10.12.0 255.255.255.0 192.168.100.1
ip route 192.168.1.0 255.255.255.0 Vlan2
ip route 192.168.20.0 255.255.255.0 Vlan2
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 10.10.12.0 0.0.0.255
!
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.4.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 100 deny ip 192.168.4.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 101 permit udp host 192.168.100.1 host 192.168.100.2 eq isakmp
access-list 101 permit icmp any any
access-list 101 permit esp host 192.168.100.1 host 192.168.100.2
access-list 101 permit ip any any log
access-list 101 deny ip any any log
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
Charlie_Cisco877#
Charlie_Cisco877#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.100.1 192.168.100.2 QM_IDLE 2006 ACTIVE
IPv6 Crypto ISAKMP SA
Hope you can help me! :) Thanks!
01-13-2015 11:38 PM
Your NAT is nearly correct. There are just two small things:
1) What do you want to achieve with this rule and the corresponding ACL? "permit ip any any" on the outside interface is probably a bad idea. Better to configure the needed ports directly with object NAT and specific ACL lines.
nat (inside,outside) source static WAN interface
2) The NAT exemption is nearly fine. This NAT rule is typically configured with two more parameters:
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup
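The two things that have to line up in a configuration like the one posted above are (a) the crypto ACLs on both peers must be exact mirror images of each other, and (b) the traffic selected by the crypto ACL must be the same traffic that is exempted from NAT: the LOCAL/REMOTE identity rule on the ASA and the deny lines of ACL 100 on the 877. The script below is an added example and is not code from the original poster, the replier or Cisco. It re-types the ACL lines quoted in the thread as constructed strings, parses the ASA netmask form and the IOS wildcard form into the same network objects, and reports every proxy-identity pair that is not mirrored or not exempted. The object-group members in ASA_LOCAL and ASA_REMOTE are copied from the posted object-groups; is_any_any() is a hypothetical helper that flags the "permit ip any any" outside ACL the reply warns about. Only the Python standard library is used.

```python
"""Mirror-image and NAT-exemption consistency check for a site-to-site IPsec pair.

Added example, not code from the thread. The ACL text below is re-typed
from the ASA and Cisco 877 configurations quoted in the original post.
"""
import ipaddress
from itertools import product

# Constructed input: ASA crypto ACL (netmask notation), copied from the post.
ASA_CRYPTO_ACL = """
access-list 121 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 121 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 121 extended permit ip 192.168.20.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 121 extended permit ip 192.168.20.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 121 extended permit ip 10.10.12.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 121 extended permit ip 10.10.12.0 255.255.255.0 192.168.4.0 255.255.255.0
"""

# Constructed input: IOS crypto ACL VPN-TRAFFIC (wildcard notation), copied from the post.
IOS_CRYPTO_ACL = """
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 10.10.12.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 10.10.12.0 0.0.0.255
"""

# Constructed input: IOS PAT source list. The deny lines are the NAT exemption;
# the final permit is what actually gets overloaded onto Vlan2.
IOS_NAT_ACL = """
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.4.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 100 deny ip 192.168.4.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
"""

# ASA side: members of object-group LOCAL and REMOTE, which the identity rule
# "nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE" uses.
ASA_LOCAL = ["192.168.1.0/24", "192.168.20.0/24", "10.10.12.0/24"]
ASA_REMOTE = ["192.168.3.0/24", "192.168.4.0/24"]


def _net(addr, mask, wildcard=False):
    """Build a network from an address plus an ASA netmask or an IOS wildcard."""
    if wildcard:  # IOS wildcard 0.0.0.255 is the inverted netmask 255.255.255.0
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(text, action="permit", wildcard=False):
    """Return {(src_net, dst_net)} for 'ip' entries with the given action.

    Entries using 'any' or 'host' are skipped: they are not subnet-to-subnet
    proxy identities and would need separate handling.
    """
    pairs = set()
    for line in text.strip().splitlines():
        tok = line.split()
        if "ip" not in tok or "any" in tok or "host" in tok:
            continue
        i = tok.index("ip")
        if i == 0 or tok[i - 1] != action or len(tok) < i + 5:
            continue
        pairs.add((_net(tok[i + 1], tok[i + 2], wildcard), _net(tok[i + 3], tok[i + 4], wildcard)))
    return pairs


def mirror(pairs):
    """Swap source and destination: what the other peer's crypto ACL must contain."""
    return {(dst, src) for src, dst in pairs}


def crypto_acl_mismatch(asa_pairs, ios_pairs):
    """Pairs present on one peer but not mirrored on the other (both empty means OK)."""
    return asa_pairs - mirror(ios_pairs), ios_pairs - mirror(asa_pairs)


def asa_exemption_pairs(local, remote):
    """Pairs covered by the ASA identity (twice-NAT) rule LOCAL -> REMOTE."""
    return {(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in product(local, remote)}


def unexempted(crypto_pairs, exempt_pairs):
    """Crypto-ACL pairs that would still be translated before encryption (should be empty)."""
    return crypto_pairs - exempt_pairs


def is_any_any(acl_line):
    """Hypothetical helper: True for a 'permit ip any any' line, the outside ACL the reply warns about."""
    tok = acl_line.split()
    return "permit" in tok and tok[-3:] == ["ip", "any", "any"]


def run_checks():
    """Run the mirror and exemption checks on the constructed inputs and return the findings."""
    asa = parse_acl(ASA_CRYPTO_ACL)
    ios = parse_acl(IOS_CRYPTO_ACL, wildcard=True)
    asa_only, ios_only = crypto_acl_mismatch(asa, ios)
    return {
        "asa_crypto_pairs": len(asa),
        "ios_crypto_pairs": len(ios),
        "asa_not_mirrored": asa_only,
        "ios_not_mirrored": ios_only,
        "asa_unexempted": unexempted(asa, asa_exemption_pairs(ASA_LOCAL, ASA_REMOTE)),
        "ios_unexempted": unexempted(ios, parse_acl(IOS_NAT_ACL, action="deny", wildcard=True)),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        if isinstance(value, set):
            value = sorted(f"{s} -> {d}" for s, d in value) or "OK"
        print(f"{name}: {value}")
```

For the configurations as posted the script reports six pairs on each side, nothing unmirrored and nothing unexempted, so the NAT exemption and crypto ACLs agree with each other. The value of the check is when someone later adds a subnet on one side only: the pair shows up in one of the "not mirrored" or "unexempted" sets before the tunnel is debugged by hand with show crypto ipsec sa.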