ASA5505 Site to Site VPN and NAT with multiple local LAN Networks

Hello Cisco Community,

I hope you can provide me with your feedback and comments. :)

I'm in the middle of a pre-implementation with a Cisco ASA5505 and a Cisco 800, creating a site-to-site VPN, and now I'm having some issues separating traffic (VPN traffic and NAT traffic) on the ASA5505. Below you can find the current topology:

Local LAN (192.168.1.0/24, 10.10.12.0/24, 192.168.20.254) **ASA5505**  >>>>>>Simulating WAN 192.168.100.0/24<<<<<<<**Cisco800** Local LAN (192.168.3.0/24, 192.168.4.0/24)

After reviewing the Cisco documentation, I've not found any document that explains how to create an object-group NAT configuration and how to separate NAT traffic with object groups and VPN traffic with object groups (this configuration is for multiple local and remote networks).

The following is the current configuration on both devices, the ASA and the Cisco 800:

ASA5505 Configuration:

ASA5505C# SH RUN
: Saved
:
: Serial Number: JMX1811Z0G2
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname ASA5505C
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
names
!
interface Ethernet0/0
 switchport trunk allowed vlan 1,20
 switchport mode trunk
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address dhcp
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.100.1 255.255.255.0
!
boot system disk0:/asa923-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-local1
 subnet 192.168.1.0 255.255.255.0
object network obj-local2
 subnet 192.168.20.0 255.255.255.0
object network obj-local3
 subnet 10.10.12.0 255.255.255.0
object network remote1
 subnet 192.168.3.0 255.255.255.0
object network remote2
 subnet 192.168.4.0 255.255.255.0
object network internal-lan1
 subnet 192.168.1.0 255.255.255.0
object network internal-lan2
 subnet 192.168.20.0 255.255.255.0
object network internal-lan3
 subnet 10.10.12.0 255.255.255.0
object network internal1
 subnet 192.168.1.0 255.255.255.0
object network internal2
 subnet 192.168.20.0 255.255.255.0
object network internal3
 subnet 10.10.12.0 255.255.255.0
object network WAN
 host 192.168.100.1
object-group network LOCAL
 network-object object obj-local1
 network-object object obj-local2
 network-object object obj-local3
object-group network REMOTE
 network-object object remote1
 network-object object remote2
object-group network INTERNAL
 network-object object internal1
 network-object object internal2
 network-object object internal3
access-list 100 extended permit ip any any
access-list 121 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 121 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 121 extended permit ip 192.168.20.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 121 extended permit ip 192.168.20.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 121 extended permit ip 10.10.12.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 121 extended permit ip 10.10.12.0 255.255.255.0 192.168.4.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-732.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static WAN interface
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE
access-group 100 in interface outside
route inside 0.0.0.0 0.0.0.0 192.168.1.254 1
route inside 10.10.12.0 255.255.255.0 192.168.1.254 1
route outside 192.168.3.0 255.255.255.0 192.168.100.2 1
route outside 192.168.4.0 255.255.255.0 192.168.100.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set FirstStep esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 43200
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto map TME 1 match address 121
crypto map TME 1 set peer 192.168.100.2
crypto map TME 1 set ikev1 transform-set FirstStep
crypto map TME 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map TME interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 anyconnect-essentials
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group 192.168.100.2 type ipsec-l2l
tunnel-group 192.168.100.2 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:abf780eba2e66207e621ad45c23750b8
: end
ASA5505C#

ASA5505C# sh crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.100.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs

Cisco 800 Configuration:

Charlie_Cisco877#sh run
Building configuration...

Current configuration : 3298 bytes
!
! Last configuration change at 14:29:12 UTC Tue Jan 13 2015
! NVRAM config last updated at 14:28:27 UTC Tue Jan 13 2015
! NVRAM config last updated at 14:28:27 UTC Tue Jan 13 2015
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Charlie_Cisco877
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.151-4.M9.bin
boot-end-marker
!
!
logging buffered 4096 informational
logging console informational
!
no aaa new-model
!        
crypto pki token default removal timeout 0
!
!
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key cisco123 address 192.168.100.1
!
crypto ipsec security-association lifetime seconds 43200
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 1 ipsec-isakmp
 ! Incomplete
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.100.1
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
!
interface Loopback0
 ip address 192.168.4.1 255.255.255.255
 ip nat inside
 ip virtual-reassembly in
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 no ip address
 shutdown
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 switchport access vlan 2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 ip address 192.168.100.2 255.255.255.0
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly in
 crypto map CMAP
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface Vlan2 overload
ip route 10.10.12.0 255.255.255.0 192.168.100.1
ip route 192.168.1.0 255.255.255.0 Vlan2
ip route 192.168.20.0 255.255.255.0 Vlan2
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 10.10.12.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 10.10.12.0 0.0.0.255
!
access-list 100 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.3.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny   ip 192.168.3.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 101 permit udp host 192.168.100.1 host 192.168.100.2 eq isakmp
access-list 101 permit icmp any any
access-list 101 permit esp host 192.168.100.1 host 192.168.100.2
access-list 101 permit ip any any log
access-list 101 deny   ip any any log
!
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Charlie_Cisco877#

Charlie_Cisco877#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.100.1   192.168.100.2   QM_IDLE           2006 ACTIVE

IPv6 Crypto ISAKMP SA

Hope you can help me! :) Thanks!

1 Reply

Your NAT is nearly correct. There are just two small things:

1) What do you want to achieve with this rule and the corresponding ACL? "permit ip any any" on the outside interface is probably a bad idea. Better to configure the needed ports directly with object NAT and specific ACL lines.

nat (inside,outside) source static WAN interface

2) The NAT exemption is nearly fine. This NAT rule is typically configured with two more parameters:

nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup
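Added example, not part of the original post or of the reply above: an ASA 9.2 NAT layout for the topology in the question that answers both the poster's request (separate NAT traffic from VPN traffic using the object groups) and the two points in the reply. It keeps the VPN exemption in manual NAT (section 1) and puts the Internet PAT into object NAT (section 2), so the PAT can never shadow the exemption, and finishes with the packet-tracer checks that prove which rule each flow hits. It reuses the poster's objects obj-local1..3, LOCAL and REMOTE and crypto ACL 121; the ACL name OUTSIDE_IN, the test client 192.168.1.10 and the port numbers in the packet-tracer lines are assumptions.

```cisco
! Added example (not the poster's or the replier's config). Object names
! obj-local1..3, LOCAL, REMOTE and ACL 121 come from the posted ASA config;
! OUTSIDE_IN, host 192.168.1.10 and the ports below are assumed test values.
!
! 1) Remove the rule the reply asks about: object WAN is the outside
!    interface address itself (192.168.100.1), so a static NAT of it to
!    "interface" never matches traffic from the three LANs and does nothing
!    for them.
no nat (inside,outside) source static WAN interface
!
! 2) NAT exemption for VPN traffic. Manual NAT (section 1) is evaluated
!    before object NAT, so this must stay a manual rule. Its source/destination
!    pairs (3 local x 2 remote) must match crypto ACL 121 and the 877's
!    VPN-TRAFFIC ACL exactly (they do in the posted configs) or Phase 2 fails
!    with mismatched proxy IDs.
!    no-proxy-arp: do not answer ARP for the REMOTE subnets on outside.
!    route-lookup: choose the egress interface from the routing table rather
!    than from the NAT rule.
no nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup
!
! 3) PAT for everything else as object NAT (section 2). Because it lives in
!    a later section it cannot be ordered ahead of the exemption by accident.
object network obj-local1
 nat (inside,outside) dynamic interface
object network obj-local2
 nat (inside,outside) dynamic interface
object network obj-local3
 nat (inside,outside) dynamic interface
!
! 4) Drop "permit ip any any" on the outside interface. Decrypted VPN
!    traffic bypasses the interface ACL (sysopt connection permit-vpn is on
!    by default), return traffic for outbound connections is allowed by the
!    connection table, and IKE/ESP addressed to the ASA itself is to-the-box
!    traffic that interface ACLs do not govern, so no inbound permit is
!    needed. Add specific permit lines to OUTSIDE_IN only when a service is
!    published; the deny line keeps a log of what is dropped.
no access-group 100 in interface outside
clear configure access-list 100
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! 5) Verify. The first trace must show the exemption rule in the NAT phase
!    with an untranslated source and then the VPN encrypt phase; the second
!    must show dynamic PAT to 192.168.100.1. 192.168.100.2 is used as the
!    non-VPN destination because, with the posted default route pointing at
!    the inside interface, true Internet traffic never leaves via outside in
!    this lab.
packet-tracer input inside tcp 192.168.1.10 40000 192.168.3.10 80
packet-tracer input inside tcp 192.168.1.10 40000 192.168.100.2 22
show nat detail
show crypto ipsec sa peer 192.168.100.2
```

On the 877 side the same split already exists: access-list 100 denies the six VPN pairs and then permits 192.168.3.0/24 to any, which is the IOS equivalent of the ASA exemption. Two things visible in the posted 877 config are worth cleaning up in the same pass: the orphan entry "crypto map CMAP 1 ipsec-isakmp" (marked Incomplete, no peer or ACL) can be removed with "no crypto map CMAP 1", and in access-list 101 the "permit ip any any log" line makes the deny that follows it unreachable. Both peers currently use 3DES, MD5 and DH group 2 from the posted configs; on anything beyond a lab, move both ends to AES and SHA and a larger DH group before relying on this tunnel.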