02-04-2010 07:07 AM
Using an ASA-5505, I only have private IPs on the local LAN and one public IP address from my ISP for the peer address. Can I use that same peer IP address as a PAT or NAT for my internal local private IPs? The remote VPN location policy is to not allow private IP address on to their local network, so they want public addresses from me. If that is possible, could you please show me a simple 5505 config example using the following IPs? (I don't need the IPSec config, only the ACL/NAT config)
I have four hosts that need to access a device at the remote location via an IPSec tunnel. They are:
local hosts:
192.168.2.10, 11, 12, 13
Say my public peer address is 205.188.15.34 and the remote peer is 175.10.144.52
remote host:
168.12.10.6
thanks for any help.
02-04-2010 08:30 AM
jkeeffe wrote:
Using an ASA-5505, I only have private IPs on the local LAN and one public IP address from my ISP for the peer address. Can I use that same peer IP address as a PAT or NAT for my internal local private IPs? The remote VPN location policy is to not allow private IP address on to their local network, so they want public addresses from me. If that is possible, could you please show me a simple 5505 config example using the following IPs? (I don't need the IPSec config, only the ACL/NAT config)
I have four hosts that need to access a device at the remote location via an IPSec tunnel. They are:
local hosts:
192.168.2.10, 11, 12, 13
Say my public peer address is 205.188.15.34 and the remote peer is 175.10.144.52
remote host:
168.12.10.6
thanks for any help.
Yes you can do this.
object-group network localhosts
network-object host 192.168.2.10
network-object host 192.168.2.11
etc..
access-list VPN permit ip object-group localhosts host 168.12.10.6
nat (inside) 1 access-list VPN
global (outside) 1 interface
crypto-map access-list would then look like this -
access-list VPNTRAFFIC permit ip host 205.188.15.34 host 168.12.10.6
One thing to note. The NAT example above is policy NAT, i.e. if the source is 192.168.2.10 -> 13 and the destination is 168.12.10.6 then NAT the source to the public IP 205.188.15.34. However you may already have something like this in your config -
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
i.e. you are natting all your private addresses to the public interface address for general internet access. If you do have this then there is no need to do policy NAT and you could miss out these lines as the source addresses will be Natted anyway -
object-group network localhosts
network-object host 192.168.2.10
network-object host 192.168.2.11
etc..
access-list VPN permit ip object-group localhosts host 168.12.10.6
nat (inside) 1 access-list VPN
global (outside) 1 interface
Jon
02-04-2010 09:06 AM
I have one other VPN connection through this ASA. Will your example plug right into what is already there? Here is the other VPN config:
crypto isakmp identity address
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
exit
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
sysopt connection permit-ipsec
tunnel-group 218.151.3.111 type ipsec-l2l
tunnel-group 218.151.3.111 ipsec-attributes
pre-shared-key xxxxxxxxx
isakmp keepalive disable
exit
access-list IMAGE extended permit ip host 10.12.203.3 160.14.0.0 255.255.0.0
access-list NAT1 extended permit ip host 192.168.2.10 160.14.0.0 255.255.0.0
static (inside,outside) 10.12.203.3 access-list NAT1 0 0
crypto map outside1_map 20 match address IMAGE
crypto map outside1_map 20 set peer 218.151.3.111
crypto map outside1_map 20 set transform-set ESP-3DES-MD5
crypto map outside1_map 20 set security-association lifetime seconds 3600
02-04-2010 09:19 AM
jkeeffe wrote:
I have one other VPN connection through this ASA. Will your example plug right into what is already there? Here is the other VPN config:
crypto isakmp identity address
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
exit
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
sysopt connection permit-ipsec
tunnel-group 218.151.3.111 type ipsec-l2l
tunnel-group 218.151.3.111 ipsec-attributes
pre-shared-key xxxxxxxxx
isakmp keepalive disable
exit
access-list IMAGE extended permit ip host 10.12.203.3 160.14.0.0 255.255.0.0
access-list NAT1 extended permit ip host 192.168.2.10 160.14.0.0 255.255.0.0
static (inside,outside) 10.12.203.3 access-list NAT1 0 0
crypto map outside1_map 20 match address IMAGE
crypto map outside1_map 20 set peer 218.151.3.111
crypto map outside1_map 20 set transform-set ESP-3DES-MD5
crypto map outside1_map 20 set security-association lifetime seconds 3600
The 2 should not conflict with each other as each has a separate crypto map access-list so you should be okay.
Jon
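The two answers above rest on one ordering rule: on this (pre-8.3 syntax) ASA the NAT lookup runs before the crypto map ACL check for outbound traffic, so the crypto ACL must name the post-NAT address (205.188.15.34, or 10.12.203.3 for the existing IMAGE tunnel), and two tunnels stay apart because their crypto ACLs match different translated address pairs. The following Python script is an added illustration of that lookup order, not code from the thread or from Cisco. It models the rules from both posts (the NAT1 static, the policy NAT to the interface address, the catch-all `nat (inside) 1 0.0.0.0 0.0.0.0`, and the two crypto map entries) and evaluates a few constructed flows through them. The sequence number 30 for the new tunnel and the test destination 160.14.1.1 are assumptions; the ASA's real NAT engine has more rule classes than this simplified first-match model.

```python
"""Simplified model of the ASA outbound lookup: NAT first, crypto map second.

Added example for the thread above; not Cisco code and not the poster's
configuration. Sample addresses are taken from the thread; the crypto map
sequence number 30 and the 160.14.1.1 test host are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' line of an ASA access-list.
    src/dst are host addresses or CIDR prefixes."""
    src: str
    dst: str

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in ip_network(self.src) and dst in ip_network(self.dst)


@dataclass(frozen=True)
class NatRule:
    """Translate the source to `to` when any ACE matches.
    An empty acl models the catch-all 'nat (inside) 1 0.0.0.0 0.0.0.0'."""
    name: str
    to: str
    acl: tuple[Ace, ...] = ()

    def applies(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return not self.acl or any(a.matches(src, dst) for a in self.acl)


@dataclass(frozen=True)
class CryptoEntry:
    seq: int
    peer: str
    acl: tuple[Ace, ...]


def translate(src: IPv4Address, dst: IPv4Address, rules):
    """First matching NAT rule wins. Policy NAT rules are listed before the
    catch-all, mirroring the ASA's policy-NAT-before-regular-NAT order."""
    for r in rules:
        if r.applies(src, dst):
            return IPv4Address(r.to), r.name
    return src, None


def select_crypto_entry(src: IPv4Address, dst: IPv4Address, crypto_map):
    """Crypto map entries are tried in sequence order against the post-NAT
    addresses; the first ACL hit selects the peer."""
    for e in sorted(crypto_map, key=lambda e: e.seq):
        if any(a.matches(src, dst) for a in e.acl):
            return e
    return None


def route_flow(src: str, dst: str, rules, crypto_map) -> dict:
    """Return how an inside->outside flow would be translated and which
    crypto map entry (if any) would carry it."""
    s, d = ip_address(src), ip_address(dst)
    nat_src, rule = translate(s, d, rules)
    entry = select_crypto_entry(nat_src, d, crypto_map)
    return {"nat_src": str(nat_src), "nat_rule": rule,
            "peer": entry.peer if entry else None,
            "seq": entry.seq if entry else None}


# Constructed from the thread: the four local hosts to the remote host.
LOCALHOSTS = tuple(Ace(f"192.168.2.{h}", "168.12.10.6") for h in (10, 11, 12, 13))

NAT_RULES = (
    # existing tunnel: static (inside,outside) 10.12.203.3 access-list NAT1
    NatRule("static NAT1", "10.12.203.3", (Ace("192.168.2.10", "160.14.0.0/16"),)),
    # Jon's policy NAT: nat (inside) 1 access-list VPN + global (outside) 1 interface
    NatRule("nat 1 access-list VPN", "205.188.15.34", LOCALHOSTS),
    # general PAT for internet access: nat (inside) 1 0.0.0.0 0.0.0.0
    NatRule("nat 1 0.0.0.0 0.0.0.0", "205.188.15.34"),
)

CRYPTO_MAP = (
    CryptoEntry(20, "218.151.3.111", (Ace("10.12.203.3", "160.14.0.0/16"),)),
    # seq 30 is assumed; the ACL is Jon's VPNTRAFFIC line
    CryptoEntry(30, "175.10.144.52", (Ace("205.188.15.34", "168.12.10.6"),)),
)


if __name__ == "__main__":
    for src, dst in (("192.168.2.10", "168.12.10.6"),
                     ("192.168.2.10", "160.14.1.1"),
                     ("192.168.2.50", "168.12.10.6")):
        print(src, "->", dst, route_flow(src, dst, NAT_RULES, CRYPTO_MAP))
```

The third sample flow is the caveat worth keeping in mind: once the catch-all PAT translates every inside host to 205.188.15.34, the VPNTRAFFIC ACL can no longer tell 192.168.2.50 from the four intended hosts, so any inside host reaching 168.12.10.6 is sent into the tunnel. If only those four hosts should use it, that restriction has to be enforced before NAT (for example on the inside interface ACL), not in the crypto ACL.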