Cisco Asa vpn site to site with nat

fredericmoitie
Level 1

Hi all,

I need help.
I want to make a site-to-site VPN with NAT.
Site A = 10.0.0.0/24
Site B = 10.1.252.0/24

I would like site A, when it goes to site B, to go out with the IP 172.26.0.0/24.

Here is my setup:

access-list inside_nat_outbound extended permit ip 10.0.0.0 255.255.255.0 10.1.252.0 255.255.255.0

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
  pre-shared-key !!!!!!!!
  isakmp keepalive threshold 10 retry 2

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 2 match address inside_nat_outbound
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set ESP-AES-256-SHA

nat (inside) 10 access-list inside_nat_outbound
global (outside) 10 172.26.0.1-172.26.0.254

but it doesn't work.

Can you help me?

Regards

Frederic

Accepted Solution

You need to make sure that there's no NAT 0 ACL statement because it will take precedence over the static NAT.

You don't need:

global (outside) 10 172.26.0.1-172.26.0.254

nat (inside) 10 access-list nattoyr

Because it is going to be replaced with the static NAT.

In short just have:

access-list nattoyr extended permit ip 10.0.0.0 255.255.255.0 10.1.252.0 255.255.255.0

access-list vpntoyr extended permit ip 172.26.0.0 255.255.255.0 10.1.252.0 255.255.255.0

static (inside,outside) 172.26.0.0  access-list nattoyr

crypto map outside_map 2 match address vpntoyr

crypto map outside_map 2 set pfs group5

crypto map outside_map 2 set peer "public ip"

crypto map outside_map 2 set transform-set ESP-AES-256-SHA

crypto map outside_map interface outside

tunnel-group "public ip" type ipsec-l2l

tunnel-group "public ip" ipsec-attributes

pre-shared-key *****

- Make sure there's no NAT 0 ACL including the above statements, and check if NAT is happening (sh xlate) and the traffic is being encrypted (sh cry ips sa)

Federico.
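
To show why a leftover NAT 0 entry breaks this design, here is an added Python model (not from the thread or from Cisco) of the pre-8.3 ASA ordering the answer relies on: NAT exemption is evaluated before static policy NAT, and the crypto map ACL is then matched against the translated source. The ACLs are the ones from the accepted answer; the host addresses are constructed.

```python
# Added example (not from the thread): models the pre-8.3 ASA order of
# operations. "nat 0 access-list" (NAT exemption) is checked before static
# policy NAT, and the crypto map ACL sees the *translated* source address.
# ACLs are the thread's own; the sample hosts below are constructed.
from ipaddress import ip_address, ip_network

# (source, destination) pairs exactly as the ASA ACLs express them
NATTOYR = (ip_network("10.0.0.0/24"), ip_network("10.1.252.0/24"))   # static policy NAT ACL
VPNTOYR = (ip_network("172.26.0.0/24"), ip_network("10.1.252.0/24"))  # crypto map ACL
STATIC_MAPPED = ip_network("172.26.0.0/24")                           # static (inside,outside) 172.26.0.0

def acl_matches(acl, src, dst):
    """True when the flow falls inside the ACL's source/destination pair."""
    return src in acl[0] and dst in acl[1]

def translate(src, dst, nat0_acl=None):
    """Return the post-NAT source. A matching NAT 0 ACL wins over the static."""
    if nat0_acl and acl_matches(nat0_acl, src, dst):
        return src                      # NAT exemption: address left untouched
    if acl_matches(NATTOYR, src, dst):
        # static policy NAT maps the real /24 onto 172.26.0.0/24 one-to-one
        offset = int(src) - int(NATTOYR[0].network_address)
        return STATIC_MAPPED.network_address + offset
    return src                          # no NAT rule matched

def is_encrypted(src, dst, nat0_acl=None):
    """The crypto ACL is checked after NAT, so it must name the mapped address."""
    return acl_matches(VPNTOYR, translate(src, dst, nat0_acl), dst)

def check_flow(src_str, dst_str, nat0_present):
    """Return (post-NAT source, goes-into-tunnel) for one flow."""
    src, dst = ip_address(src_str), ip_address(dst_str)
    nat0 = NATTOYR if nat0_present else None   # a NAT 0 ACL covering the same flows
    return str(translate(src, dst, nat0)), is_encrypted(src, dst, nat0)

if __name__ == "__main__":
    print(check_flow("10.0.0.5", "10.1.252.10", nat0_present=False))  # translated, encrypted
    print(check_flow("10.0.0.5", "10.1.252.10", nat0_present=True))   # exempt, leaves in clear
```

With the NAT 0 entry present the packet keeps its 10.0.0.x source, never matches vpntoyr, and is routed instead of encrypted, which is what "sh xlate" and "sh cry ips sa" would reveal.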


6 Replies

Hi,

Let's say we're going to translate Site A to 172.26.0.0/24 and Site B to 172.26.1.0/24

Site A:
access-list NAT permit ip 10.0.0.0 255.255.255.0 172.26.1.0 255.255.255.0
static (in,out) 172.26.0.0 access-list NAT
access-list VPN permit ip 172.26.0.0 255.255.255.0 172.26.1.0 255.255.255.0

Site B:
access-list NAT permit ip 10.1.252.0 255.255.255.0 172.26.0.0 255.255.255.0
static (in,out) 172.26.1.0 access-list NAT
access-list VPN permit ip 172.26.1.0 255.255.255.0 172.26.0.0 255.255.255.0

The ACL VPN is the ACL applied to the crypto map.

Hope it helps.

Federico.

Hi,

Thanks for your reply. I changed nat and static but it doesn't work.

So on site B no NAT is needed (because it is not my firewall).

On site B the VPN was built with 10.1.252.0/24 (real inside IP) to 172.26.0.0/24 (NAT IP on site A).

Config on site A now:

access-list nattoyr extended permit ip 10.0.0.0 255.255.255.0 10.1.252.0 255.255.255.0
access-list vpntoyr extended permit ip 172.26.0.0 255.255.255.0 10.1.252.0 255.255.255.0

global (outside) 10 172.26.0.1-172.26.0.254
nat (inside) 10 access-list nattoyr
static (inside,outside) 172.26.0.0 access-list nattoyr

crypto map outside_map 2 match address vpntoyr
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer "public ip"
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside

tunnel-group "public ip" type ipsec-l2l
tunnel-group "public ip" ipsec-attributes
  pre-shared-key *****

Do you see where I have an error?

Regards

Frederic


Hi Federico,

I deleted nat and global

and it works.

Many thanks for your help.

Regards

Frederic

Glad it worked :-)

Please consider rating the thread and mark it as answered if you find it helpful.

Cheers!

Federico.

I have tried the suggested above with no luck.  My scenario may be a bit different so that is why it is not working.  We have a site to site vpn that does not go across the public internet.  It is basically going over a layer 2 vlan from site A to site B.  The site to site tunnel is up and working.  I can ping both ways to hosts.  We need to do a NAT so site A sees site B as its network.  There are only 2 hosts on site B side. 

I removed the Nat 0 statement and tried the below static nat statement.  I am unable to ping from site A to site B as (ex. pinging 10.207.1.232 from site A where the host at site B is 10.207.2.232).

Site A - 10.207.1.x

Site B - 10.207.2.x

Outside A - 192.168.207.1/30

Outside B - 192.168.207.2/30

access-list outside_1_cryptomap extended permit ip 10.207.2.0 255.255.255.0 10.207.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.207.2.0 255.255.255.0 10.207.1.0 255.255.255.0

nat static (inside, outside) 10.207.2.0 inside_nat0_outbound

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.207.1
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside

Thanks for any insight!