02-14-2012 02:46 PM
In looking for examples for this type of info, the only thing close to what we want to do is this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml
We have a new third-party company that needs access to our main site and the other VPN site. We want to NAT the third-party company's IPs (Belgium).
Below are the configurations that we think are working.
The configuration allows for Belgium to initiate communication.
Hub(config)# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname NEC-Hub
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.83.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit intra-interface
access-list retail extended permit ip 172.16.83.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list belgium extended permit ip 172.16.83.0 255.255.255.0 192.168.42.0 255.255.255.248
access-list belgium extended permit ip 172.16.1.0 255.255.255.0 192.168.42.0 255.255.255.248
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 2 172.16.83.100-172.16.83.150
global (outside) 1 interface
nat (inside) 0 access-list retail
nat (outside) 2 192.168.42.0 255.255.255.248
route outside 0.0.0.0 0.0.0.0 x.x.54.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
crypto ipsec transform-set aes256 esp-aes esp-sha-hmac
crypto map outside_map 3 match address retail
crypto map outside_map 3 set peer x.x.54.158
crypto map outside_map 3 set transform-set aes128
crypto map outside_map 4 match address belgium
crypto map outside_map 4 set peer x.x.54.157
crypto map outside_map 4 set transform-set aes256
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 10000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
username dberry password j1w0Nw.TRRF.yJBG encrypted privilege 15
username cits password apnB12ZmUe8JqSD4 encrypted privilege 15
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group x.x.54.158 type ipsec-l2l
tunnel-group x.x.54.158 ipsec-attributes
pre-shared-key *
tunnel-group x.x.54.157 type ipsec-l2l
tunnel-group x.x.54.157 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:618f483d3a1e23eab56ba4a78acf2508
: end
Belgium(config)# sh run
: Saved
:
ASA Version 7.2(3)
!
hostname Belgium
domain-name necam.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.42.1 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.54.157 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name necam.com
access-list nec_hawaii extended permit ip 192.168.42.0 255.255.255.248 172.16.83.0 255.255.255.0
access-list nec_hawaii extended permit ip 192.168.42.0 255.255.255.248 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nec_hawaii
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.54.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 1.1.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
crypto map necmap 1 match address nec_hawaii
crypto map necmap 1 set peer x.x.54.138
crypto map necmap 1 set transform-set aes128
crypto map necmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
tunnel-group x.x.54.138 type ipsec-l2l
tunnel-group x.x.54.138 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:870af263e897d109ab569c6f08e0632a
: end
HawaiiRet(config)# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname HawaiiRet
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.54.158 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list nec extended permit ip 172.16.1.0 255.255.255.0 172.16.83.0 255.255.255.0
access-list nec extended permit ip 172.16.1.0 255.255.255.0 192.168.42.0 255.255.255.248
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nec
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.54.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map necmap 1 match address nec
crypto map necmap 1 set peer x.x.54.138
crypto map necmap 1 set transform-set aes128
crypto map necmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group x.x.54.138 type ipsec-l2l
tunnel-group x.x.54.138 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:c890fe9ee21aa68e16549947783b0d83
: end
02-14-2012 06:37 PM
Whichever ASA is the hub, you're missing the ACL that allows one remote network to talk to the other remote network. It looks like you're allowing it one way.
For example:
access-list belgium extended permit ip 172.16.83.0 255.255.255.0 192.168.42.0 255.255.255.248
access-list belgium extended permit ip 172.16.1.0 255.255.255.0 192.168.42.0 255.255.255.248
access-list belgium extended permit ip 192.168.42.0 255.255.255.248 172.16.1.0 255.255.255.0
This may work for you, but I've never seen anyone match an access list in a crypto map with the same nat 0 ACL. If it works, that's pretty cool. Otherwise, you should have separate ACLs.
Good luck
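The mirror check the reply is describing, written out as an added example (this script is not part of the thread and is not Cisco's tooling): it parses the crypto ACL lines from the three sh run outputs above, copied here as constructed sample input, pairs each hub ACL with the spoke ACL it peers with according to the crypto map entries on the page (retail with HawaiiRet's nec, belgium with Belgium's nec_hawaii), and lists the access-list entries each side still needs so that every (src, dst) on one peer has an exact (dst, src) counterpart on the other. It only understands the permit ip <net> <mask> <net> <mask> form used in this thread; host, any and object forms are out of scope.

```python
import ipaddress
import re

# Constructed sample input: the crypto / nat 0 ACL lines copied from the three
# "sh run" outputs in the thread (Hub, Belgium, HawaiiRet). Everything else in
# those configs is irrelevant to the mirror check and is omitted.
HUB_CONFIG = """
access-list retail extended permit ip 172.16.83.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list belgium extended permit ip 172.16.83.0 255.255.255.0 192.168.42.0 255.255.255.248
access-list belgium extended permit ip 172.16.1.0 255.255.255.0 192.168.42.0 255.255.255.248
"""

BELGIUM_CONFIG = """
access-list nec_hawaii extended permit ip 192.168.42.0 255.255.255.248 172.16.83.0 255.255.255.0
access-list nec_hawaii extended permit ip 192.168.42.0 255.255.255.248 172.16.1.0 255.255.255.0
"""

HAWAII_CONFIG = """
access-list nec extended permit ip 172.16.1.0 255.255.255.0 172.16.83.0 255.255.255.0
access-list nec extended permit ip 172.16.1.0 255.255.255.0 192.168.42.0 255.255.255.248
"""

# Assumption: only the "permit ip <net> <mask> <net> <mask>" form from the
# thread is parsed; host/any/object forms are ignored by this check.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_acls(config_text):
    """Map ACL name -> ordered list of (src_network, dst_network) entries."""
    acls = {}
    for raw in config_text.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        # ipaddress accepts the dotted-netmask form the ASA prints.
        src_net = ipaddress.ip_network(f"{src}/{smask}")
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}")
        acls.setdefault(name, []).append((src_net, dst_net))
    return acls


def ace_line(acl_name, src_net, dst_net):
    """Render an entry back in ASA 7.x/8.2 access-list syntax."""
    return (f"access-list {acl_name} extended permit ip "
            f"{src_net.network_address} {src_net.netmask} "
            f"{dst_net.network_address} {dst_net.netmask}")


def missing_mirrors(local_name, local_entries, remote_entries):
    """Entries the local crypto ACL needs so that every remote (src, dst)
    has an exact (dst, src) counterpart on this side."""
    local = set(local_entries)
    return [ace_line(local_name, d, s)
            for (s, d) in remote_entries if (d, s) not in local]


def audit_pair(hub_text, spoke_text, hub_acl, spoke_acl):
    """Check one crypto-map peering: the hub ACL named hub_acl and the spoke
    ACL named spoke_acl must be exact mirrors of each other."""
    hub = parse_acls(hub_text).get(hub_acl, [])
    spoke = parse_acls(spoke_text).get(spoke_acl, [])
    return {
        "hub_missing": missing_mirrors(hub_acl, hub, spoke),
        "spoke_missing": missing_mirrors(spoke_acl, spoke, hub),
    }


if __name__ == "__main__":
    # Pairings follow the crypto map entries in the thread: hub seq 3 (retail)
    # peers with HawaiiRet (nec); hub seq 4 (belgium) peers with Belgium (nec_hawaii).
    for hub_acl, spoke_text, spoke_acl in (("retail", HAWAII_CONFIG, "nec"),
                                           ("belgium", BELGIUM_CONFIG, "nec_hawaii")):
        result = audit_pair(HUB_CONFIG, spoke_text, hub_acl, spoke_acl)
        for side, lines in result.items():
            for line in lines:
                print(f"{side}: add  {line}")
```

Run against the thread's configs, the belgium / nec_hawaii pair comes back clean, while the retail / nec pair reports that the hub's retail ACL has no mirror for HawaiiRet's 172.16.1.0/24 to 192.168.42.0/29 entry, which is the one-way gap the reply points out: the spoke already selects that traffic for the tunnel, but the hub never selects the return direction toward HawaiiRet.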