Re: how to configure NAT-T and Ipsec site-site VPN

caojunjie · ‎06-10-2011

10.80.128.0---------ASA5200:192.168.1.2---------------------PAT firewall 7800-----------100.100.100.100:ASA5200----10.80.192.0

Hi,pls check this diagram and configuration,is there something wrong

1:I need 10.80.128.0---10.80.192.0 connect via ipsec

2:192.168.1.1 is pat to 100.100.100.99 in PAT firewall 7800

here is my configuration and need expert to answer some question

access-list 101 extended permit ip 10.80.128.0 255.255.192.0 10.80.192.0 255.255.192.0

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp key cjj198411 address 1.1.1.1

crypto ipsec transform-set SET esp-md5-hmac esp-des

crypto map VPN 10 match address 101
crypto map VPN 10 set peer 1.1.1.1
crypto map VPN 10 set transform-set SET

sjvpvpnASA(config)# interface GigabitEthernet 0/1
sjvpvpnASA(config-if)# crypto map VPN

1:in crypto map VPN 10,how does it map to the crypto isakmp policy?

2:how does NAT-T work? configure NAT-T in PAT firewall 7800 or ASA?

and how ?

thanks very much

caojunjie · ‎06-10-2011

1:how NAT-T affect the two phase (main mode and quick mode) in negotiation ?

2:how the NAT-T(udp 4500) affect the data plane when there is traffic

it is better if someone can can me a diagram of the traffic to explain this

I appreciate this very much

3:there is 10 in cry map VPN 10 and crypto isakmp policy 10,do they have some connection with each other

caojunjie · ‎06-10-2011

the current version is as below,should I upgrade it?

sjvpvpnASA(config)# show version

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)

Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"

sjvpvpnASA up 35 days 5 hours

Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is 0014.6a21.ba82, irq 9
1: Ext: GigabitEthernet0/1 : address is 0014.6a21.ba83, irq 9
2: Ext: GigabitEthernet0/2 : address is 0014.6a21.ba84, irq 9
3: Ext: GigabitEthernet0/3 : address is 0014.6a21.ba85, irq 9
4: Ext: Management0/0       : address is 0014.6a21.ba81, irq 11
5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
6: Int: Not used            : irq 5
7: Ext: GigabitEthernet1/0 : address is 001a.e268.5e81, irq 255
8: Ext: GigabitEthernet1/1 : address is 001a.e268.5e82, irq 255
9: Ext: GigabitEthernet1/2 : address is 001a.e268.5e83, irq 255
10: Ext: GigabitEthernet1/3 : address is 001a.e268.5e84, irq 255
11: Int: Internal-Data1/0    : address is 0000.0003.0002, irq 255

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs                : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 750
WebVPN Peers                 : 25
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX1001K0G0
Running Activation Key: 0x6031e67c 0x44029cc6 0x78b3711c 0x811c1c84 0x0c2904a8
Configuration register is 0x1

mohankumarm · ‎06-10-2011

Hi Junjie,

To the best of my knowledge the current ASA version is 8.4 and supports IKEv2. I am not sure if there are any specific issues with your current running version 8.0(4), but please be aware that 8.3 onwards the NAT rules configuration is "object oriented" rather than the usual "inside" and global (nat) commands that everybody is familiar with. Please confirm if you need an upgrade at all!

For the IPsec configuration, your configuration looks more like applying in a IOS router than a firewall.

1. There is no relation per se to the crypto isakmp policy number and the crypto map Number, so this can be 1,10 or 2,20 etc respectively.

2. the crypto map isakmp key command is actually under a tunnel group that you need set up for L2L and ipsec attributes, so entering this old type of command on new ASA versions will automatically put you into tunnel group configurations and the "crypto isakmp key" config disappears

3. On ASA you enable crypto map not under the interface but apply both crypto policy and crypto map on generally "ASA outside interfaces" unlike what you have configured like a router.

4. Please keep encryption and hash on the crypto isakmp policies and transform sets the same.

In the above configs, you have encryption as 3des and hash as md5 in the policy, whereas its des and md5 on the transform set

5. NAT-Traversal is a feature that lets you implement IPsec over a NAT firewall. This is available with 1:1 NAT only on the firewall, but not sure if it works with PAT. Can you confirm where your VPN policies are implemented at the remote end? is it on the firewall or on the 10.80.192.0 ASA private network. I think you may have to allow UDP 500,4500 and ESP (50) on the firewall for this to work. I am having a similar issue which is not resolved for similar type of network but 1:1 NAT.

caojunjie · ‎06-10-2011

can u give me an example of configuration refred to my case

it is a simple one

I think

yes,I copy this from a IOS ,so it looks like a router configuration

caojunjie · ‎06-22-2011

Can someone give me a copy of standard configuration in ASA