IPSEC site to site vpn with NAT on one of the tunnel endpoints

siddiqirf
Level 1

Hi All

I am having problems with an L2L IPsec VPN, as the tunnel is not initiating at all... I have an ASA on the A-end and a PIX on the B-end. The ASA on the A-end is also doing NAT of both source and destination, and it is also the tunnel endpoint.

The topology is like this. Note that the LAN addresses specified are not directly connected but are behind the ASA and PIX:

(10.1.1.0/24) ----- --A-end - (ASA)--------------------------- INTERNET -------------------- B-end PIX ---- (10.20.20.0/24)

NAT ON ASA -

10.1.1.1/32 (server) NAT'ed to 80.2.2.2/32 - so the B-end sees this server as the 80.2.2.2 address

10.2.2.0/24 NAT to 10.20.20.0/24 - so the A-end sees the B-end subnet as 10.2.2.0/24

The problem is that the tunnel is not even initiating... I have attached the configs...

A-end ASA

ASA Version 7.2(3)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 90.1.1.1 255.255.255.128 standby 90.1.1.2
!
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 80.1.1.1 255.255.255.128 standby 80.1.1.2
access-list proxy_acl extended permit ip host 80.2.2.2 10.20.10.32 10.20.20.0 255.255.255.0
access-list proxy_acl extended permit ip 10.20.20.0 255.255.255.0 80.2.2.2 255.255.255.255
access-list outside extended permit icmp any any
access-list outside extended permit esp any any
access-list outside extended permit udp any any eq isakmp
access-list inside extended permit ip any any
access-list policy-nat-1 extended permit ip 10.0.0.0 255.0.0.0 any
access-list policy-nat-1 extended permit ip 172.16.0.0 255.240.0.0 any
global (outside) 1 100.1.1.1
nat (inside) 1 access-list policy-nat-1
static (inside,outside) 80.2.2.2 10.1.1.1 netmask 255.255.255.255
static (outside,inside) 10.2.2.0 10.20.20.0 netmask 255.255.255.0
access-group inside in interface inside
access-group outside in interface outside
route inside 172.16.0.0 255.240.0.0 90.1.1.5
route inside 10.0.0.0 255.0.0.0 90.1.1.5
route outside 0.0.0.0 0.0.0.0 80.1.1.5
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map CRY-MAP 10 match address proxy_acl
crypto map CRY-MAP 10 set peer 60.1.1.1
crypto map CRY-MAP 10 set transform-set ESP-3DES-SHA
crypto map CRY-MAP 10 set security-association lifetime seconds 28800
crypto map CRY-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
!
tunnel-group 60.1.1.1 type ipsec-l2l
tunnel-group 60.1.1.1 ipsec-attributes
 pre-shared-key *

B-end PIX

access-list proxy-acl permit ip 10.20.20.0 255.255.255.0 8.2.2.2 255.255.255.255
access-list no_nat permit ip 10.20.20.0 255.255.255.0 8.2.2.2 255.255.255.255
nat (data) 0 access-list no_nat
crypto ipsec transform-set 3dessha1 esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address proxy-acl
crypto map vpn 10 set peer 80.1.1.1
crypto map vpn 10 set transform-set 3dessha1
crypto map vpn interface outside
isakmp key ******** address 80.1.1.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

1 Reply

sibgathullah
Level 1

Make sure the configuration you do on both sides is the same... and secondly, exempt the NAT rules; only then will it work.
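An added check for the first point in the reply (my own code, not from either poster or from Cisco): it parses the `permit ip` entries of both crypto ACLs and reports every entry that has no mirror image (source and destination swapped) on the peer, plus any line that does not parse as a clean SRC DST pair. The input lines are the proxy ACLs from the two configs posted above; the function names `parse_entry` and `check_mirror` are mine, and the NAT-exemption half of the advice is not covered here.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Crypto ACL lines copied from the two configs posted above (ASA proxy_acl, PIX proxy-acl).
ASA_ACL = [
    "access-list proxy_acl extended permit ip host 80.2.2.2 10.20.10.32 10.20.20.0 255.255.255.0",
    "access-list proxy_acl extended permit ip 10.20.20.0 255.255.255.0 80.2.2.2 255.255.255.255",
]
PIX_ACL = ["access-list proxy-acl permit ip 10.20.20.0 255.255.255.0 8.2.2.2 255.255.255.255"]

def _take_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec ('any', 'host A' or 'A MASK') at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # A non-contiguous mask makes ip_network raise ValueError; parse_entry reports that as malformed.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_entry(line: str) -> Optional[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]:
    """Return (src, dst) for a 'permit ip SRC DST' line, or None when the line does not parse cleanly."""
    tokens = line.split()
    try:
        i = tokens.index("ip", tokens.index("permit")) + 1  # only 'permit ip' entries are handled
        src, i = _take_addr(tokens, i)
        dst, i = _take_addr(tokens, i)
        return (src, dst) if i == len(tokens) else None  # leftover tokens: not a clean SRC DST pair
    except (ValueError, IndexError):
        return None

def check_mirror(local_lines: List[str], peer_lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Every (src, dst) on one side must appear as (dst, src) on the other; report what does not."""
    report: Dict[str, List[Tuple[str, str]]] = {"malformed": [], "unmirrored": []}
    tables: Dict[str, dict] = {"local": {}, "peer": {}}
    for side, lines in (("local", local_lines), ("peer", peer_lines)):
        for line in lines:
            entry = parse_entry(line)
            if entry is None:
                report["malformed"].append((side, line))
            else:
                tables[side][entry] = line
    for side, other in (("local", "peer"), ("peer", "local")):
        for (src, dst), line in tables[side].items():
            if (dst, src) not in tables[other]:
                report["unmirrored"].append((side, line))
    return report

if __name__ == "__main__":
    print(check_mirror(ASA_ACL, PIX_ACL))
```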
