Solved: IPsec site to site VPN with PAT through tunnel configuration example

2colin-cant · ‎09-17-2010

Hi,

as i read a lot regarding vpn site-2-site connections
and having to PAT through it i still have not found a configuration example for it on e ASA 55xx.

now i've got following setup with two sites A and B.

192.168.0.0/24 Site A ---------ipsec----------Site B 192.168.200.0/24
172.16.16.0/24 Site A

---------------------------------------------------------------------------

Host 192.168.0.4 --> PATed to IP: 192.168.0.3 -> to 192.168.200.20
Host 192.168.0.127 --> PATed to IP: 192.168.0.3 -> to 192.168.200.20
Host 192.168.0.129 --> PATed to IP: 192.168.0.3 -> to 192.168.200.20
Host 192.168.0.253 --> PATed to IP: 192.168.0.3 -> to 192.168.200.20

Host 172.16.16.127 --> PATed to IP: 192.168.0.3 -> to 192.168.200.20
Host 172.16.16.253 --> PATed to IP: 192.168.0.3 -> to 192.168.200.20

---------------------------------------------------------------------------

Now as i've got hosts around within the networks 172.16.16.0 as well as 192.168.0.0,
witch need to access a terminal server over at SITE B.

As i have no influence regarding where and when does hosts pop up in my Site A,
i would like to hide them behind one single ip address toward the SITE B.

So in the event that a new hosts need access, or old hosts can be deleted,
its as easy as adding/deleting the ACL entry or more conviniently the network object.

so i guess the acl looks something like this:

---------------------------------------------------------------------------

access-list VPN-PATED-HOSTS permit ip host 192.168.0.4 host 192.168.200.20
access-list VPN-PATED-HOSTS permit ip host 192.168.0.127 host 192.168.200.20
access-list VPN-PATED-HOSTS permit ip host 192.168.0.129 host 192.168.200.20
access-list VPN-PATED-HOSTS permit ip host 192.168.0.253 host 192.168.200.20
access-list VPN-PATED-HOSTS permit ip host 172.16.16.127 host 192.168.200.20
access-list VPN-PATED-HOSTS permit ip host 172.16.16.253 host 192.168.200.20

---------------------------------------------------------------------------

But, now my big question is, how do i tell the asa to use: 192.168.0.3 as the
address for the PAT translation?

something like this will tell it, it has to be handled according by the policy:

nat (inside) 1 access-list VPN-PATED-HOSTS

Now how do i do that?
The rest of the config i guess will be quite normal as follows:

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer AA.BB.CC.DD
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600

access-list outside_1_cryptomap extended permit ip host 192.168.0.3 host 192.168.200.20

---------------------------------------------------------------------------

On SITE B

the config is pretty straight forward:

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer SITE A IP
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600

access-list outside_1_cryptomap extended permit ip host 192.168.200.20 host 192.168.0.3

access-list inside_nat0_outbound extended permit ip host 192.168.200.20 host 192.168.0.3

---------------------------------------------------------------------------

thank you for youre additional eyes and precious time!

Colin

Federico Coto Fajardo · ‎09-17-2010

You want to PAT the traffic that will go through the tunnel?

access-list PAT permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list PAT permit ip 172.16.16.0 255.255.255.0 192.168.200.0 255.255.255.0

nat (inside) 1 access-list PAT

global (outside) 1 192.168.0.3 255.255.255.255

Then the VPN ACL applied to the crypto map:

access-list vpn permit ip host 192.168.0.3 192.168.200.0 255.255.255.0

So, all traffic from Site A will be PATed when going to remote 192.168.200.0/24

The interesting thing is that traffic can only be initiated from your end.

The remote end cannot initiate traffic to 192.168.0.3 if there's not a dynamic translation build on your side.

Is this what you're looking for?

Federico.

View solution in original post

Federico Coto Fajardo · ‎09-17-2010

You want to PAT the traffic that will go through the tunnel?

access-list PAT permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list PAT permit ip 172.16.16.0 255.255.255.0 192.168.200.0 255.255.255.0

nat (inside) 1 access-list PAT

global (outside) 1 192.168.0.3 255.255.255.255

Then the VPN ACL applied to the crypto map:

access-list vpn permit ip host 192.168.0.3 192.168.200.0 255.255.255.0

So, all traffic from Site A will be PATed when going to remote 192.168.200.0/24

The interesting thing is that traffic can only be initiated from your end.

The remote end cannot initiate traffic to 192.168.0.3 if there's not a dynamic translation build on your side.

Is this what you're looking for?

Federico.

2colin-cant · ‎09-18-2010

Hi federico,

exactly, ive got 172.16.16.0 and 192.168.0.0 networks witch need to be hidden behind 192.168.0.3 witch i want to use in order to communicate through the tunnel to the terminal server at 192.168.200.20 on the other side.

as my config looks like this at the moment, there is no traffic flowing through, my guess its a nat issue.

The tunnel itself is up as it looks of the isakmp output.

here's my current, NOT working config:

access-list VPN-TUNNEL-PAT extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list VPN-TUNNEL-PAT extended permit ip 172.16.16.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip host 192.168.0.3 192.168.200.0 255.255.255.0

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer X.XX.XX.XX
crypto map outside_map 1 set transform-set ESP-AES-128-SHA

nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 1 access-list VPN-TUNNEL-PAT

global (outside) 1 interface
global (outside) 1 192.168.0.3 netmask 255.255.255.255

---------------------------------------------------------------------

show isakmp sa detail:

2   IKE Peer: X.XX.XX.XX
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes             Hash    : SHA
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 28761

---------------------------------------------------------------------

Crypto map tag: outside_map, seq num: 1, local addr: XX.XX.XX.XX

      access-list VPN-TUNNEL-PAT permit ip host 192.168.0.3 192.168.200.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.0.3/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
      current_peer: XX.XX.XX.XX

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

local crypto endpt.: XX.XX.XX.XX, remote crypto endpt.: XX.XX.XX.XX

      path mtu 1475, ipsec overhead 74, media mtu 1500
      current outbound spi: 0832DCF9
      current inbound spi : 8C59C9A4

    inbound esp sas:
      spi: 0x8C59C9A4 (2354694564)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 1105920, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 28704
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x0832DCF9 (137551097)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 1105920, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 28703
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

2colin-cant · ‎09-18-2010

well, i guess i found the mistake:

global (outside) 1 interface
global (outside) 1 192.168.0.3 netmask 255.255.255.255

and now running:

nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 2 access-list VPN-TUNNEL-PAT

global (outside) 1 interface
global (outside) 2 192.168.0.3 netmask 255.255.255.255

==========================================================================================

The NOW RUNNING config:

object-group network HOSTS-TO-PAT-VIA-TUNNEL
network-object host 192.168.0.80
network-object host 192.168.0.253
network-object host 172.16.16.27
network-object host 172.16.16.254

access-list VPN-TUNNEL-PAT extended permit ip object-group HOSTS-TO-PAT-VIA-TUNNEL 192.168.200.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip host 192.168.0.3 192.168.200.0 255.255.255.0

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer X.XX.XX.XX
crypto map outside_map 1 set transform-set ESP-AES-128-SHA

nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 2 access-list VPN-TUNNEL-PAT

global (outside) 1 interface
global (outside) 2 192.168.0.3 netmask 255.255.255.255

thats it!

now the hosts specified int HOSTS-TO-PAT-VIA-TUNNEL get translated to 192.168.0.3 and access 192.168.200.20 on the other tunnel end.

Thank you Federico for youre valueable tipp! Hope this config helps others to achieve there goals more efficiently.

Regards Colin