cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3300
Views
0
Helpful
7
Replies

L2L VPN configuration on ASA 5520 usind NATed IP

sojiajayi
Level 1
Level 1

i have a client that has a cisco asa firewall with a private IP on the outside interface, a pool of public ip addresses is also supplied for access to the internet, thees public ip addresses are not assigned to any interface, instead they are used in NAT (some static and some dynamic). there is now a requirement to setup VPN tunnels between this site and other sites running non-cisco vpn devices.

Is it possible to configure VPN on the firewall to terminate on the outside interface but use one of the Public IP as the peer IP, if so, how?

7 Replies 7

Soji,

You should terminate the tunnel on an IP assigned to an interface on the ASA.

An option would be to terminate the tunnel on the next-hop device facing the Internet and have a static NAT for the outside IP of the ASA.

Let's say you have:

LAN - ASA - Router - Internet

Then, on the router you can configure a static NAT for the outside IP of the ASA, and still have all the VPN configuration on the ASA.

When the peers establish a VPN tunnel with the ASA, they will point to the public IP of the router, which will redirect the VPN traffic to the ASA.

Is this an option for you?

Federico.

for now, i do not have the prower to place a router between the ASA and the ISP's router with also has private IP addresses. is it possible to terminate the VPN on another interface and configure a static NAT on the ASA for the interface IP to map to one of the public IPs?

i have a LAN interface, a DMZ interface with hosts all the servers to be accesses by the VPN and the outside interface connected to the ISP which i have little control of. is it possible to configure a static NAT for the DMZ interface on the firewall and configure the VPN to terminate on the DMZ interface?

Soji,

If you're considering to terminate the VPN tunnels on the DMZ interface is because you can place a public IP on that interface?

If so, yes you can terminate the VPN on the DMZ interface, as long as having the routing configured properly.

But in this case, the VPN will actually terminate on the DMZ (there cannot be a static NAT to redirect the VPN to the outside interface).

But terminating the VPN on the DMZ will work fine.

Federico.

i finaly gpt perm

ision and placed a router before the firewall, the router

now has the private ip initially on the outside in

terface of the firewall. the ouside inte

rface of the firewall now has a public IP

and connected to the internal interface of the router like below.

Internal router ------ [Inside interface] Firewalll [Ouside interface]----- [internal interface]Router[External interface]----internet

i am terminating my vpn on the Ouside interface now and the tunnel is up but i cant get any ttraffic throguh. packets that is supposed to pass through the tunnel on the outside interface are going through the WAN interface which is where they are suppsoed to pass if there was no tunnel.

what am i doing wrong? is it that the static routing table has precedence over the tunnels or am i missing something? below is part of my config(modified) i feel is relevant

names
name 172.21.11.106 extranetsvr description Extranet Server
dns-guard
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 63.174.45.81 255.255.255.248
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif dmz
security-level 30
ip address 172.21.11.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif wan
security-level 50
ip address 192.168.201.18 255.255.255.252
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
!
object-group network DMZ_SUBNET
network-object 172.21.11.0 255.255.255.0
object-group network INSIDE_SUBNET
network-object 192.168.1.0 255.255.255.0
object-group service intranetservergrp tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group icmp-type ping
description ping group
icmp-object echo
icmp-object echo-reply
object-group network SIDMACH_LAN
network-object 192.168.114.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit icmp any any object-group ping
access-list inside_access_in extended permit ip object-group INSIDE_SUBNET any
access-list inside_access_in extended permit icmp any any object-group ping
access-list sidmach_vpn extended permit ip object-group DMZ_SUBNET object-group SIDMACH_LAN
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any object-group ping
access-list wan_access_in extended permit ip any any
access-list wan_access_in extended permit icmp any any object-group ping
access-list inside_pnat_outbound extended permit ip 192.168.1.0 255.255.255.0 any

global (Outside) 1 63.174.45.84 netmask 255.255.255.248
global (wan) 10 172.21.11.200-172.21.11.250 netmask 255.255.255.0
nat (dmz) 1 172.21.11.0 255.255.255.0
static (Inside,Outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (Inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,Outside) 63.174.45.82 extranetsvr netmask 255.255.255.255
static (dmz,Outside) 63.174.45.83 172.21.11.107 netmask 255.255.255.255
access-group outside_access_in in interface Outside
access-group inside_access_in in interface Inside
access-group dmz_access_in in interface dmz
access-group wan_access_in in interface wan
route Outside 0.0.0.0 0.0.0.0 63.174.45.86 1
route Inside 192.168.1.0 255.255.255.0 10.10.10.1 1
route dmz 10.5.0.0 255.255.255.0 172.21.11.5 1
route wan 10.0.0.0 255.0.0.0 192.168.201.17 1
route wan 172.21.0.0 255.255.0.0 192.168.201.17 1
route wan 172.23.1.0 255.255.255.0 192.168.201.17 1
route wan 192.168.0.0 255.255.0.0 192.168.201.17 1


crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address sidmach_vpn
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 70.238.11.18
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface Outside
isakmp identity auto
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
isakmp nat-traversal  20

tunnel-group 70.238.11.18 type ipsec-l2l
tunnel-group 70.238.11.18 ipsec-attributes
pre-shared-key *pre-shared-key

The problem here is that you NAT everything, so the traffic reaching the outside interface (post-NAT) does not match your VPN access list:

global (Outside) 1 63.174.45.84 netmask 255.255.255.248


nat (dmz) 1  172.21.11.0 255.255.255.0

In order for this to work, add the commands:

access-list dmz_nat_0 extended permit ip object-group DMZ_SUBNET  object-group SIDMACH_LAN

nat (dmz) 0 access-list dmz_nat_0

This should do it! As the VPN traffic will bypass the NAT.

Please rate if it helped

Regards,

Daniel

Thanks Daniel

I could never have thought of the NAT in a million years. I have applied what you gave me and I can initiate connection from the remote site and connect though the tunnel but connecting from remote to this site is still not working and doing a trace shows that the packet is still going through the wan interface as configured in the static route table instead of the tunnel. it is like the tunnel is set up for one direction only (inbound)

Hi Ajavi,

The problem is the routing. You have a route pointing to the WAN:

route wan 192.168.0.0 255.255.0.0 192.168.201.17 1

This means that even the "VPN traffic" goes to WAN interface, thus not reaching the Outside where the crypto map is.

Remember that ASA only tunnels a flow in VPN if the traffic reaches the interface where the crypto map is applied.

So, to solve the problem add:

route Outside 192.168.114.0 255.255.255.0 63.174.45.86 1

You also should permit the traffic on the DMZ interface (for outbound traffic):

access-list dmz_access_in extended permit ip object-group DMZ_SUBNET object-group SIDMACH_LAN

I believe this should do it.

Regards,

Daniel