09-01-2011 08:03 PM - last edited on 02-21-2020 11:51 PM by cc_security_adm
Hello Everyone!
I have a question about L2L VPN and NAT.
Can I set up a VPN tunnel between two ASAs or routers using NAT translation of the inside private IP addresses to a single public IP address on the outside interface, and then define the crypto interesting traffic with a source of the public IP address and a destination of the remote private network on the other end (also an ASA)? I.e. I want to translate the private network to a public IP on one end and use the VPN tunnel with the public IP address as source. Policy-NAT is not an option, as we really do not want to provide any IP addressing to the remote end, and the remote end's private IP addresses could overlap with ours.
Thanks!
09-01-2011 08:20 PM
Hi There,
You can definitely set up an IPSec tunnel between two devices while translating your private subnet into one single public IP. You would just need to create the translation and, like you mentioned, define the interesting traffic using the public IP.
This is exactly what is called policy NAT; I don't understand why you say that policy NAT is not an option. Perhaps you have misunderstood the concept of policy NAT, or I have misunderstood your question.
For example, assuming that the private LAN on your side is 172.16.1.0/24, that the remote subnet is 192.168.150.0/24 and that the public IP Address that you intend to use is 200.200.200.200 your NAT config should look something like this:
access-list 199 permit ip 172.16.1.0 255.255.255.0 192.168.150.0 255.255.255.0
global (outside) 6 200.200.200.200
nat (inside) 6 access-list 199
That would NAT the traffic to the public IP Address only when the traffic matches the ACL.
Then your crypto ACL should be something like
access-list cryptomap permit ip host 200.200.200.200 192.168.150.0 255.255.255.0
That would hide your real address and all they'd see is the public IP Address that you are giving them. Notice that since the NAT takes place on your side only your side will be able to bring the tunnel up.
I hope this helps.
Raga
09-01-2011 08:29 PM
Thanks man, you are right, I misunderstood policy NAT. Wondering if you can drop the same lines of config for ASA 8.4.
Thanks again.
09-01-2011 09:04 PM
Sure, that would be something like:
object network INSIDE_LAN
subnet 172.16.1.0 255.255.255.0
object network TRANSLATED_HOST
host 200.200.200.200
object network REMOTE_LAN
subnet 192.168.150.0 255.255.255.0
nat (inside,outside) source dynamic INSIDE_LAN TRANSLATED_HOST destination static REMOTE_LAN REMOTE_LAN
You might want to check the following config examples for 8.3/4 in case you need some clarification.
https://supportforums.cisco.com/docs/DOC-9129
Have a good one!
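A small consistency check for the pattern both answers above describe (policy NAT behind a crypto ACL): the crypto ACL must match the post-NAT traffic, i.e. the mapped host rather than the real LAN, or the tunnel will never see the interesting traffic. This is an added example, not code from the thread or from Cisco; the config text inside it is constructed to mirror the ASA 8.4 answer, and the object and ACL names are assumed.

```python
import ipaddress
import re

# Constructed sample, modelled on the ASA 8.4 answer above (not copied from the page).
SAMPLE_CONFIG = """
object network INSIDE_LAN
 subnet 172.16.1.0 255.255.255.0
object network TRANSLATED_HOST
 host 200.200.200.200
object network REMOTE_LAN
 subnet 192.168.150.0 255.255.255.0
nat (inside,outside) source dynamic INSIDE_LAN TRANSLATED_HOST destination static REMOTE_LAN REMOTE_LAN
access-list cryptomap extended permit ip host 200.200.200.200 192.168.150.0 255.255.255.0
"""

def _net(tokens):
    """Consume 'host A' or 'A MASK' from an ACL token list; return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1], strict=False), tokens[2:]

def parse_objects(cfg):
    """Map each 'object network NAME' to the ip_network its subnet/host line defines."""
    objs, current = {}, None
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:2] == ["object", "network"]:
            current = tok[2]
        elif current and tok and tok[0] == "subnet":
            objs[current] = ipaddress.ip_network(tok[1] + "/" + tok[2], strict=False)
        elif current and tok and tok[0] == "host":
            objs[current] = ipaddress.ip_network(tok[1] + "/32")
    return objs

def check_crypto_vs_nat(cfg, acl_name="cryptomap"):
    """Return mismatches between the twice-NAT rule and the crypto ACL (empty list = consistent)."""
    objs = parse_objects(cfg)
    nat = re.search(r"nat \(\S+\) source (?:dynamic|static) (\S+) (\S+) destination static (\S+) (\S+)", cfg)
    acl = re.search(rf"access-list {acl_name} (?:extended )?permit ip (.+)", cfg)
    if not nat or not acl:
        return ["missing nat rule or crypto ACL"]
    _real_src, mapped_src, real_dst, mapped_dst = (objs[n] for n in nat.groups())
    acl_src, rest = _net(acl.group(1).split())
    acl_dst, _ = _net(rest)
    problems = []
    if acl_src != mapped_src:  # crypto ACL must carry the translated source, not the real LAN
        problems.append(f"crypto ACL source {acl_src} != mapped source {mapped_src}")
    if acl_dst != mapped_dst:
        problems.append(f"crypto ACL destination {acl_dst} != NAT destination {mapped_dst}")
    if mapped_src.overlaps(real_dst):  # mapped address inside the remote LAN misroutes return traffic
        problems.append(f"mapped source {mapped_src} overlaps remote network {real_dst}")
    return problems
```

Run it on a config where the crypto ACL was written with the real LAN (the classic mistake) and the first check reports it.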
09-02-2011 12:11 PM
Thank you Luis, your answers are very helpful!
Now I am facing another issue with another pair of ASAs. I need to translate the incoming IP address (source of the tunnel) to some other IP address on the second ASA after it has reached the other side through the VPN tunnel. Say I have host 192.168.0.3 on the ASA1 inside as the tunnel source, and I need this IP address to be translated to 192.168.1.3 after the VPN tunnel when the packet comes through the ASA2 inside interface, configured with IP address 192.168.1.1 (same subnet). I am posting the crypto part of my configuration and would highly appreciate your advice on how to modify the NAT statements on ASA2 (I believe).
Thank you man!
ASA1
object-group network ASA1ObjectGroup
network-object 192.168.0.0 255.255.255.0
object-group network ASA2ObjectGroup
network-object 192.168.1.0 255.255.255.0
access-list EncryptedTraffic remark ****** Link to ASA 2 ******
access-list EncryptedTraffic extended permit ip object-group ASA1ObjectGroup object-group ASA2ObjectGroup
!
nat (inside,outside) source static ASA1ObjectGroup ASA1ObjectGroup destination static ASA2ObjectGroup ASA2ObjectGroup
!
sysopt connection permit-ipsec
!
crypto ikev1 enable outside
crypto isakmp identity address
!
crypto ikev1 policy 10
hash md5
authentication pre-share
encryption 3des
group 2
lifetime 86400
!
crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac
!
crypto ipsec df-bit clear-df outside
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto map mymap 1 match address EncryptedTraffic
crypto map mymap 1 set pfs group2
crypto map mymap 1 set peer 1.1.1.2
crypto map mymap 1 set ikev1 transform-set myset
crypto map mymap interface outside
!
group-policy GroupPolicy_1.1.1.2 internal
group-policy GroupPolicy_1.1.1.2 attributes
vpn-tunnel-protocol ikev1 ikev2
exit
!
tunnel-group 1.1.1.2 type ipsec-l2l
!
tunnel-group 1.1.1.2 general-attributes
default-group-policy GroupPolicy_1.1.1.2
!
tunnel-group 1.1.1.2 ipsec-attributes
ikev1 pre-shared-key cisco123
isakmp keepalive threshold 10 retry 2
!
ASA2
object-group network ASA2ObjectGroup
network-object 192.168.1.0 255.255.255.0
object-group network ASA1ObjectGroup
network-object 192.168.0.0 255.255.255.0
access-list EncryptedTraffic remark ****** Link to ASA 1 ******
access-list EncryptedTraffic extended permit ip object-group ASA2ObjectGroup object-group ASA1ObjectGroup
!
nat (inside,outside) source static ASA2ObjectGroup ASA2ObjectGroup destination static ASA1ObjectGroup ASA1ObjectGroup
!
sysopt connection permit-ipsec
!
crypto ikev1 enable outside
crypto isakmp identity address
!
crypto ikev1 policy 10
hash md5
authentication pre-share
encryption 3des
group 2
lifetime 86400
!
crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac
crypto ipsec df-bit clear-df outside
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto map mymap 2 match address EncryptedTraffic
crypto map mymap 2 set pfs group2
crypto map mymap 2 set peer 1.1.1.1
crypto map mymap 2 set ikev1 transform-set myset
crypto map mymap interface outside
!
group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
vpn-tunnel-protocol ikev1 ikev2
exit
!
tunnel-group 1.1.1.1 type ipsec-l2l
!
tunnel-group 1.1.1.1 general-attributes
default-group-policy GroupPolicy_1.1.1.1
!
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key cisco123
isakmp keepalive threshold 10 retry 2
!
09-02-2011 09:09 PM
Also wondering if there is a way to do that on routers.
Thanks.