Thank you Luis, your answers are very helpful!
Now I am facing another issue with another pair of ASAs, I need to translate incoming IP address (source of the tunnel) to some other IP address on the second ASA after it reached the other side thru VPN tunnel. Say, I have 192.168.0.3 host on ASA1 inside - as the tunnel source and I need this IP address to be translated to 192.168.1.3 after VPN tunnel when packet comes thru ASA2 inside interface configured with IP address 192.168.1.1(same subnet) I am posting my crypto part of the configuration and would highly appreciate your advise on how to modify the nat statements on ASA2 (I believe)
Thank you man!
ASA1
object-group network ASA1ObjectGroup
network-object 192.168.0.0 255.255.255.0
object-group network ASA2ObjectGroup
network-object 192.168.1.0 255.255.255.0
access-list EncryptedTraffic remark ****** Link to ASA 2 ******
access-list EncryptedTraffic extended permit ip object-group ASA1ObjectGroup object-group ASA2ObjectGroup
!
nat (inside,outside) source static ASA1ObjectGroup ASA1ObjectGroup destination static ASA2ObjectGroup ASA2ObjectGroup
!
sysopt connection permit-ipsec
!
crypto ikev1 enable outside
crypto isakmp identity address
!
crypto ikev1 policy 10
hash md5
authentication pre-share
encryption 3des
group 2
lifetime 86400
!
crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac
!
crypto ipsec df-bit clear-df outside
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto map mymap 1 match address EncryptedTraffic
crypto map mymap 1 set pfs group2
crypto map mymap 1 set peer 1.1.1.2
crypto map mymap 1 set ikev1 transform-set myset
crypto map mymap interface outside
!
group-policy GroupPolicy_1.1.1.2 internal
group-policy GroupPolicy_1.1.1.2 attributes
vpn-tunnel-protocol ikev1 ikev2
exit
!
tunnel-group 1.1.1.2 type ipsec-l2l
!
tunnel-group 1.1.1.2 general-attributes
default-group-policy GroupPolicy_1.1.1.2
!
tunnel-group 1.1.1.2 ipsec-attributes
ikev1 pre-shared-key cisco123
isakmp keepalive threshold 10 retry 2
!
ASA2
object-group network ASA2ObjectGroup
network-object 192.168.1.0 255.255.255.0
object-group network ASA1ObjectGroup
network-object 192.168.0.0 255.255.255.0
access-list EncryptedTraffic remark ****** Link to ASA 1 ******
access-list EncryptedTraffic extended permit ip object-group ASA2ObjectGroup object-group ASA1ObjectGroup
!
nat (inside,outside) source static ASA2ObjectGroup ASA2ObjectGroup destination static ASA1ObjectGroup ASA1ObjectGroup
!
sysopt connection permit-ipsec
!
crypto ikev1 enable outside
crypto isakmp identity address
!
crypto ikev1 policy 10
hash md5
authentication pre-share
encryption 3des
group 2
lifetime 86400
!
crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac
crypto ipsec df-bit clear-df outside
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto map mymap 2 match address EncryptedTraffic
crypto map mymap 2 set pfs group2
crypto map mymap 2 set peer 1.1.1.1
crypto map mymap 2 set ikev1 transform-set myset
crypto map mymap interface outside
!
group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
vpn-tunnel-protocol ikev1 ikev2
exit
!
tunnel-group 1.1.1.1 type ipsec-l2l
!
tunnel-group 1.1.1.1 general-attributes
default-group-policy GroupPolicy_1.1.1.1
!
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key cisco123
isakmp keepalive threshold 10 retry 2
!
