cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1816
Views
0
Helpful
5
Replies

NAT before going over a VPN Tunnel Cisco SA520 or ASA

tony.hanson
Level 1
Level 1

I have a friend who ask me to try to help.  We're setting up a site to site VPN with a customer.  Our side is a Cisco sa520 and there side is a Checkpoint. The tunnel is up, we've verified phase 1 and 2 are good. The issue is passing traffic accross the tunnel, our LAN ip address are private addresses 10.10.1.0/24  but the customer states that we need to have a public IP address for our LAN in order to access there server on there LAN.  So looking through all the forums, I see that you can NAT before crossing the VPN tunnel, but our issue is that our site only has 6 IP addresses assigned to it and those are the comcast router, the WAN side of the SA520 firewall.  So we were wondering was there a way that we can either use the WAN interface on the SA520 or use another available of the 6 that were assigned to NAT and pass traffic accross the tunnel.  Sounds confusing?  sorry but it is, rarely do I have a customer say I have to have a public IP for my side of the LAN.  Now I also say this is a SA520 firewall, but if it's not possible to do with that is there a way were could with an ASA5505?

Any Help or direction would be very helpful.

1 Accepted Solution

Accepted Solutions

Hi,

I guess I could quickly write up a basic configuration. Cant be sure I remember all correctly. But should be most of it.

Some of the parameters ofcourse can be different depending on what kind of L2L VPN connection parameters you have decided on.

Naturally there is also alot of basic configuration that is not mentioned below.

For example

  • Management and AAA configurations
  • DHCP for LAN
  • Logging
  • Interface "no shutdown"
  • etc

Information for below parameters

  • x.x.x.x = ASA "outside" interface public IP
  • y.y.y.y = ASA "outside" interface network mask
  • z.z.z.z = ASA "outside" default gateway IP address
  • a.a.a.a = L2L VPN remote site network address
  • b.b.b.b = L2L VPN remote site network mask
  • c.c.c.c = L2L VPN remote site VPN device public peer IP address
  • PSK = The Pre Shared Key for the L2L VPN connection

Interfaces - Default Route - Access-list

interface Vlan2

description WAN

nameif outside

security-level 0

ip add x.x.x.x y.y.y.y

route outside 0.0.0.0 0.0.0.0 z.z.z.z

interface Ethernet0

description WAN Access

switchport access vlan 2

  • All interfaces are on Vlan1 by default so their "switchport access vlan x" wont have to be configured

interface Vlan1

description LAN

nameif inside

security-level 100

ip add 10.10.1.0 255.255.255.0

access-list INSIDE-IN remark Allow all traffic from LAN

access-list INSIDE-IN permit ip 10.10.1.0 255.255.255.0 any

access-group INSIDE-IN in interface inside

NAT and L2L VPN configuration - ASA Software 8.2 and earlier

global (outside) 1 interface

nat (inside) 1 10.10.1.0 255.255.255.0

crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 28800

access-list L2L-VPN-CRYPTOMAP permit ip host x.x.x.x a.a.a.a b.b.b.b

crypto map WAN-CRYPTOMAP 10 match address L2L-VPN-CRYPTOMAP

crypto map WAN-CRYPTOMAP 10 set peer c.c.c.c

crypto map WAN-CRYPTOMAP 10 set transform-set AES-256

crypto map WAN-CRYPTOMAP 10 set security-association lifetime seconds 3600

crypto map WAN-CRYPTOMAP interface outside

crypto isakmp identity address

crypto isakmp enable outside

tunnel-group c.c.c.c type ipsec-l2l

tunnel-group c.c.c.c ipsec-attributes

pre-shared-key PSK

NAT and L2L VPN configuration - ASA Software 8.3 and after

nat (inside,outside) after-auto source dynamic any interface

crypto ipsec ikev1 transform-set AES-256 esp-aes-256 esp-sha-hmac

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 28800

access-list L2L-VPN-CRYPTOMAP permit ip host x.x.x.x a.a.a.a b.b.b.b

crypto map WAN-CRYPTOMAP 10 match address L2L-VPN-CRYPTOMAP

crypto map WAN-CRYPTOMAP 10 set peer c.c.c.c

crypto map WAN-CRYPTOMAP 10 set ikev1 transform-set AES-256

crypto map WAN-CRYPTOMAP 10 set security-association lifetime seconds 3600

crypto map WAN-CRYPTOMAP interface outside

crypto isakmp identity address

crypto ikev1 enable outside

tunnel-group c.c.c.c type ipsec-l2l

tunnel-group c.c.c.c ipsec-attributes

ikev1 pre-shared-key PSK

Hopefully the above information has been helpfull Please do rate if you have found it helpfull

If it comes down to configuring the connection with the ASA5505 and the above configuration doesnt cut it, dont hesitate to ask more

- Jouni

View solution in original post

5 Replies 5

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

I also wonder why would they want you to use a public IP address on a L2L VPN connection.

How is your L2L VPN configured at the moment with regards to the local and remote network? You said that the L2L VPN is up so is it at the moment using private IP address ranges on both sides and you need to change it to use public IP address on your side?

If this is the case then I guess you could simply change that your side network for the L2L VPN is the public IP address of your VPN device as it probably already has some sort of default PAT translation rule.

Naturally configuring the L2L VPN in this way (using Dynamic PAT towards the remote end) would mean that only your site could initiate connections towards the remote site as the remote site wouldnt have any destination IP address to connect to since you are only doing Dynamic PAT towards them.

Sadly I am not familiar with the SA520. I've only dealt with the Cisco FWSM, PIX and ASA models.

- Jouni

Thanks for you reply.  I setup the L2L from my private address 10.10.1.0/24 to there LAN which is public but he says that they translate that after it crosses the tunnel and before it gets to the tunnel from there LAN. (2way).  If you could explain a little more about the Dynamic PAT towards the remote end, our site should be the only one to initiate the VPN so that would be good.  As for the SA520, if that doesn't do what we want then he has a spare ASA from another customer we could use to test.

Hi,

What I mean with the Dynamic PAT is that you probably have the SA520 already configured to do this kind of NAT/PAT to the Internet, correct? Basically every LAN host gets translated to the public IP address of the SA520 devices "outside" interface?

If that is true then simply telling in the L2L VPN configurations that your side network to be tunneled would be the "outside" public IP address of the SA520 should possibly solve your problem IF the only problem is that you need to be visible to the remote site with a public IP address. Naturally you could use a separate public IP address to achieve the same.

As I said I dont know how the SA520 device is the configure but I imagine this should be possible with it. I have done it a few times on our/customer ASAs though the more common approach is to use private networks through the L2L VPN connections

- Jouni

Yes, we do have the SA520 set up for PAT to the Internet.  As for the SA520, I will research that a little more with Cisco directly.  The good part is we do have a spare ASA5505 we could use. Would you have any reference on how to set this up for ASA?  Thanks for all your input. BTW, I couldn't agree more about the L2L, my friend  usualy sets these up but he's never heard someone using a public address on there side on the LAN.

Hi,

I guess I could quickly write up a basic configuration. Cant be sure I remember all correctly. But should be most of it.

Some of the parameters ofcourse can be different depending on what kind of L2L VPN connection parameters you have decided on.

Naturally there is also alot of basic configuration that is not mentioned below.

For example

  • Management and AAA configurations
  • DHCP for LAN
  • Logging
  • Interface "no shutdown"
  • etc

Information for below parameters

  • x.x.x.x = ASA "outside" interface public IP
  • y.y.y.y = ASA "outside" interface network mask
  • z.z.z.z = ASA "outside" default gateway IP address
  • a.a.a.a = L2L VPN remote site network address
  • b.b.b.b = L2L VPN remote site network mask
  • c.c.c.c = L2L VPN remote site VPN device public peer IP address
  • PSK = The Pre Shared Key for the L2L VPN connection

Interfaces - Default Route - Access-list

interface Vlan2

description WAN

nameif outside

security-level 0

ip add x.x.x.x y.y.y.y

route outside 0.0.0.0 0.0.0.0 z.z.z.z

interface Ethernet0

description WAN Access

switchport access vlan 2

  • All interfaces are on Vlan1 by default so their "switchport access vlan x" wont have to be configured

interface Vlan1

description LAN

nameif inside

security-level 100

ip add 10.10.1.0 255.255.255.0

access-list INSIDE-IN remark Allow all traffic from LAN

access-list INSIDE-IN permit ip 10.10.1.0 255.255.255.0 any

access-group INSIDE-IN in interface inside

NAT and L2L VPN configuration - ASA Software 8.2 and earlier

global (outside) 1 interface

nat (inside) 1 10.10.1.0 255.255.255.0

crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 28800

access-list L2L-VPN-CRYPTOMAP permit ip host x.x.x.x a.a.a.a b.b.b.b

crypto map WAN-CRYPTOMAP 10 match address L2L-VPN-CRYPTOMAP

crypto map WAN-CRYPTOMAP 10 set peer c.c.c.c

crypto map WAN-CRYPTOMAP 10 set transform-set AES-256

crypto map WAN-CRYPTOMAP 10 set security-association lifetime seconds 3600

crypto map WAN-CRYPTOMAP interface outside

crypto isakmp identity address

crypto isakmp enable outside

tunnel-group c.c.c.c type ipsec-l2l

tunnel-group c.c.c.c ipsec-attributes

pre-shared-key PSK

NAT and L2L VPN configuration - ASA Software 8.3 and after

nat (inside,outside) after-auto source dynamic any interface

crypto ipsec ikev1 transform-set AES-256 esp-aes-256 esp-sha-hmac

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 28800

access-list L2L-VPN-CRYPTOMAP permit ip host x.x.x.x a.a.a.a b.b.b.b

crypto map WAN-CRYPTOMAP 10 match address L2L-VPN-CRYPTOMAP

crypto map WAN-CRYPTOMAP 10 set peer c.c.c.c

crypto map WAN-CRYPTOMAP 10 set ikev1 transform-set AES-256

crypto map WAN-CRYPTOMAP 10 set security-association lifetime seconds 3600

crypto map WAN-CRYPTOMAP interface outside

crypto isakmp identity address

crypto ikev1 enable outside

tunnel-group c.c.c.c type ipsec-l2l

tunnel-group c.c.c.c ipsec-attributes

ikev1 pre-shared-key PSK

Hopefully the above information has been helpfull Please do rate if you have found it helpfull

If it comes down to configuring the connection with the ASA5505 and the above configuration doesnt cut it, dont hesitate to ask more

- Jouni