07-26-2012 08:13 PM
Hi all,
I've been tasked with retiring a VPN Concentrator 3000 and replacing it with an ASA 5520. I'm trying to get a handle on how to set up the NATs and ACLs, since most of my experience is remote access VPNs, not site-to-site. Plus I've not configured a VPN 3000 in about 6 years so I'm having to re-learn a lot of the interface.
The VPN 3000 has a feature called LAN-to-LAN NAT rules that basically allow you to NAT an address on your internal network to an address on the "local" network for the LAN-to-LAN connection so it can then go through the tunnel to the remote side. The config looks something like this in the VPN 3000:
Source Network Translated Network Remote Network
172.16.3.151 192.168.200.151 10.3.136.0
Which looks to me like a "Static Policy NAT" in ASDM. So I set one of those up, that should be translating 172.16.3.151 on the inside interface to 192.168.200.151 on the inside interface (yes, the same interface) which should then (logically) be picked up as "interesting traffic" by the crypto-map and sent across the VPN tunnel. However, that doesn't seem to be the case - both the "packet trace" in the ASDM and traceroute from the source workstation show the packets getting to the inside interface, and then passed right out the outside interface to the internet router (which then drops the packets as they're a private IP).
I'm sure I've missed something fundamental...what else do I need to do to make the crypto-map pick up the NATted traffic?
07-26-2012 09:47 PM
Hi Greg,
Please attach the running-configuration of your FW.
Thanks in advance.
Portu
07-27-2012 06:19 AM
Here's an (anonymized) copy of the running config. The test tunnel I have set up is between me and the fake IP 12.13.14.66. My PC is 172.16.3.151, which should be NATted to 192.168.168.168 and sent across the tunnel. I know the tunnel is up.
: Saved
: Written by greg.dickinson at 07:59:31.060 CDT Fri Jul 27 2012
!
ASA Version 8.2(5)13
!
hostname DCP-5520-01
domain-name westchester.il.revcs.com
enable password [snipped] encrypted
passwd [snipped] encrypted
names
name 1.2.3.189 RAPP2 description RemoteApp TS Gateway
name 10.199.1.191 Int_RAPP description RemoteApp Employee Server
name 10.199.1.192 Int_RAPP2 description RemoteApp Client Server
dns-guard
!
interface GigabitEthernet0/0
description **Telx Level 3 Outside Interface**
nameif outside
security-level 0
ip address 1.2.3.190 255.255.255.192
ospf cost 10
!
interface GigabitEthernet0/1
description **Data Center Inside Interface**
speed 100
duplex full
nameif inside
security-level 100
ip address 10.199.7.250 255.255.248.0
ospf cost 10
!
interface GigabitEthernet0/2
description **Data Center DMZ Interface**
nameif dmz
security-level 50
ip address 10.199.8.250 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description **Data Center 5520 Mgmt Interface**
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
ospf network point-to-point non-broadcast
management-only
!
banner exec $(hostname).$(domain)
banner exec Access is monitored and logged
banner asdm RCS Data Center - $(hostname)
banner asdm Access is monitored and logged
boot system disk0:/asa825-13-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup dmz
dns server-group CSI
name-server 172.16.2.251
domain-name cashretriever.com
dns server-group DefaultDNS
name-server 10.199.1.251
name-server 10.199.3.251
domain-name westchester.il.revcs.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network RemoteApp_Access
description RemoteApp Server RAPP2 accesses
network-object host RAPP2
object-group service TS_Gateway tcp
description RemoteApp TS Gateway access
port-object eq https
port-object eq ssh
port-object eq 3389
object-group network Livevox_Local
description LiveVox local addresses
network-object host 70.36.21.160
network-object host 70.36.21.170
object-group network Livevox_Remote
description LiveVox Remote Addresses
network-object 204.115.206.0 255.255.255.0
network-object host 8.14.80.30
network-object host 8.14.80.32
network-object host 8.14.80.33
network-object host 8.14.80.37
network-object host 8.14.80.39
network-object host 8.14.80.54
network-object host 8.14.80.62
object-group network HCH_Local
network-object 192.168.249.0 255.255.255.0
object-group network HCH_Remote
network-object 128.1.0.0 255.255.0.0
network-object 172.16.46.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group HCH_Local object-group HCH_Remote
access-list inside_nat0_outbound extended permit ip object-group HCH_Local object-group HCH_Remote
access-list inside_nat0_outbound extended permit ip host 192.168.168.168 10.10.0.0 255.255.0.0
access-list RCSAdmin_splitTunnelAcl standard permit 10.199.0.0 255.255.248.0
access-list RCSAdmin_splitTunnelAcl standard permit 172.16.0.0 255.255.255.248
access-list RCSAdmin_splitTunnelAcl standard permit 192.168.167.0 255.255.255.0
access-list RCS_RA_VPN_splitTunnelAcl remark Chicago PC Network
access-list RCS_RA_VPN_splitTunnelAcl standard permit 192.168.167.0 255.255.255.0
access-list RCS_RA_VPN_splitTunnelAcl standard permit 192.168.165.0 255.255.255.0
access-list RCS_RA_VPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list RCS_RA_VPN_splitTunnelAcl standard permit 192.168.50.0 255.255.255.0
access-list RCS_RA_VPN_splitTunnelAcl standard permit 192.168.5.0 255.255.255.252
access-list RCS_RA_VPN_splitTunnelAcl remark Birmingham Subnet
access-list RCS_RA_VPN_splitTunnelAcl standard permit 172.16.0.0 255.255.255.248
access-list RCS_RA_VPN_splitTunnelAcl remark Point-to-Point Interfaces
access-list RCS_RA_VPN_splitTunnelAcl standard permit 10.255.255.0 255.255.255.240
access-list RCS_RA_VPN_splitTunnelAcl remark Data Center Subnet
access-list RCS_RA_VPN_splitTunnelAcl standard permit 10.199.0.0 255.255.240.0
access-list outside_2_cryptomap extended permit ip host 192.168.168.168 10.10.0.0 255.255.0.0
access-list RCS_RA_splitClient standard permit host Int_RAPP
access-list RCS_RA_splitClient standard permit host Int_RAPP2
access-list inside_nat_static extended permit ip host 172.16.3.151 10.10.0.0 255.255.0.0
access-list ACL_Remote_APP webtype permit url rdp://10.199.1.191 log default
access-list ACL_Remote_APP webtype permit url
log default
pager lines 24
logging enable
logging monitor informational
logging buffered informational
logging asdm informational
logging from-address
logging recipient-address
level errors
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool RCS_AnyConnect_Pool 10.199.2.232-10.199.2.250 mask 255.255.255.255
ip local pool DMZ_AnyConnect 10.199.8.50-10.199.8.75
no failover
no monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-647.bin
asdm location Int_RAPP 255.255.255.255 inside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) RAPP2 Int_RAPP2 netmask 255.255.255.255
static (inside,inside) 192.168.168.168 access-list inside_nat_static
route outside 0.0.0.0 0.0.0.0 1.2.3.129 1
route inside 10.255.255.0 255.255.255.0 10.199.7.1 1
route inside 172.16.0.0 255.255.248.0 10.199.7.1 1
route inside 192.168.167.0 255.255.255.0 10.199.7.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol nt
aaa-server AD (inside) host 10.199.1.251
nt-auth-domain-controller RCS-DC-01
aaa-server AD (inside) host 10.199.3.251
nt-auth-domain-controller CHI-DC-01
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.199.1.251
key [snipped]
authentication-port 1812
accounting-port 1813
acl-netmask-convert auto-detect
aaa-server RADIUS (inside) host 172.16.2.251
key [snipped]
authentication-port 1812
accounting-port 1813
aaa-server AD2003 protocol ldap
aaa-server AD2003 (inside) host 10.199.1.251
ldap-base-dn [snipped]
server-type microsoft
aaa-server AD2003 (inside) host 192.168.167.251
ldap-base-dn [snipped]
server-type microsoft
aaa-server AD2008 protocol ldap
aaa-server AD2008 (inside) host 10.199.1.251
server-type microsoft
aaa authentication enable console AD LOCAL
aaa authentication http console AD LOCAL
aaa authentication ssh console AD LOCAL
aaa authentication secure-http-client
aaa authentication listener https outside port https
http server enable
http 172.16.0.0 255.255.248.0 inside
http 10.199.0.0 255.255.248.0 inside
http 192.168.1.0 255.255.255.0 management
http redirect outside 80
snmp-server host inside 10.199.1.199 community revcs-161V version 2c
snmp-server location Data Center
snmp-server contact
snmp-server community revcs-161D
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 5.6.7.225
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 12.13.14.66
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=DCP-5520-01,O=Revenue Cycle Solutions
serial-number
proxy-ldc-issuer
crl configure
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca server
shutdown
database path disk0:/
smtp from-address
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca [snipped]
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate [snipped]
quit
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca [snipped]
quit
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
crypto isakmp policy 25
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 35
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 45
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 55
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto isakmp policy 75
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh 172.16.0.0 255.255.248.0 inside
ssh 10.199.0.0 255.255.248.0 inside
ssh 192.168.167.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 15
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 130.126.24.24
ntp server 10.199.7.1 source inside prefer
ntp server 130.126.24.53 source dmz
ntp server 130.126.24.44
tftp-server inside 10.199.1.199 Configs/
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
enable inside
svc image disk0:/anyconnect-win-3.0.5075-k9.pkg 1
svc profiles RCSAdmin_AnyConnect_Profile disk0:/rcsadmin_anyconnect_profile.xml
svc profiles RCSClient_AnyConnect_Profile disk0:/rcsclient_anyconnect_profile.xml
svc enable
port-forward Client_RAPP_Server 2080 10.199.1.192 https RAPP2 TS Web Access Server Page
port-forward RCS_RAPP_Server 2081 10.199.1.191 https RCS Employee RemoteApp Server Access
tunnel-group-list enable
group-policy RCSAdmin internal
group-policy RCSAdmin attributes
wins-server none
dns-server value 10.199.1.251 10.199.3.251
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RCS_RA_VPN_splitTunnelAcl
default-domain value westchester.il.revcs.com
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem disable
address-pools value RCS_AnyConnect_Pool
client-firewall none
client-access-rule none
webvpn
homepage none
svc dtls enable
svc mtu 1406
svc keep-installer installed
svc keepalive 20
svc dpd-interval client 30
svc dpd-interval gateway 30
svc compression none
svc modules value dart
svc profiles value RCSAdmin_AnyConnect_Profile
svc ask enable default svc timeout 15
customization value DfltCustomization
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
svc df-bit-ignore disable
group-policy DfltGrpPolicy attributes
dns-server value 10.199.1.251 10.199.3.251
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RCS_RA_splitClient
default-domain value westchester.il.revcs.com
split-dns value westchester.il.revcs.com revcs.com cashretriever.com
address-pools value RCS_AnyConnect_Pool
webvpn
svc profiles value RCSClient_AnyConnect_Profile
svc ask none default svc
group-policy LiveVox_VPN internal
group-policy LiveVox_VPN attributes
vpn-tunnel-protocol IPSec
group-policy HCH_L2L_VPN internal
group-policy HCH_L2L_VPN attributes
vpn-tunnel-protocol l2tp-ipsec
username admin password [snipped] encrypted privilege 15
username support password [snipped] encrypted privilege 15
username gilbert.martin password [snipped] encrypted privilege 15
username will.banister password [snipped] encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool (dmz) DMZ_AnyConnect
address-pool RCS_AnyConnect_Pool
authentication-server-group AD LOCAL
authentication-server-group (dmz) AD
accounting-server-group RADIUS
password-management password-expire-in-days 5
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group AD LOCAL
tunnel-group 5.6.7.225 type ipsec-l2l
tunnel-group 5.6.7.225 general-attributes
default-group-policy HCH_L2L_VPN
tunnel-group 5.6.7.225 ipsec-attributes
pre-shared-key [snipped]
tunnel-group 8.9.10.125 type ipsec-l2l
tunnel-group 8.9.10.125 ipsec-attributes
pre-shared-key [snipped]
tunnel-group RCS-AnyConnect type remote-access
tunnel-group RCS-AnyConnect general-attributes
address-pool (inside) RCS_AnyConnect_Pool
address-pool RCS_AnyConnect_Pool
authentication-server-group AD LOCAL
authentication-server-group (inside) AD
accounting-server-group RADIUS
default-group-policy RCSAdmin
password-management password-expire-in-days 5
tunnel-group RCS-AnyConnect webvpn-attributes
group-alias RCS_AnyConnect enable
tunnel-group 12.13.14.66 type ipsec-l2l
tunnel-group 12.13.14.66 ipsec-attributes
pre-shared-key [snipped]
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
smtp-server 10.199.8.188
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8ddd612ce980d489fb8b4690a9a847c2
: end
07-27-2012 08:54 AM
Hi Greg,
Yes. You can get that done, but you simply need to do NAT for the crypto ACL. But the crypto ACL from the other end should get pointed to your NAT IP address. I will be posting you an example in the next post.
Please do rate for the helpful posts.
By
Karthik
07-27-2012 09:12 AM
Hi,
access-list vpnout extended permit ip object-group localnet_sn object-group ETNW (ACL for PAT)
access-list vpnpat extended permit ip object-group S2S_PAT object-group ETNW (ACL for VPN crypto)
!
global (outside) 5 10.98.203.112-10.98.203.125 netmask 255.255.255.240
nat (inside) 5 access-list vpnout
!
crypto map site2 10 match address vpnpat
!
Please do rate for the helpful posts.
By
Karthik
07-27-2012 09:27 AM
Thanks Karthik... I guess the only questions I have are what do the various object-groups represent?
Localnet_sn, S2S_PAT, and ETNW?
07-27-2012 09:39 PM
Hi Greg Dickinson,
This is the scenario. You may have multiple object groups; in your scenario this can be done.
Your original LAN IP to the Site-B LAN IP permit ACL should be used for NAT/PAT.
!
access-list NAT_ACL permit ip 172.16.3.0 255.255.255.0 10.3.136.0 255.255.255.0
static (inside,outside) 192.168.200.0 255.255.255.0 access-list NAT_ACL
!
access-list CryptoACL permit ip 192.168.200.0 255.255.255.0 10.3.136.0 255.255.255.0
!
crypto map outside_map 1 match address CryptoACL
Your NAT/PAT IP to the LAN IP subnet/IPs @ Site B will be the crypto ACL for the VPN.
So whenever you send traffic for the site-to-site from your LAN, it will hit the NAT/PAT and get translated.
Then your crypto ACL will be with your PAT IP, and it should be in sync with Site B.
Please do rate for the helpful posts.
By
Karthik
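As an added worked example (not from the thread), here is Karthik's approach applied to the values in Greg's posted config: real host 172.16.3.151, translated address 192.168.168.168, remote network 10.10.0.0/16, peer 12.13.14.66. The one change to Greg's config is the interface pair on the static: the crypto map is bound to outside, so the policy NAT must be (inside,outside), not (inside,inside). The packet-tracer flow (10.10.1.1 port 80) is an assumed test destination.

```cisco
! Real-to-remote traffic that should be translated (already in Greg's config)
access-list inside_nat_static extended permit ip host 172.16.3.151 10.10.0.0 255.255.0.0
!
! Replace the (inside,inside) static: it only translates hairpinned inside->inside
! traffic, so packets leaving towards the outside interface were never NATted
! and never matched the crypto ACL
no static (inside,inside) 192.168.168.168 access-list inside_nat_static
static (inside,outside) 192.168.168.168 access-list inside_nat_static
!
! Crypto ACL uses the translated (post-NAT) source, as the thread says;
! the remote peer's mirror ACL must permit 10.10.0.0/16 -> host 192.168.168.168
access-list outside_2_cryptomap extended permit ip host 192.168.168.168 10.10.0.0 255.255.0.0
crypto map outside_map 2 match address outside_2_cryptomap
!
! Note: nat 0 (NAT exemption) matches on real addresses, so the existing
! inside_nat0_outbound line with source 192.168.168.168 never fires; it is harmless
!
! Verification: the trace should show the static NAT phase, then VPN encrypt
packet-tracer input inside tcp 172.16.3.151 1025 10.10.1.1 80
show xlate | include 192.168.168.168
show crypto ipsec sa peer 12.13.14.66
```

If the trace still ends with an outside route lookup and no VPN phase, the source did not match inside_nat_static or the crypto ACL is still written with the real address.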
07-28-2012 09:56 AM
That's the missing link. Thanks for the help!