06-27-2011 02:55 PM - edited 02-21-2020 05:25 PM
My goal is to create a VPN from me (61.227.106.64) to a vendor (9.105.8.204) using an ASA 5510 with 8.4 on it. The vendor's private LANs are 10.134.115.0/24 and 10.135.115.0/24. My private LAN is 10.11.102.0/24 but I want to NAT it to 61.227.106.70.
Is the following config correct?
ASA Version 8.4(2)
interface Ethernet0/0
 nameif LAN
 security-level 0
 ip address 10.241.1.61 255.255.255.0
!
interface Ethernet0/1
 nameif WAN
 security-level 0
 ip address 61.227.106.64 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network CareOneTSFarm
 subnet 10.11.102.0 255.255.255.0
object network Core_NAT
 host 61.227.106.70
object network NAT_to_outside
 subnet 0.0.0.0 0.0.0.0
object-group network Core_LAN
 network-object 10.134.115.0 255.255.255.0
 network-object 10.135.115.0 255.255.255.0
access-list VPNCore extended permit ip object CareOneTSFarm object-group Core_LAN
nat (LAN,WAN) source static CareOneTSFarm Core_NAT destination static Core_LAN Core_LAN
!
object network NAT_to_outside
 nat (LAN,WAN) dynamic interface
route WAN 0.0.0.0 0.0.0.0 61.227.106.1 1
route LAN 10.11.0.0 255.255.0.0 10.241.1.1 1
crypto ipsec ikev1 transform-set AES256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map VPN 50 match address VPNCore
crypto map VPN 50 set peer 9.105.8.204
crypto map VPN 50 set ikev1 transform-set AES256_SHA
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto map VPN interface WAN
tunnel-group 9.105.8.204 type ipsec-l2l
tunnel-group 9.105.8.204 ipsec-attributes
 ikev1 pre-shared-key *****
06-30-2011 06:02 AM
This NAT line:
nat (LAN,WAN) source static CareOneTSFarm Core_NAT destination static Core_LAN Core_LAN
should be:
nat (LAN,WAN) source dynamic CareOneTSFarm Core_NAT destination static Core_LAN Core_LAN
And the VPNCore ACL should match the NATed IP instead of the real IP:
access-list VPNCore extended permit ip object Core_NAT object-group Core_LAN
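As an added consistency check (not code from the thread or from Cisco), the following Python lint parses the object, twice-NAT and crypto-ACL lines and flags the two mismatches the answer points out: a static mapping of a whole subnet onto a single host, and a crypto ACL that names the real source instead of the NATed one. The config strings, regexes and function name are constructed for this example.

```python
import re
# Constructed sample configs: the poster's NAT/ACL pair and the corrected pair
# given in the answer (built inline here; not pulled from a live device).
ORIGINAL_CFG = """
object network CareOneTSFarm
 subnet 10.11.102.0 255.255.255.0
object network Core_NAT
 host 61.227.106.70
access-list VPNCore extended permit ip object CareOneTSFarm object-group Core_LAN
nat (LAN,WAN) source static CareOneTSFarm Core_NAT destination static Core_LAN Core_LAN
"""
CORRECTED_CFG = ORIGINAL_CFG.replace("source static", "source dynamic").replace(
    "object CareOneTSFarm object-group", "object Core_NAT object-group")

OBJ_RE = re.compile(r"^object network (\S+)$")
NAT_RE = re.compile(r"^nat \(\S+\) source (static|dynamic) (\S+) (\S+) destination static (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ object(?:-group)? (\S+) object(?:-group)? (\S+)")

def crypto_acl_issues(config, acl_name):
    """Compare a crypto-map ACL against twice-NAT rules; return a list of findings."""
    objects, nats, aces, current = {}, [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := OBJ_RE.match(line):
            current = m.group(1)                      # next host/subnet line belongs to this object
        elif current and line and line.split()[0] in ("host", "subnet"):
            objects[current] = line.split()[0]        # remember whether the object is a host or a subnet
        elif m := NAT_RE.match(line):
            nats.append(dict(mode=m.group(1), real_src=m.group(2), mapped_src=m.group(3),
                             real_dst=m.group(4), mapped_dst=m.group(5)))
        elif (m := ACL_RE.match(line)) and m.group(1) == acl_name:
            aces.append(dict(src=m.group(2), dst=m.group(3)))
    issues = []
    for nat in nats:
        # A whole subnet cannot be translated 1:1 onto one host; PAT ('source dynamic') is needed.
        if nat["mode"] == "static" and objects.get(nat["real_src"]) == "subnet" \
                and objects.get(nat["mapped_src"]) == "host":
            issues.append(f"nat: static {nat['real_src']} -> {nat['mapped_src']} maps a subnet "
                          "onto one host; use 'source dynamic'")
        for ace in (a for a in aces if a["dst"] == nat["mapped_dst"]):
            # NAT is applied before the crypto map is matched, so the ACL must name the mapped source.
            if ace["src"] == nat["real_src"] != nat["mapped_src"]:
                issues.append(f"{acl_name}: source {ace['src']} is the real address; "
                              f"use the mapped object {nat['mapped_src']}")
    return issues

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CFG), ("corrected", CORRECTED_CFG)):
        print(name, crypto_acl_issues(cfg, "VPNCore") or "OK")
```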