NAT IPSEC site-to-site VPN ASA 8.4

jasonww04
Level 1

My goal is to create a VPN from me (61.227.106.64) to a vendor (9.105.8.204) using an ASA 5510 with 8.4 on it. The vendor's private LANs are 10.134.115.0/24 and 10.135.115.0/24. My private LAN is 10.11.102.0/24 but I want to NAT it to 61.227.106.70.

Is the following config correct?

ASA Version 8.4(2)
!
interface Ethernet0/0
 nameif LAN
 security-level 0
 ip address 10.241.1.61 255.255.255.0
!
interface Ethernet0/1
 nameif WAN
 security-level 0
 ip address 61.227.106.64 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network CareOneTSFarm
 subnet 10.11.102.0 255.255.255.0
object network Core_NAT
 host 61.227.106.70
object network NAT_to_outside
 subnet 0.0.0.0 0.0.0.0
object-group network Core_LAN
 network-object 10.134.115.0 255.255.255.0
 network-object 10.135.115.0 255.255.255.0
access-list VPNCore extended permit ip object CareOneTSFarm object-group Core_LAN
nat (LAN,WAN) source static CareOneTSFarm Core_NAT destination static Core_LAN Core_LAN
!
object network NAT_to_outside
 nat (LAN,WAN) dynamic interface
route WAN 0.0.0.0 0.0.0.0 61.227.106.1 1
route LAN 10.11.0.0 255.255.0.0 10.241.1.1 1
crypto ipsec ikev1 transform-set AES256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map VPN 50 match address VPNCore
crypto map VPN 50 set peer 9.105.8.204
crypto map VPN 50 set ikev1 transform-set AES256_SHA
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto map VPN interface WAN
tunnel-group 9.105.8.204 type ipsec-l2l
tunnel-group 9.105.8.204 ipsec-attributes
 ikev1 pre-shared-key *****

Accepted Solutions

Jennifer Halim
Cisco Employee

This NAT line:

nat (LAN,WAN) source static CareOneTSFarm Core_NAT destination static Core_LAN Core_LAN

should be:

nat (LAN,WAN) source dynamic CareOneTSFarm Core_NAT destination static Core_LAN Core_LAN

And the VPNCore ACL should match the NATed IP instead of the real IP:

access-list VPNCore extended permit ip object Core_NAT object-group Core_LAN

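As an added example that is not part of the post or of Cisco's tooling, this Python checker parses the object, NAT, access-list and crypto map lines in the shapes used above and flags both corrections from the accepted answer: a 'source static' rule that maps a whole subnet onto a single host, and a crypto ACL that names the real object instead of the translated one. POSTED is a constructed excerpt that reuses the post's object names; FIXED applies the two changes from the answer.

```python
"""Check policy NAT vs. crypto ACL for an ASA 8.4 site-to-site tunnel.
Added example, not the poster's config or Cisco's tooling; it parses only the
line shapes used in the post. POSTED is a constructed excerpt, FIXED the answer."""
import ipaddress
import re

NAT_RE = re.compile(r"^nat \(\S+\) source (static|dynamic) (\S+) (\S+) destination ")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip object (\S+)")
MAP_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")

POSTED = """\
object network CareOneTSFarm
 subnet 10.11.102.0 255.255.255.0
object network Core_NAT
 host 61.227.106.70
access-list VPNCore extended permit ip object CareOneTSFarm object-group Core_LAN
nat (LAN,WAN) source static CareOneTSFarm Core_NAT destination static Core_LAN Core_LAN
crypto map VPN 50 match address VPNCore
"""
FIXED = POSTED.replace("source static CareOneTSFarm", "source dynamic CareOneTSFarm"
                       ).replace("ip object CareOneTSFarm", "ip object Core_NAT")

def parse_objects(cfg):
    """Return {name: ip_network} for each 'object network' defined by host/subnet."""
    objs, cur = {}, None
    for t in (ln.split() for ln in cfg.splitlines() if ln.strip()):
        if t[:2] == ["object", "network"]:
            cur = t[2]
        elif cur and t[0] in ("host", "subnet"):
            objs[cur] = ipaddress.ip_network(t[1] if t[0] == "host" else f"{t[1]}/{t[2]}")
        else:
            cur = None  # any other top-level command ends the object block
    return objs

def check_vpn_nat(cfg):
    """Return findings; an empty list means the NAT rule and crypto ACL agree."""
    objs, lines, findings = parse_objects(cfg), cfg.splitlines(), []
    nats = [m.groups() for m in map(NAT_RE.match, lines) if m]
    crypto_acls = {m.group(1) for m in map(MAP_RE.match, lines) if m}
    for mode, real, mapped in nats:
        # A /24 cannot map one-to-one onto a single host: that is PAT, i.e. 'source dynamic'.
        if mode == "static" and objs[real].num_addresses > objs[mapped].num_addresses:
            findings.append(f"nat {real}->{mapped}: many-to-one needs 'source dynamic'")
    for acl, src in (m.groups() for m in map(ACL_RE.match, lines) if m):
        # NAT runs before the crypto map check, so the crypto ACL sees translated addresses.
        for _mode, real, mapped in nats:
            if acl in crypto_acls and src == real and real != mapped:
                findings.append(f"access-list {acl}: {real} is pre-NAT; use {mapped}")
    return findings
```

Running check_vpn_nat(POSTED) reports both problems the answer points out, while check_vpn_nat(FIXED) returns an empty list.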
