NATing traffic over IPSEC

benford01
Level 1

Hi 

I have an issue where we are creating a VPN to a different site where the subnets overlap. I am not in control of the other site so I cannot make any changes at their end so I have to assume everything is configured correctly. 

I have set up the VPN with 192.168.2.0/24 as the local network and the remote network is set up as 10.20.0.0/24. I need to NAT the traffic on the way out of this network to a 10.10.0.0/24 address. When I set up the NAT rule the traffic doesn't try to go through the VPN according to packet tracer. If I do a NAT exempt rule and run packet tracer I can see the traffic go into the tunnel. So I'm wondering, for this to work how I want, would I need to have the local network set up as 10.10.0.0/24 in the VPN configuration?

 

I have included a diagram for reference 

ASA 8.2(5)

Thanks

Ben 

7 Replies

Jon Marshall
Hall of Fame

Ben

Your crypto map acl must reference the 10.20.x.x IPs and not the real IPs.

And the other end needs to reference the same IPs.

Jon

Thanks Jon, I have this in place and when I do a packet trace it doesn't even make it to the tunnel.

I have a Dynamic NAT Policy set up like this. 

Source 192.168.2.0/24

Destination 10.20.0.0/24

Interface Inside 

Translated address 10.10.0.0/24

I think that this may cause the issue but it's the first time I have tried to set up anything like this on a Cisco firewall.

Any help is much appreciated.

Thanks 

Can you post your configuration ?

Jon

ASA Version 8.2(Running)

!

name 10.10.0.0/24 alan_
!

interface Vlan2
description alan office 56
nameif alan
security-level 90
ip address 192.168.2.10 255.255.255.0

!

object-group network REMOTE_SUBNETS
description Subnets
network-object 10.20.0.0 255.255.255.0
!

access-list alan_nat0_outbound_1 extended permit ip 192.168.2.0 255.255.255.0 object-group REMOTE_SUBNETS

!

access-list external_fixed_6_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group REMOTE_SUBNETS

!

global (alan) 3 10.10.0.1-10.10.0.255 netmask 255.255.255.0

!

crypto map outside_map 6 match address external_fixed_6_cryptomap
crypto map outside_map 6 set pfs
crypto map outside_map 6 set peer
crypto map outside_map 6 set transform-set ESP-AES-256-SHA

!

This is pretty much everything to do with the IPSEC connection.

Your crypto map acl is still referencing 192.168.2.0/24.

It should be referencing 10.10.0.0/24.

Note also with a dynamic NAT only you will be able to initiate the connection ie. the remote end cannot start the connection.

This may or may not be what you want.

Jon

I finally found the issue to this. 

I had to terminate the VPN on the outside interface and have the remote network set up to use the ALAN object. Then I had to change the NAT rule to NAT the traffic from the inside interface to the outside interface with the source changed to the ALAN object.

Thanks for the advice though. Reading through the Cisco documentation I don't think I should have had to do it like this, but I found this is the only way I could get it to work.

Ben 

Your nat statement is also missing, i.e. it should be -

nat (inside) 3 access-list Barrachd_nat0_outbound_1

although you may want to rename your acl because you are not doing a NAT exemption for this traffic, you actually want to NAT the source IPs.

Jon
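The three points Jon raises in this thread (the crypto map ACL must match the translated 10.10.0.0/24 source rather than the real 192.168.2.0/24; a `nat (<ingress>) <id> access-list <acl>` statement must pair with the `global (...) <id>` pool; and, from Ben's final fix, the pool belongs on the egress interface where the tunnel terminates) can be checked mechanically before a tunnel is brought up. The script below is an added example, not code from the thread or from Cisco. It embeds Ben's configuration as posted as a constructed sample, plus a constructed corrected version following Jon's advice, and audits both. The regexes, the `audit_config` function, the ACL name `alan_policy_nat` and the `egress_ifc="outside"` default (taken from the crypto map name `outside_map`, which the thread does not confirm with a `crypto map ... interface` line) are all assumptions of this example.

```python
"""Audit an ASA 8.2-style policy NAT + IPsec crypto map for the mistakes in this thread.

Checks:
  1. Each ACL a crypto map entry matches on must use translated (NATed) source
     addresses, i.e. addresses inside some `global` pool, not the real subnet.
  2. Every `global (...) <id>` pool needs a `nat (...) <id> access-list <acl>`.
  3. The `global` pool must be defined on the egress interface, not the ingress one.
"""
import ipaddress
import re

# Constructed sample: Ben's configuration as posted (redactions left in place).
SAMPLE_CONFIG = """\
interface Vlan2
 nameif alan
 security-level 90
 ip address 192.168.2.10 255.255.255.0
object-group network REMOTE_SUBNETS
 network-object 10.20.0.0 255.255.255.0
access-list alan_nat0_outbound_1 extended permit ip 192.168.2.0 255.255.255.0 object-group REMOTE_SUBNETS
access-list external_fixed_6_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group REMOTE_SUBNETS
global (alan) 3 10.10.0.1-10.10.0.255 netmask 255.255.255.0
crypto map outside_map 6 match address external_fixed_6_cryptomap
"""

# Constructed corrected version per Jon's advice: policy NAT ACL keyed on the real
# source, crypto ACL keyed on the translated source, pool on the egress side.
# The ACL name alan_policy_nat is an assumption of this example.
CORRECTED_CONFIG = """\
interface Vlan2
 nameif alan
 security-level 90
 ip address 192.168.2.10 255.255.255.0
object-group network REMOTE_SUBNETS
 network-object 10.20.0.0 255.255.255.0
access-list alan_policy_nat extended permit ip 192.168.2.0 255.255.255.0 object-group REMOTE_SUBNETS
access-list external_fixed_6_cryptomap extended permit ip 10.10.0.0 255.255.255.0 object-group REMOTE_SUBNETS
nat (alan) 3 access-list alan_policy_nat
global (outside) 3 10.10.0.1-10.10.0.255 netmask 255.255.255.0
crypto map outside_map 6 match address external_fixed_6_cryptomap
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(rf"^access-list (\S+) extended permit ip {IP} {IP} ")
GLOBAL_RE = re.compile(rf"^global \((\S+)\) (\d+) {IP}-{IP} netmask (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)")
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")


def parse(config_text):
    """Pull out the handful of statements the audit needs."""
    acl_sources = {}  # ACL name -> list of source networks
    pools = {}        # NAT id -> (interface, pool network)
    nats = {}         # NAT id -> (ingress interface, policy ACL name)
    crypto_acls = []  # ACL names referenced by crypto map entries
    for line in config_text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            acl_sources.setdefault(m.group(1), []).append(net)
        elif m := GLOBAL_RE.match(line):
            pool = ipaddress.ip_network(f"{m.group(3)}/{m.group(5)}", strict=False)
            pools[m.group(2)] = (m.group(1), pool)
        elif m := NAT_RE.match(line):
            nats[m.group(2)] = (m.group(1), m.group(3))
        elif m := CRYPTO_RE.match(line):
            crypto_acls.append(m.group(3))
    return acl_sources, pools, nats, crypto_acls


def audit_config(config_text, egress_ifc="outside"):
    """Return a list of findings; an empty list means all three checks passed."""
    acl_sources, pools, nats, crypto_acls = parse(config_text)
    translated = [pool for _, pool in pools.values()]
    findings = []
    # 1. crypto ACL source must fall inside a translated pool (Jon's first point)
    for acl in crypto_acls:
        for src in acl_sources.get(acl, []):
            if not any(src.subnet_of(pool) for pool in translated):
                findings.append(
                    f"crypto ACL {acl} references real source {src}; it must reference "
                    f"the translated pool(s) {[str(p) for p in translated]}")
    for nat_id, (ifc, pool) in pools.items():
        # 2. a global pool does nothing without a nat statement carrying the same id
        if nat_id not in nats:
            findings.append(
                f"global ({ifc}) {nat_id} has no 'nat (<ingress>) {nat_id} access-list <acl>' "
                f"statement to pair with it")
        # 3. the pool is consulted on the egress interface, so define it there
        if ifc != egress_ifc:
            findings.append(
                f"global pool {pool} is defined on interface {ifc}; it belongs on "
                f"egress interface {egress_ifc}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"--- {label} ---")
        for finding in audit_config(cfg) or ["no findings"]:
            print(finding)
```

Run against the posted configuration the audit reports all three problems; against the corrected one it reports none. The policy NAT ACL (`alan_policy_nat`) and the crypto ACL are deliberately different objects: the former matches the real 192.168.2.0/24 source so the translation fires, the latter matches the translated 10.10.0.0/24 source so the packet is selected for the tunnel after translation, which is the ordering Jon's replies describe.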