S2S VPN (with NAT) query

mvsheik123
Level 7

Hello experts,

ASA (8.2) with standard Site-to-Site and Internet access related configs.

Outside: 1.1.1.1/24 -> peer IP for S2S VPN.

Inside: Pvt subnets

Standard 'Nat 0' commands and crypto ACLs for our remote offices' LANs with Pvt IP scheme.

Requirement:

Need to connect to external client PCs (3.3.3.3 & 4.4.4.4) over tcp/443 through S2S VPN from our LAN. Client only accepts hosts with public IPs.

I need to NAT my internal IP to a public IP, say 1.1.1.2, and establish a VPN tunnel between 1.1.1.1 -> client side primary & secondary IPs (Cisco Router), without losing connectivity to remote offices. Does policy NAT work here?

ex:

    My internal: 10.0.0.0/8 & 192.168.0.0/16
    Assigned available IP for NAT (while connecting to ext client only): 1.1.1.5
    External Client LAN IPs: 3.3.3.3 & 4.4.4.4

    PAT:
    access-list TOCLIENT extended permit ip object-group MYLAN object-group CLIENT_LAN
    nat (inside) 5 access-list TOCLIENT
    global (outside) 5 1.1.1.5

    Crypto:
    access-list CRYPTO extended permit tcp host 1.1.1.5 object-group CLIENT_LAN eq 443
    crypto map Outsidemap 1 match address CRYPTO

Client will initiate peer with 1.1.1.1 IP only.

Do I need any 'Nat 0' configs here?

 

Also, for phase 2 specs, there are no transform-set options given. Info given was:

Phase 2: AH: Disabled, Lifetime: 3600 Sec, PFS: Disabled, Compression LZS: Disabled.

Does this work without phase 2 options?

 

Thanks in advance

MS
 


5 Replies

rizwanr74
Level 7

Hi there,

You are on the right path.

Use only IP instead of TCP ports in the crypto ACL:

    access-list CRYPTO extended permit ip host 1.1.1.5 object-group CLIENT_LAN

Yes, phase 2 will work as well; just don't define those options in the static config, it will dynamically agree upon the proposed parameters.

You must assign a transform set for phase 2, and there is no need for NAT exemption.

 

thanks

Rizwan Rafeek

Thank you both. So..

1. Existing NAT (inside) 1 <MYLAN> & global (outside) will not interfere with NAT 5 when users try to reach ClientLAN.

2. For phase 2 in general, we define: crypto ipsec transform-set TEST <set1> <set2>

In this scenario, no need to define any <set> and just add an empty transform-set statement under the crypto map?

3. If we want to restrict the destination port to 443, I need to use separate VPN filters?

4. We have multiple phase 1 configs, but wanted to use AES256 & DH5 (new policy). For S2S, these options will work fine.

Please clarify.

Thanks in advance

MS

 

Hi there,

"Existing NAT (inside) 1 <MYLAN> & global (outside) will not interfere with NAT 5 when users try to reach ClientLAN."

Your inside NAT index is "1", whereas the dynamic policy-NAT is index "5".

"For phase 2 in general, we define: crypto ipsec transform-set TEST <set1> <set2>"

Make sure the remote tunnel peers accept the same transform set; whatever you set up, as in the example below, the remote tunnel peer must set the same.

    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

"In this scenario, no need to define any <set> and just add an empty transform-set statement under the crypto map?"

No, you need a transform set.

"3. If we want to restrict the destination port to 443, I need to use separate VPN filters?"

That is correct, use a vpn-filter.

"4. We have multiple phase 1 configs, but wanted to use AES256 & DH5 (new policy). For S2S, these options will work fine."

Sure, as long as you define the phase 1 as needed.

 

thanks

Rizwan Rafeek
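Putting Rizwan's answers together with MS's original snippets as one ASA 8.2 configuration. This is an added example, not a poster's config: the object-group names, the phase 1 policy number, the peer address 198.51.100.1 and the pre-shared key are placeholders, and the vpn-filter ACL follows the Cisco convention of being written with the remote side as source, matching the translated local address 1.1.1.5 (assumed, since NAT precedes encryption on outbound traffic).

```cisco
! Hosts/subnets are from the thread; the peer address 198.51.100.1 and
! the pre-shared key are placeholders for this example.
object-group network MYLAN
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network CLIENT_LAN
 network-object host 3.3.3.3
 network-object host 4.4.4.4
!
! Existing Internet NAT stays on index 1; the remote offices' existing
! "nat (inside) 0 access-list <NONAT>" exemption is left untouched.
! Policy NAT on index 5 only translates MYLAN -> CLIENT_LAN to 1.1.1.5.
access-list TOCLIENT extended permit ip object-group MYLAN object-group CLIENT_LAN
nat (inside) 5 access-list TOCLIENT
global (outside) 5 1.1.1.5
!
! Crypto ACL matches the post-NAT source and permits ip, not tcp/443.
access-list CRYPTO extended permit ip host 1.1.1.5 object-group CLIENT_LAN
!
! Phase 1: AES-256 / SHA-1 / DH group 5 on a new policy number.
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! Phase 2: a transform set is mandatory; lifetime 3600 s, PFS off (default).
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map Outsidemap 1 match address CRYPTO
crypto map Outsidemap 1 set peer 198.51.100.1
crypto map Outsidemap 1 set transform-set ESP-AES-128-SHA
crypto map Outsidemap 1 set security-association lifetime seconds 3600
crypto map Outsidemap interface outside
!
! vpn-filter restricts what may cross the tunnel to tcp/443. The ACL is
! written from the remote side's view: source = client hosts (port 443),
! destination = the translated local address 1.1.1.5.
access-list VPN443 extended permit tcp object-group CLIENT_LAN eq 443 host 1.1.1.5
group-policy L2L-CLIENT internal
group-policy L2L-CLIENT attributes
 vpn-filter value VPN443
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 general-attributes
 default-group-policy L2L-CLIENT
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE_WITH_REAL_PSK
```

Before bringing the tunnel up, "packet-tracer input inside tcp 10.0.0.10 12345 3.3.3.3 443" shows whether a flow from a constructed inside host hits NAT rule 5 and the crypto map, which is the check Tushar suggests below. A second peer address (the client's secondary IP) needs its own tunnel-group with the same default-group-policy.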

Hi MS,

 

I think Rizwan has answered all your queries; I wanted to share the VPN filter link below for your reference:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

 

Feel free to reach out in case you have any further questions.

 

Regards,

 

Tushar Bangia

 

Note: Please do rate the post if you find it helpful!!

 

Tushar Bangia
Level 1

Hi MS,

 

The configs look good; however, you can remove the port details from the crypto ACL as recommended by Rizwan.

If you wish to test your configs, then you can run packet-tracer to see if the traffic hits the crypto engine and also to validate your configs.

 

Regards,

 

Tushar Bangia

Note: Please do rate the post if you find it helpful!!