03-09-2015 07:33 PM
Hello experts,
ASA (8.2) with standard Site 2 Site and Internet access related configs.
Outside : 1.1.1.1/24 -> peer IP for S2S VPN.
Inside : Pvt subnets
Standard 'Nat 0' commands and crypto ACLs for our remote offices LANs with Pvt IP scheme.
Requirement:
Need to connect to external client PCs (3.3.3.3 & 4.4.4.4) over tcp/443 through the S2S VPN from our LAN. The client only accepts hosts with public IPs.
I need to NAT my internal IP to a public IP, say 1.1.1.2, and establish a VPN tunnel between 1.1.1.1 and the client-side primary & secondary IPs (Cisco router),
(without losing connectivity to remote offices). Does policy NAT work here?
ex:
My internal: 10.0.0.0/8 & 192.168.0.0/16
Assigned available IP for NAT (used only when connecting to the external client): 1.1.1.5
External Client LAN IPs: 3.3.3.3 & 4.4.4.4
PAT: access-list TOCLIENT extended permit ip object-group MYLAN object-group CLIENT LAN
nat (inside) 5 access-list TOCLIENT
global (outside) 5 1.1.1.5
Crypto: access-list CRYPTO extended permit tcp host 1.1.1.5 object-group CLIENT LAN eq 443
crypto map Outsidemap 1 match address CRYPTO
Client will initiate peer with 1.1.1.1 IP only.
Do I need any 'Nat 0' configs here?
Also, for the phase 2 specs, no transform-set options were given. The info given was:
Phase 2: AH: Disabled, Lifetime: 3600 sec, PFS: Disabled, Compression LZS: Disabled.
Does this work without phase 2 options?
Thanks in advance
MS
03-10-2015 08:20 AM
Hi there,
"Existing NAT (Inside) 1 <MYLAN> & global (outside) will not interfere with NAT 5 when users try to reach ClientLAN."
Your inside nat index is "1", whereas the dynamic policy-nat is index "5".
"For phase 2 in general, we define- Crypto ipsec transform-set TEST <set1><set2>"
Make sure the remote tunnel peers accept the same transform set: whatever you set up (as in the example below), the remote tunnel peer must set the same.
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
"In this scenario, no need to define any <set> and just add empty transform set statement under crypto map?"
No, you need a transform set.
"3. If we want to restrict destination port to 443 , I need to use separate VPN filters?"
That is correct, use a vpn-filter.
"4. We have multiple phase 1 configs, but wanted use AES256 & DH5 (new policy).. for s2s, these options will work fine. "
Sure, provided you defined the phase 1 as needed.
thanks
Rizwan Rafeek
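The pieces discussed in the thread (policy NAT to 1.1.1.5, an IP-only crypto ACL, a mandatory transform set, a vpn-filter for tcp/443, and an AES256/DH5 phase 1) pulled together into one ASA 8.2 configuration. This is an added example, not configuration posted by MS, Rizwan or Tushar and not taken from Cisco documentation; it keeps the thread's names (MYLAN, TOCLIENT, CRYPTO, Outsidemap, ESP-AES-128-SHA) and marks as ASSUMED every name and value it invents (CLIENT_LAN in place of "CLIENT LAN", REMOTE_OFFICES, NONAT, CLIENT_GP, CLIENT_VPN_FILTER, the peer IP placeholders, the sample remote-office subnet and the sample inside host). Whether the vpn-filter sees the translated address 1.1.1.5 is also marked as an assumption in the block.

```cisco
! Added example (not from the thread): consolidated ASA 8.2 config for the scenario.
! Names marked ASSUMED are placeholders chosen here, not values from the thread.
!
! Object groups. An ASA object-group name cannot contain a space, so the
! thread's "CLIENT LAN" is written as CLIENT_LAN (ASSUMED name).
object-group network MYLAN
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network CLIENT_LAN
 network-object host 3.3.3.3
 network-object host 4.4.4.4
! ASSUMED name and ASSUMED sample subnet for the existing private remote-office LANs.
object-group network REMOTE_OFFICES
 network-object 172.16.0.0 255.255.0.0
!
! Existing NAT exemption for the remote offices (private to private), ASSUMED ACL name NONAT.
! 8.2 NAT order of operations: nat 0 exemption -> static -> policy dynamic NAT ->
! regular dynamic NAT. The policy rule below is therefore evaluated before
! "nat (inside) 1" regardless of the ID numbers, which is why the two do not collide.
access-list NONAT extended permit ip object-group MYLAN object-group REMOTE_OFFICES
nat (inside) 0 access-list NONAT
!
! Policy NAT: only MYLAN -> CLIENT_LAN traffic is translated to 1.1.1.5.
! Do not add CLIENT_LAN to NONAT: exemption is matched first and the traffic would
! enter the tunnel with a private source address that the client rejects.
access-list TOCLIENT extended permit ip object-group MYLAN object-group CLIENT_LAN
nat (inside) 5 access-list TOCLIENT
global (outside) 5 1.1.1.5
!
! Existing general Internet NAT (index 1), untouched.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Crypto ACL: post-NAT source, protocol ip only (no ports), as the replies recommend.
access-list CRYPTO extended permit ip host 1.1.1.5 object-group CLIENT_LAN
!
! Phase 1: AES256 / SHA / DH group 5 / pre-shared key, as asked in the follow-up.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! Phase 2: a transform set is mandatory and both peers must agree on it.
! ESP-AES/SHA from the reply; lifetime 3600 s and no "set pfs" match the client's
! stated phase 2 parameters (PFS disabled).
! CLIENT_PRIMARY_PEER / CLIENT_SECONDARY_PEER are ASSUMED placeholders for the
! client router's primary and secondary public IPs.
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map Outsidemap 1 match address CRYPTO
crypto map Outsidemap 1 set peer CLIENT_PRIMARY_PEER CLIENT_SECONDARY_PEER
crypto map Outsidemap 1 set transform-set ESP-AES-128-SHA
crypto map Outsidemap 1 set security-association lifetime seconds 3600
crypto map Outsidemap interface outside
!
! Restrict the tunnel to tcp/443 with a vpn-filter (ASSUMED names CLIENT_VPN_FILTER,
! CLIENT_GP). vpn-filter ACLs are written remote -> local, so "eq 443" sits on the
! remote (source) side and the ASA mirrors the rule for outbound connections.
! ASSUMED: the filter matches on the translated address 1.1.1.5 as carried in the tunnel.
access-list CLIENT_VPN_FILTER extended permit tcp object-group CLIENT_LAN eq 443 host 1.1.1.5
group-policy CLIENT_GP internal
group-policy CLIENT_GP attributes
 vpn-filter value CLIENT_VPN_FILTER
! L2L tunnel-group names are the peer IPs; repeat the block for CLIENT_SECONDARY_PEER.
tunnel-group CLIENT_PRIMARY_PEER type ipsec-l2l
tunnel-group CLIENT_PRIMARY_PEER general-attributes
 default-group-policy CLIENT_GP
tunnel-group CLIENT_PRIMARY_PEER ipsec-attributes
 pre-shared-key <PSK>
!
! Verification, as Tushar suggests (inside host 10.0.0.10 is a constructed sample):
! packet-tracer input inside tcp 10.0.0.10 12345 3.3.3.3 443 detailed
```

The packet-tracer output should show the NAT phase selecting the policy rule (translation to 1.1.1.5) and the VPN phase matching crypto map entry 1; a hit on the regular "nat (inside) 1" rule instead would mean the TOCLIENT ACL did not match the flow.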
03-10-2015 09:05 AM
Hi MS,
I think Rizwan has answered all your queries; I wanted to share the VPN filter link below for your reference:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html
Feel free to reach out in case you have any further questions.
Regards,
Tushar Bangia
Note: Please do rate the post if you find it helpful!!
03-09-2015 08:55 PM
hi there,
You are on the right path.
Use only IP instead of tcp ports in the crypto ACL.
access-list CRYPTO extended permit ip host 1.1.1.5 object-group CLIENT LAN
Yes, phase 2 will work as well; just don't define them in the static config, it will dynamically agree upon the proposed parameters.
You must assign a transform set for phase 2 and no need for nat exemption.
thanks
Rizwan Rafeek
03-10-2015 05:16 AM
Thank you both. So..
1. Existing NAT (Inside) 1 <MYLAN> & global (outside) will not interfere with NAT 5 when users try to reach ClientLAN.
2. For phase 2 in general, we define: crypto ipsec transform-set TEST <set1> <set2>
In this scenario, no need to define any <set> and just add empty transform set statement under crypto map?
3. If we want to restrict destination port to 443 , I need to use separate VPN filters?
4. We have multiple phase 1 configs, but want to use AES256 & DH5 (new policy). For S2S, these options will work fine?
Please clarify.
Thanks in advance
MS
03-09-2015 09:41 PM
Hi MS,
The configs look good; however, you can remove the port details from the crypto ACL as recommended by Rizwan.
If you wish to test your configs, then you can run packet-tracer to see if it hits the crypto engine and also validate your configs.
Regards,
Tushar Bangia
Note: Please do rate the post if you find it helpful!!