cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1550
Views
0
Helpful
5
Replies

Site-2-Site VPN and NAT

Roger Base
Level 1
Level 1

Hi Everybody.

I have question regarding the Site-2-Site VPN and NAT.

HQ  is connected to Partner and Co-location through site to site VPN (with  two diffrent tunnels). Co-location is connected to the HQ through  site-2-site VPN.

HQ:
Co-location:
Partner:

Basically what I want to achieve is to do the following:

All  traffic from co-location with destination to Partner should go through  HQ and the source IP needs to be changed. So it looks like that the  traffic is originates from the HQ dmz zone on the Partner side.

How can I achieve that?

HW: Cisco ASA

2 Accepted Solutions

Accepted Solutions

elialope
Level 1
Level 1

Hello Roger,

The configuration that you need will be on the HQ ASA.

First of all configure the ASA so that it would allow traffic to leave through the same interface that it came through:

same-security-traffic permit intra-interface

then you would need to create a nat that to an IP from that range (this would work if the partner doesn't need to go to the colocation, just from colo to the partner):

access-list policy-based-nat1 permit ip

nat ()   access-list policy-based-nat1

global ()

This is asuming that you already have an interesting traffic rule (crypto map ACL permit) from your DMZ to the colocation.

For a more specific example, see below:

Colocation network: 192.168.1.0/24

HQ DMZ Network: 10.10.10.0/24

Partner Network: 172.16.10.0/24

same-security-traffic permit intra-interface

access-list policy-based-nat1 permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0

nat (outside) 100  access-list policy-based-nat1

global (outside) 100 10.10.10.253

access-list vpn10 permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0

crypto map vpn 10 match address vpn

If the partner needs to access the colocation as well (bidirectional access) you can't use the DMZ's network as it needs to be a one to one translation and you would need the same amount of addresses to be translated as you have on the colocation.

However it would be possible if your DMZ network is larger than the colocation (like DMZ being a /16 and colo being /24) and you can segregate a subnet just for that nat.

Hope this helps resolve the issue.

View solution in original post

Roger,

That looks good but you are still missing a detail:

access-list colocation_vpn extended permit ip

(obiously the colocation device must have a line that is from it's network to the partner)

I hope this helps.


View solution in original post

5 Replies 5

Roger Base
Level 1
Level 1

ASA version 8.0.3

elialope
Level 1
Level 1

Hello Roger,

The configuration that you need will be on the HQ ASA.

First of all configure the ASA so that it would allow traffic to leave through the same interface that it came through:

same-security-traffic permit intra-interface

then you would need to create a nat that to an IP from that range (this would work if the partner doesn't need to go to the colocation, just from colo to the partner):

access-list policy-based-nat1 permit ip

nat ()   access-list policy-based-nat1

global ()

This is asuming that you already have an interesting traffic rule (crypto map ACL permit) from your DMZ to the colocation.

For a more specific example, see below:

Colocation network: 192.168.1.0/24

HQ DMZ Network: 10.10.10.0/24

Partner Network: 172.16.10.0/24

same-security-traffic permit intra-interface

access-list policy-based-nat1 permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0

nat (outside) 100  access-list policy-based-nat1

global (outside) 100 10.10.10.253

access-list vpn10 permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0

crypto map vpn 10 match address vpn

If the partner needs to access the colocation as well (bidirectional access) you can't use the DMZ's network as it needs to be a one to one translation and you would need the same amount of addresses to be translated as you have on the colocation.

However it would be possible if your DMZ network is larger than the colocation (like DMZ being a /16 and colo being /24) and you can segregate a subnet just for that nat.

Hope this helps resolve the issue.

Thanks for your reply. It is very usefull!

Will this config solve this senairo.

ASA Version 8.0(3)

!

terminal width 180

hostname XXXXX

domain-name XX.local

enable password XX

names

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 8.8.8.8 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.191.0.5 255.255.255.0

!

interface Ethernet0/2

nameif dmz

security-level 50

ip address 10.191.10.5 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

nameif management

security-level 100

ip address 10.10.10.5 255.255.255.0

management-only

!

boot system disk0:/asa803-k8.bin

ftp mode passive

clock timezone GMT 0

object-group network DM_INLINE_NETWORK_2

network-object 8.8.8.8 255.255.255.0

network-object Partner network

access-list policy-based-nat1 permit ip

access-list nonat extended permit ip 10.191.0.0 255.255.255.0

access-list nonat extended permit ip 10.191.0.0 255.255.255.0

access-list partner_vpn extended permit ip 10.191.0.0 255.255.255.0

access-list partner_vpn extended permit ip 10.191.10.0 255.255.255.0

access-list colocation_vpn extended permit ip 10.191.0.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

mtu management 1500

no asdm history enable

same-security-traffic permit intra-interface

arp timeout 14400

global (outside) 1 interface

global (outside) 100 10.191.10.253

nat (outside) 100 access-list policy-based-nat1

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 isp router 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set vpnset esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set vpnset

crypto map vpnmap 10 match address partner_vpn

crypto map vpnmap 10 set peer partner peer

crypto map vpnmap 10 set transform-set ESP-AES-256-SHA

crypto map vpnmap interface outside

crypto map vpnmap 20 match address colocation_vpn

crypto map vpnmap 20 set peer partner peer

crypto map vpnmap 20 set transform-set ESP-AES-256-SHA

crypto map vpnmap interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp enable inside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 1000

crypto isakmp policy 20

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 10

telnet timeout 5

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

pre-shared-key xxxx

tunnel-group partner peer type ipsec-l2l

tunnel-group partner peer ipsec-attributes

pre-shared-key xxxxx

tunnel-group colocation peer type ipsec-l2l

tunnel-group colocation peer ipsec-attributes

pre-shared-key xxxxx

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

  inspect icmp error

  inspect dns

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:XXXXXX

: end

Roger,

That looks good but you are still missing a detail:

access-list colocation_vpn extended permit ip

(obiously the colocation device must have a line that is from it's network to the partner)

I hope this helps.


Working Nice ;-) Elias thanks! Now I wanna test this with the new 8.4 NAT syntax ;-)