11-20-2013 06:59 AM
Hi Everybody.
I have question regarding the Site-2-Site VPN and NAT.
HQ is connected to Partner and Co-location through site-to-site VPN (with two different tunnels). Co-location is connected to the HQ through site-to-site VPN.
HQ:
Co-location:
Partner:
Basically what I want to achieve is to do the following:
All traffic from co-location with destination to Partner should go through HQ and the source IP needs to be changed, so that on the Partner side it looks like the traffic originates from the HQ DMZ zone.
How can I achieve that?
HW: Cisco ASA
11-20-2013 04:42 PM
Hello Roger,
The configuration that you need will be on the HQ ASA.
First of all configure the ASA so that it would allow traffic to leave through the same interface that it came through:
same-security-traffic permit intra-interface
Then you would need to create a NAT to an IP from that range (this would work if the partner doesn't need to go to the colocation, just from colo to the partner):
access-list policy-based-nat1 permit ip
nat (
global (
This is assuming that you already have an interesting traffic rule (crypto map ACL permit) from your DMZ to the colocation.
For a more specific example, see below:
Colocation network: 192.168.1.0/24
HQ DMZ Network: 10.10.10.0/24
Partner Network: 172.16.10.0/24
same-security-traffic permit intra-interface
! Policy NAT: colo -> partner traffic arriving on outside is translated to a DMZ address
access-list policy-based-nat1 permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
nat (outside) 100 access-list policy-based-nat1
global (outside) 100 10.10.10.253
! Crypto ACL for the partner tunnel matches the post-NAT (DMZ) source, and the crypto map must reference it by that name
access-list vpn10 permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0
crypto map vpn 10 match address vpn10
If the partner needs to access the colocation as well (bidirectional access) you can't use the DMZ's network as it needs to be a one-to-one translation and you would need the same amount of addresses to be translated as you have on the colocation.
However it would be possible if your DMZ network is larger than the colocation (like DMZ being a /16 and colo being /24) and you can segregate a subnet just for that nat.
Hope this helps resolve the issue.
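To make the ordering in Elias's answer concrete, here is an added packet-walk model of the HQ ASA hairpin (constructed for this thread, not ASA code and not part of the original post). It uses the thread's addresses and ACL names and assumes a simplified evaluation order in which the policy NAT runs before the crypto map ACL is checked, which is why the crypto ACL has to name the translated 10.10.10.0/24 source rather than the colo network; the `vpn_wrong` ACL is a constructed counter-example.

```python
import ipaddress

# Added packet-walk model of the HQ ASA hairpin from this thread (constructed, not ASA code).
# Addresses and ACL names come from the thread; the evaluation order is a simplification.
INTRA_INTERFACE = True  # same-security-traffic permit intra-interface

# access-list policy-based-nat1 permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
# nat (outside) 100 access-list policy-based-nat1 / global (outside) 100 10.10.10.253
POLICY_NAT = [("192.168.1.0/24", "172.16.10.0/24", "10.10.10.253")]

# Crypto ACLs: vpn10 is the thread's correct one (post-NAT DMZ source);
# vpn_wrong is a constructed mistake that lists the pre-NAT colo source.
CRYPTO_ACLS = {
    "vpn10": [("10.10.10.0/24", "172.16.10.0/24")],
    "vpn_wrong": [("192.168.1.0/24", "172.16.10.0/24")],
}

def acl_match(entries, src, dst):
    """True if (src, dst) falls inside any 'permit ip' line of the ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               for sn, dn in entries)

def policy_nat(src, dst):
    """Translated source on a policy NAT hit; the original source otherwise."""
    for sn, dn, global_ip in POLICY_NAT:
        if acl_match([(sn, dn)], src, dst):
            return global_ip
    return src

def hairpin_walk(src, dst, crypto_acl="vpn10", in_if="outside", out_if="outside"):
    """Walk one packet through the HQ ASA in the order the thread relies on:
    1. hairpin allowed?  2. policy NAT on outside  3. crypto ACL checked on the POST-NAT source."""
    if in_if == out_if and not INTRA_INTERFACE:
        return {"dropped": True, "reason": "intra-interface traffic denied"}
    xlated = policy_nat(src, dst)
    return {"dropped": False, "translated_src": xlated,
            "encrypted": acl_match(CRYPTO_ACLS[crypto_acl], xlated, dst)}

if __name__ == "__main__":
    # Colo host to partner host: translated to the DMZ address and matched by vpn10
    print(hairpin_walk("192.168.1.10", "172.16.10.20"))
    # Same packet against the pre-NAT ACL: translated, but never encrypted
    print(hairpin_walk("192.168.1.10", "172.16.10.20", crypto_acl="vpn_wrong"))
```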
11-21-2013 06:05 AM
Roger,
That looks good but you are still missing a detail:
access-list colocation_vpn extended permit ip
(obviously the colocation device must have a line from its network to the partner)
I hope this helps.
11-20-2013 12:27 PM
ASA version 8.0.3
11-21-2013 12:59 AM
Thanks for your reply. It is very useful!
Will this config solve this scenario?
ASA Version 8.0(3)
!
terminal width 180
hostname XXXXX
domain-name XX.local
enable password XX
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 8.8.8.8 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.191.0.5 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.191.10.5 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 10.10.10.5 255.255.255.0
management-only
!
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone GMT 0
object-group network DM_INLINE_NETWORK_2
network-object 8.8.8.8 255.255.255.0
network-object Partner network
access-list policy-based-nat1 permit ip
access-list nonat extended permit ip 10.191.0.0 255.255.255.0
access-list nonat extended permit ip 10.191.0.0 255.255.255.0
access-list partner_vpn extended permit ip 10.191.0.0 255.255.255.0
access-list partner_vpn extended permit ip 10.191.10.0 255.255.255.0
access-list colocation_vpn extended permit ip 10.191.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
no asdm history enable
same-security-traffic permit intra-interface
arp timeout 14400
global (outside) 1 interface
global (outside) 100 10.191.10.253
nat (outside) 100 access-list policy-based-nat1
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 isp router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set vpnset
crypto map vpnmap 10 match address partner_vpn
crypto map vpnmap 10 set peer partner peer
crypto map vpnmap 10 set transform-set ESP-AES-256-SHA
crypto map vpnmap interface outside
crypto map vpnmap 20 match address colocation_vpn
crypto map vpnmap 20 set peer partner peer
crypto map vpnmap 20 set transform-set ESP-AES-256-SHA
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 1000
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 10
telnet timeout 5
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
pre-shared-key xxxx
tunnel-group partner peer type ipsec-l2l
tunnel-group partner peer ipsec-attributes
pre-shared-key xxxxx
tunnel-group colocation peer type ipsec-l2l
tunnel-group colocation peer ipsec-attributes
pre-shared-key xxxxx
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
inspect dns
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:XXXXXX
: end
11-28-2013 06:19 AM
Working Nice ;-) Elias thanks! Now I wanna test this with the new 8.4 NAT syntax ;-)