Hi,

I have tried doing this on the ASA v8.4, however it doesn't seem to work. Are you able to help me translate this scenario to the new way of NAT'ing?

Ash

Hi Ashley,

Using the networks from the previous example, this 8.3+ configuration should work for you:

object-group network LOCAL_NETWORK

network-object 192.168.1.0 255.255.255.0

object-group network REMOTE_NETWORK

network-object 192.168.3.0 255.255.255.0

object-group network NAT_NETWORK

network-object 172.16.1.0 255.255.255.0

static (inside,outside) source static LOCAL_NETWORK NAT_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK

In the example above, there are actually two NAT's occurring - a source NAT and a destination NAT. We are simply performing an identity NAT on the destination (REMOTE_NETWORK), since that doesn't need to change.

8.3+ offers more flexibility with NAT, to the point where you could even perform source/destination NAT in the same statement within a hub-and-spoke VPN configuration.

Hope that helps. Let me know if you have any other questions.

James

Hi,

Thanks for the reply. I tried those NAT statements and the tunnel would not come up. I don't have the configs with me, but will post them tonight.

You mean the same segment on a public site? On interfaces facing ASA?

If you have separate tunnel groups for each pix on the ASA properly configured, i don't think it matters wether they (pixes) on one subned or different.

Hi Ashley,

In the example I posted, your encryption domain would need to look like this on the local 8.4 firewall performing Policy NAT:

access-list LOCAL_ENC_DOM extended permit ip object-group NAT_NETWORK object-group REMOTE_NETWORK

or written out:

access-list LOCAL_ ENC_DOMAIN extended permit ip 172.16.1.0 255.255.255.0 192.168.3.0 255.255.255.0

The *remote* side would use the NAT'd network in its encryption domain as well:

access-list REMOTE_ENC_DOMAIN extended permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0

If you post your configs I'd be happy to take a look.

James

Configs attached. From what I can see in your example above, I have done the ACLs wrong

Hi Ashley - I'm unable to see the attached configs. You're welcome to copy/paste as well.

James

Site1:

Site1

ASA Version 8.4(2)

!

hostname site1-fw1

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.248

!

interface GigabitEthernet1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface GigabitEthernet2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet4

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

object network INTERNAL

subnet 192.168.1.0 255.255.255.0

object network VPN-NAT

subnet 192.168.101.0 255.255.255.0

object network REMOTE-SITE

subnet 192.168.102.0 255.255.255.0

access-list OUTSIDE_IN extended permit icmp any any echo-reply

access-list OUTSIDE_IN extended permit icmp any any unreachable

access-list OUTSIDE_IN extended permit icmp any any time-exceeded

access-list STATIC-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0

access-list CRYPTO_ACL extended permit ip object INTERNAL object REMOTE-SITE

pager lines 24

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static INTERNAL VPN-NAT destination static REMOTE-SITE REMOTE-SITE

!

object network INTERNAL

nat (inside,outside) dynamic interface

access-group OUTSIDE_IN in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

sysopt noproxyarp inside

crypto ipsec ikev1 transform-set ESP_AES esp-aes esp-sha-hmac

crypto map VPNMAP 1 match address CRYPTO_ACL

crypto map VPNMAP 1 set pfs group5

crypto map VPNMAP 1 set peer x.x.x.x

crypto map VPNMAP 1 set ikev1 transform-set ESP_AES

crypto map VPNMAP interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption aes

hash sha

group 5

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

ikev1 pre-shared-key *****

Site2

ASA Version 8.4(2)

!

hostname site2-fw1

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.248

!

interface GigabitEthernet1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface GigabitEthernet2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet4

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

object network INTERNAL

subnet 192.168.1.0 255.255.255.0

object network VPN-NAT

subnet 192.168.102.0 255.255.255.0

object network REMOTE-SITE

subnet 192.168.101.0 255.255.255.0

access-list CRYPTO_ACL extended permit ip object INTERNAL object REMOTE-SITE

access-list OUTSIDE_IN extended permit icmp any any echo-reply

pager lines 24

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static INTERNAL VPN-NAT destination static REMOTE-SITE REMOTE-SITE

!

object network INTERNAL

nat (inside,outside) dynamic interface

access-group OUTSIDE_IN in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

crypto ipsec ikev1 transform-set ESP_AES esp-aes esp-sha-hmac

crypto map VPNMAP 1 match address CRYPTO_ACL

crypto map VPNMAP 1 set pfs group5

crypto map VPNMAP 1 set peer 81.137.191.105

crypto map VPNMAP 1 set ikev1 transform-set ESP_AES

crypto map VPNMAP interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption aes

hash sha

group 5

lifetime 86400

crypto ikev1 policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

ikev1 pre-shared-key *****

Thanks for helping out

Hi Ashley -

Your nat config looks OK at a quick glance. I incorrectly used the 'static' keyword in my example, but you corrected it by using 'nat' instead.

The problem you're likely experiencing is that your encryption domains are now wrong. The nat will happen prior to the crypto match, so you'll want to edit the following ACLs:

FW1/FW2:

-before-

access-list CRYPTO_ACL extended permit ip object INTERNAL object REMOTE-SITE

-after-

access-list CRYPTO_ACL extended permit ip object VPN-NAT object REMOTE-SITE

Give that a shot and let me know if you continue to have problems.

James

BTW - Your attachments *did* show up, but against an earlier post, so I didn't see them! Thanks for the copy/paste.

Yep tried that and still not getting the tunnels up.

Manual NAT Policies (Section 1)

1 (inside) to (outside) source static INTERNAL VPN-NAT   destination static REMOTE-SITE REMOTE-SITE

    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)

1 (inside) to (outside) source dynamic INTERNAL interface

    translate_hits = 0, untranslate_hits = 0

NAT output and ISAKMP status below:

IKEv1 SAs:

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: x.x.x.x

    Type    : user            Role    : initiator

    Rekey   : no              State   : MM_WAIT_MSG2