site to site vpn PAT

Network Pro
Level 1

Hi 

I am forming a site-to-site VPN:

Site A                                Site B
192.168.1.0/24                        100.100.100.100/24

Site A                                                Site B
192.168.1.0/24 -> 10.1.0.1 (PAT) -> 100.100.100.100/24

How do I establish the above in a LAN-to-LAN tunnel with interesting traffic?

Thanks


13 Replies

Network Pro
Level 1

Any ideas please?

Dina Odeh
Level 1

Hi, 

In the crypto map ACL, you should put the NATed IP. So on the Site A ASA, put the 10.1.0.1,

and the ACL will look like:

permit ip host 10.1.0.1 host 100.100.100.100

Also kindly note that you can't have PAT on both sides. One side should have a PAT, and initiation should be done from that side.

Thanks for this, I don't need the other end to initiate traffic. Can you give me the full config please?

On Site A ASA: 

******************

1- Configure a NAT statement, so that the subnet 192.168.1.0/24 will be PATed to 10.1.0.1 when it communicates with 100.100.100.100

In 8.3 and later: 

nat (inside,outside) source dynamic obj-192.168.1.0 obj-10.1.0.1 destination static obj-100.100.100.100 obj-100.100.100.100

In 8.2 and earlier:

a) Create an ACL on the ASA:

access-list vpn permit ip 192.168.1.0 255.255.255.0 host 100.100.100.100

b) Add a policy dynamic NAT:

nat (inside) 2 access-list vpn
global (outside) 2 10.1.0.1

2- Configure the crypto map ACL:

access-list <name> extended permit ip host 10.1.0.1 host 100.100.100.100

On Site B ASA: 

******************

Are there any NAT statements that should be configured there?

1- Configure the crypto map ACL:

access-list <name> extended permit ip host 100.100.100.100 host 10.1.0.1

I am running 8.3 onwards.

I was thinking of this; will this work?

access-list xyz permit ip 192.168.1.0 255.255.255.0 100.100.100.100 255.255.255.255

nat (inside) 1 access-list xyz

global (outside) 1 10.1.0.1

access-list vpn permit ip host 10.1.0.1 100.100.100.100 255.255.255.255

If you are running 8.3 and later, then you should do the following: 

1- Configure a NAT statement, so that the subnet 192.168.1.0/24 will be PATed to 10.1.0.1 when it communicates with 100.100.100.100

nat (inside,outside) source dynamic obj-192.168.1.0 obj-10.1.0.1 destination static obj-100.100.100.100 obj-100.100.100.100

2- Configure the crypto map ACL:

access-list <name> extended permit ip host 10.1.0.1 host 100.100.100.100

Don't we need a no-NAT from 10.1.0.1 to 100.100.100.100?

If you are talking about the Site B ASA, then yes, you need a NO NAT.

But if you are talking about the Site A ASA, then no. The NAT previously mentioned is the one we need to add on it.

Dina Odeh, 

Please rate helpful posts and mark correct answers.

I don't need Site B initiating, but I can't seem to get this to work. I need 192.168.1.0/24 to go out as 10.1.0.1 to 100.100.100.100/24.

I have routes on the core pointing to this subnet 100.100.100.100, but still can't get it to work. I think NATting is the only issue.

Accepted Solution

Hello, untested code but I hope this could work:

SITE-A:

object network LOCAL-NET-192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network REMOTE-NET-100.100.100.0_24
subnet 100.100.100.0 255.255.255.0
object network VPN-PAT-IP-10.1.0.1
host 10.1.0.1
nat (INSIDE,OUTSIDE) source dynamic LOCAL-NET-192.168.1.0_24 VPN-PAT-IP-10.1.0.1 destination static REMOTE-NET-100.100.100.0_24 REMOTE-NET-100.100.100.0_24
access-list CRYPTO-ACL extended permit ip object VPN-PAT-IP-10.1.0.1 object REMOTE-NET-100.100.100.0_24

SITE-B:

object network LOCAL-NET-100.100.100.0_24
subnet 100.100.100.0 255.255.255.0
object network REMOTE-NET-10.1.0.1_32
host 10.1.0.1
object network REMOTE-NET-192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static LOCAL-NET-100.100.100.0_24 LOCAL-NET-100.100.100.0_24 destination static REMOTE-NET-192.168.1.0_24 REMOTE-NET-10.1.0.1_32
access-list CRYPTO-ACL extended permit ip object LOCAL-NET-100.100.100.0_24 object REMOTE-NET-10.1.0.1_32

//Cristian
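As an added illustration (example code written for this page, not ASA code or any poster's config), the following Python model applies Site A's NAT rule before the crypto ACL lookup, the order the ASA uses, and shows why Site A's crypto ACL must name 10.1.0.1 rather than 192.168.1.0/24 and why only Site A can initiate. The hosts 192.168.1.10 and 100.100.100.100 are constructed sample addresses.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the SITE-A / SITE-B config above (example written for this page,
# not ASA code). ASA applies NAT first and then matches the crypto map ACL, so Site A's
# crypto ACL has to name the PAT address 10.1.0.1, not the real subnet.
LOCAL_A = ip_network("192.168.1.0/24")     # object LOCAL-NET-192.168.1.0_24
REMOTE_B = ip_network("100.100.100.0/24")  # object REMOTE-NET-100.100.100.0_24
PAT_IP = ip_network("10.1.0.1/32")         # object VPN-PAT-IP-10.1.0.1


def nat_site_a(src, dst):
    """Model of 'nat (INSIDE,OUTSIDE) source dynamic LOCAL-NET VPN-PAT-IP destination
    static REMOTE-NET REMOTE-NET': Site A hosts talking to Site B are PATed to 10.1.0.1."""
    if src in LOCAL_A and dst in REMOTE_B:
        return PAT_IP.network_address, dst
    return src, dst  # any other flow is left untranslated in this model


def acl_permits(acl, src, dst):
    """acl is a list of (src_net, dst_net) 'permit ip' entries; first match wins."""
    return any(src in s and dst in d for s, d in acl)


# Crypto ACLs from the accepted solution: Site A names the PAT address, Site B mirrors it.
CRYPTO_ACL_A = [(PAT_IP, REMOTE_B)]
CRYPTO_ACL_B = [(REMOTE_B, PAT_IP)]
# The ACL shape from the original question, written with the pre-NAT source subnet.
NAIVE_ACL_A = [(LOCAL_A, REMOTE_B)]


def tunnelled_from_a(src, dst, acl=CRYPTO_ACL_A):
    """Egress at Site A: NAT, then crypto ACL lookup on the translated packet."""
    nsrc, ndst = nat_site_a(ip_address(src), ip_address(dst))
    return acl_permits(acl, nsrc, ndst)


def tunnelled_from_b(src, dst):
    """Egress at Site B: the LAN has identity NAT, so the packet is matched unchanged."""
    return acl_permits(CRYPTO_ACL_B, ip_address(src), ip_address(dst))


def acls_are_mirrored(acl_a, acl_b):
    """Both peers must propose mirror-image proxy IDs (A's src/dst == B's dst/src),
    otherwise the IPsec SA negotiation fails."""
    return sorted(acl_a) == sorted((d, s) for s, d in acl_b)


if __name__ == "__main__":
    print(tunnelled_from_a("192.168.1.10", "100.100.100.100"))              # True
    print(tunnelled_from_a("192.168.1.10", "100.100.100.100", NAIVE_ACL_A))  # False
    print(tunnelled_from_b("100.100.100.100", "10.1.0.1"))                   # True: reply to PAT IP
    print(tunnelled_from_b("100.100.100.100", "192.168.1.10"))               # False: B can't initiate
    print(acls_are_mirrored(CRYPTO_ACL_A, CRYPTO_ACL_B))                     # True
```

The second call is the failure mode in the original question: after PAT the source is 10.1.0.1, so an ACL written for 192.168.1.0/24 never matches and the traffic is not sent through the tunnel.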

Works, thanks.

If I want to set a vpn-filter value for the above (with the PAT config), how does the ACL look? Will it be from 10.1.0.1 to 192.168.1.0/24 on port 22?

Thanks

Hello,

Somewhat snatched and modified code from another site.

SITE-A:

access-list VPN-FILTER extended permit tcp object VPN-PAT-IP-10.1.0.1 object REMOTE-NET-100.100.100.0_24 eq 22
group-policy SITE-A internal
group-policy SITE-A attributes
vpn-filter value VPN-FILTER


Now the VPN filter works in mysterious ways... (it's bi-directional by nature).


This will allow TCP traffic from 10.1.0.1 <any port> to 100.100.100.0/24 <port 22>
It will also allow TCP traffic from 100.100.100.0/24 <port 22> to 10.1.0.1 <any port>

I am no expert on VPN filters, but you should get the idea, I hope.

//Cristian