VPN tunnel using public IP address as the encryption domain LAN to LAN

cdkading1 (Level 1)

I have a question that has been answered in some variations throughout the forum, and I feel my Newbie status will be clear. Here is my setup problem. I am using a Cisco ASA 5506 and I am connecting to a Vendor. I only need the local side set up; they handle their side.

Internal IP Range
192.168.1.1 255.255.255.0

Public IP Addresses supplied by ISP

97.X.X.22

174.X.X.194

Required config by Vendor.

All Http Https traffic must originate 97.X.X.22

local peer 97.X.X.22

remote peer 144.X.X.25

Our local encryption domain must be a public IP: 174.X.X.194/32

Remote Encryption Domains:

207.X.X.0       255.255.255.0

144.X.X.90      255.255.255.255
144.X.X.91      255.255.255.255
144.X.X.22    255.255.255.255
144.X.X.25    255.255.255.255

Currently I have outside set to 97.X.X.22

I now know I need to NAT all inside traffic destined for the remote encryption domains to 174.X.X.194/32 and then pass the interesting traffic to VPN.

I am using ASA Version 9.5(2). Can someone help me so that I can avoid extra downtime? It will be much appreciated.


8 Replies

David99 (Level 1)

Hi There,

It's certainly fine to use public IPs in the encryption domains.

Are you saying that you want to NAT all private IPs/networks behind your firewall to appear as the single public IP when talking over the VPN to the remote IPs?

You could achieve this with something like this...

There should be no reason for downtime when setting up a site to site VPN

Hopefully I am not missing the point here - is it the NAT configuration that you are not sure about?

I am not too sure what you mean by this point..

"All Http Https traffic must originate 97.X.X.22"

but then you say...

"Our local encryption domain must be a public IP: 174.X.X.194/32"

So, how do you want the traffic to source?

Here is an example of how the NAT may look for this. Using object groups makes it easier and neater:

object-group network LOCAL-REAL
 network-object X.X.X.X 255.255.255.0
 network-object host Y.Y.Y.Y

object-group network LOCAL-PUBLIC
 network-object host 174.X.X.194

object-group network REMOTE
 network-object 207.X.X.0 255.255.255.0
 network-object host 144.X.X.90
 network-object host 144.X.X.91
 network-object host 144.X.X.22
 network-object host 144.X.X.25

nat (any,outside) source static LOCAL-REAL LOCAL-PUBLIC destination static REMOTE REMOTE no-proxy-arp route-lookup

Current config is like below. So all local traffic when talking over the VPN (peer IP) 97.X.X.22 should have the source IP of LOCAL-PUBLIC 174.X.X.194 for traffic on the other end.

All regular network traffic web etc should originate from the outside 97.X.X.22.

It looks like you hit the nail on the head with your config. Does my VPN look right, or do I need to specify the LOCAL-PUBLIC in the VPN ACL so that this reads:

access-list outside_cryptomap extended permit ip object-group LOCAL-PUBLIC object-group SP
access-list outside_cryptomap_1 extended permit ip object-group LOCAL-PUBLIC object-group SP

It looks like I should add:

object-group network LOCAL-PUBLIC
 network-object host 174.X.X.194

and:

nat (any,outside) source static NETWORK_OBJ_192.168.1.0_24 LOCAL-PUBLIC destination static SP SP no-proxy-arp route-lookup

Remove this:

nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static SP SP no-proxy-arp route-lookup

Is that right?


ASA Version 9.5(2)
!
interface GigabitEthernet1/1
description to WAN
speed 100
duplex full
nameif outside
security-level 0
ip address 97.X.X.22 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network SP1
host 144.X.X.90
object network SP0
subnet 207.X.X.0 255.255.255.0
object network SP2
host 144.X.X.91
object network SP3
host 144.X.X.22
object network SP4
host 144.X.X.25
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group network SP
network-object object SP0
network-object object SP1
network-object object SP2
network-object object SP3
network-object object SP4
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group SP
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 object-group SP
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static SP SP no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 97.X.X.21 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 144.X.X.25
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 144.X.X.25
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_144.X.X.25 internal
group-policy GroupPolicy_144.X.X.25 attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 144.X.X.25 type ipsec-l2l
tunnel-group 144.X.X.25 general-attributes
default-group-policy GroupPolicy_144.X.X.25
tunnel-group 144.X.X.25 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:a65783cb07913dc97b1fe0bd4101c189
: end


You would need to change the Crypto ACL to be the public IP you are using

access-list outside_cryptomap_1 extended permit ip host 174.X.X.194 object-group SP

--

Please remember to select a correct answer and rate helpful posts


But I leave this?

access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object-group SP

Here is what I have now; is this correct?

access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object-group SP
access-list outside_cryptomap_1 extended permit ip object-group LOCAL-PUBLIC object-group SP

Just noticed you have two crypto maps going to the same destination...why?  I would suggest removing one of them.

Are you using ikev1 or ikev2? you have both configured under both cryptomaps...

--

Please remember to select a correct answer and rate helpful posts


Here are the requirements from the vendor

Encryption Scheme / Tunnel Type: DH Group 2, ESP-AES256-SHA

Phase 1
    Diffie-Hellman Group: Base
    Encryption Algorithm: ESP AES256-SHA
    Hashing Algorithm: DH Group 2, ESP AES256-SHA
    Main or Aggressive Mode: Main Mode
    Lifetime (for renegotiation): 86400

Phase 2
    Encapsulation (ESP or AH): ESP
    Encryption Algorithm: AES-256
    Authentication Algorithm: (not given)
    Perfect Forward Secrecy: No
    Lifetime (for renegotiation): 28800
    Lifesize in KB (for renegotiation): (not given)
    Key Exchange For Subnets?: Yes

They don't mention which version, so I assume it is IKEv1.  Just add the public IP to the crypto ACL as the source at your end, and have the remote end add it to their crypto ACL as the destination.  Also, do the NAT configuration mentioned earlier and you should be set.

--

Please remember to select a correct answer and rate helpful posts


Hey,

As Marius mentions, you'll need to use the public IPs in the crypto ACL. Also quite right not to use two crypto maps for the same thing. That said, it's not necessarily a problem, because crypto maps are checked in the order of their numbering, from lower to higher - once there is a match it will stop. So if you have 2 the same, it will match the first one then stop. That said, it has scope to cause confusion, and if it is not needed then don't use it.

When I first started doing funky things with NAT, I would get a little confused about how the Crypto ACL should look.

However, I came to remember it in a very easy way.

The crypto ACL is used to determine what security associations will be built over a VPN tunnel.

In your case, the communications are going to be via public IPs on both sides - therefore the SA on the tunnel will be between these public IPs and so, you need to use the public IPs in the crypto ACL

So, referring back to the example from earlier and using the same object group names for the sake of being neat, it would be like this:

access-list outside_cryptomap_1 extended permit ip object-group LOCAL-PUBLIC object-group REMOTE

You don't need the private IPs in there - remember NAT happens first. If you were using private IPs over the tunnel then you would use the private IPs and have a NAT exemption rule, which it seems you had earlier but is not required in this case. I am referring to this line you mentioned earlier that is not needed in this scenario - this is a NAT exemption and ensures that the private IPs remain private (this is also known as Identity NAT), whereas in your case you want it to change to public:

nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static SP SP no-proxy-arp route-lookup
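The order-of-operations point made in David99's two replies above (NAT runs first, then the crypto ACL is evaluated against the already-translated packet) and Marius's remark about two crypto map entries pointing at the same peer, as an added Python model. This is not code from the thread and not ASA code: it keeps the thread's object-group names but replaces the masked addresses (97.X.X.22, 174.X.X.194, 207.X.X.0/24, 144.X.X.x) with constructed documentation ranges, and it reduces NAT and crypto-map matching to source/destination address checks, which is all the thread's scenario needs.

```python
"""Model of the ASA egress path discussed in the thread: manual twice NAT first,
then the crypto map entries in sequence-number order (first match wins).
Added example; addresses are constructed stand-ins for the thread's masked IPs."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
net = ipaddress.ip_network

OUTSIDE_IF = IPv4("198.51.100.22")                       # stands in for 97.X.X.22
LOCAL_REAL = [net("192.168.1.0/24")]                     # NETWORK_OBJ_192.168.1.0_24
LOCAL_PUBLIC = [net("198.51.100.194/32")]                # stands in for 174.X.X.194/32
REMOTE = [net("203.0.113.0/24"), net("192.0.2.90/32"),   # stands in for object-group SP
          net("192.0.2.91/32"), net("192.0.2.22/32"), net("192.0.2.25/32")]
PEER = IPv4("192.0.2.25")                                # stands in for 144.X.X.25


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4


@dataclass
class TwiceNat:
    """nat (inside,outside) source static REAL MAPPED destination static DST DST"""
    real_src: list
    mapped_src: list
    dst: list


@dataclass
class CryptoEntry:
    """crypto map outside_map <seq> match address <acl> / set peer <peer>"""
    seq: int
    acl_src: list
    acl_dst: list
    peer: IPv4


def in_any(addr, nets):
    return any(addr in n for n in nets)


def apply_nat(pkt, rules):
    """Manual twice NAT rules are tried top down; anything left over falls
    through to the 'after-auto source dynamic any interface' PAT."""
    for r in rules:
        if in_any(pkt.src, r.real_src) and in_any(pkt.dst, r.dst):
            real, mapped = r.real_src[0], r.mapped_src[0]
            if mapped.num_addresses == 1:        # whole subnet mapped to one public host
                return Packet(mapped.network_address, pkt.dst)
            offset = int(pkt.src) - int(real.network_address)   # identity / same-size mapping
            return Packet(IPv4(int(mapped.network_address) + offset), pkt.dst)
    return Packet(OUTSIDE_IF, pkt.dst)


def select_crypto_entry(pkt, crypto_map):
    """Lowest sequence number whose ACL matches wins; a duplicate later entry never runs."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if in_any(pkt.src, entry.acl_src) and in_any(pkt.dst, entry.acl_dst):
            return entry
    return None


def egress(pkt, nat_rules, crypto_map):
    """Returns (source address the far end sees, matched crypto map seq or None).
    None means no crypto ACL matched the translated packet, so it leaves unencrypted."""
    translated = apply_nat(pkt, nat_rules)
    entry = select_crypto_entry(translated, crypto_map)
    return str(translated.src), (entry.seq if entry else None)


# Scenario A: the OP's original config: identity NAT, private crypto ACL, and two
# identical crypto map entries (seq 1 and 2) to the same peer.
NAT_IDENTITY = [TwiceNat(LOCAL_REAL, LOCAL_REAL, REMOTE)]
MAP_PRIVATE_TWICE = [CryptoEntry(1, LOCAL_REAL, REMOTE, PEER),
                     CryptoEntry(2, LOCAL_REAL, REMOTE, PEER)]

# Scenario B: NAT to the public encryption domain, but the crypto ACL still lists the private subnet.
NAT_PUBLIC = [TwiceNat(LOCAL_REAL, LOCAL_PUBLIC, REMOTE)]
MAP_PRIVATE = [CryptoEntry(1, LOCAL_REAL, REMOTE, PEER)]

# Scenario C: the accepted fix: NAT to the public IP and a crypto ACL written on the public IP.
MAP_PUBLIC = [CryptoEntry(1, LOCAL_PUBLIC, REMOTE, PEER)]

if __name__ == "__main__":
    to_vendor = Packet(IPv4("192.168.1.50"), IPv4("192.0.2.90"))
    to_web = Packet(IPv4("192.168.1.50"), IPv4("192.0.2.200"))  # not in REMOTE: ordinary web traffic
    print("A", egress(to_vendor, NAT_IDENTITY, MAP_PRIVATE_TWICE))  # private source enters tunnel, seq 1 wins
    print("B", egress(to_vendor, NAT_PUBLIC, MAP_PRIVATE))          # translated, then no ACL match
    print("C", egress(to_vendor, NAT_PUBLIC, MAP_PUBLIC))           # translated and matched
    print("web", egress(to_web, NAT_PUBLIC, MAP_PUBLIC))            # interface PAT, outside the tunnel
```

Scenario B is the failure mode David99's reply is warning about: once the source is translated to the public /32, an ACL that still names 192.168.1.0/24 never matches, so the traffic to the vendor leaves the outside interface without going into the tunnel. Scenario A also shows why the duplicated crypto map entry is harmless but pointless: seq 2 is never reached. Ordinary web traffic is untouched by the twice NAT rule (its destination is not in REMOTE), so it is PATed to the interface address, which is the "must originate from 97.X.X.22" requirement.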