Asa Vpn Site-tosite And One End Nat
More and more, the Internet is being used as a connection to business partners. Typically this requires building an IPSec Tunnel between two VPN capable endpoints. For me the device of choice is the Cisco ASA. Since we are connecting to a business partner, we likely have no choice of device on the other end. Furthermore, since we are connecting to an already established network there could be issues with IP address overlap. In this article, we address the configuration of a VPN with IP address overlap.
Note to reader: All ASA content can be accessed by clicking (or choosing ASA from the menu at the top of the page). This article addresses both 8.2 and earlier configurations as well as 8.3 and 8.4 configurations. If you want a deeper understanding of the changes in the 8.3/8.4 versions, I encourage you to compare the configuration to that of the more familiar 8.2.

For this article, we will be solving the problem of building a VPN between our enterprise network and an outside business partner that has an overlapping 192.168.1.x/24 address space. The secure tunnel will be established between the two firewalls in the image below. From the perspective of the business partner, our network will look like it is 192.168.2.x/24, so the outside party doesn't even need to know that we are using 192.168.1.x/24. To access the partner's 192.168.1.x/24 network, we will send traffic to 192.168.3.x, where x is the host we want to reach on their 192.168.1.x/24 network. Since NAT has very different configuration syntax starting in 8.3, this article is broken into two sections.
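An added example (not the article's own configuration) of the two translations described above, in both syntaxes: our 192.168.1.0/24 is shown to the partner as 192.168.2.0/24, and the partner's 192.168.1.0/24 is reached from our side as 192.168.3.0/24. Interface names (inside/outside), object, ACL and crypto map names, the transform set, and the peer address 203.0.113.1 are assumptions; IKE policy and the pre-shared key are placeholders.

```cisco
! ---- ASA 8.3 / 8.4: twice NAT (manual NAT) ----
! Real and mapped objects for each side of the tunnel
object network LOCAL-REAL
 subnet 192.168.1.0 255.255.255.0
object network LOCAL-MAPPED
 subnet 192.168.2.0 255.255.255.0
object network PARTNER-REAL
 subnet 192.168.1.0 255.255.255.0
object network PARTNER-MAPPED
 subnet 192.168.3.0 255.255.255.0
! Our 192.168.1.x is shown as 192.168.2.x only when the destination is the
! partner's alias 192.168.3.x, which is untranslated to their real 192.168.1.x
! (destination objects are listed mapped first, then real)
nat (inside,outside) source static LOCAL-REAL LOCAL-MAPPED destination static PARTNER-MAPPED PARTNER-REAL
! In 8.3+ the crypto ACL matches translated (on-the-wire) addresses
access-list VPN-PARTNER extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! The ikev1 keywords below are 8.4 syntax; 8.3 uses the 8.2 crypto commands
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-PARTNER
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <placeholder-psk>

! ---- ASA 8.2 and earlier: policy static + outside static ----
! Translate source 192.168.1.x -> 192.168.2.x only for traffic sent to 192.168.3.x
access-list PARTNER-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
static (inside,outside) 192.168.2.0 access-list PARTNER-NAT
! Present the partner's real 192.168.1.x to our inside hosts as 192.168.3.x
static (outside,inside) 192.168.3.0 192.168.1.0 netmask 255.255.255.0
! Crypto ACL is the same: the tunnel only ever carries 192.168.2.x <-> 192.168.1.x
access-list VPN-PARTNER extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-PARTNER
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <placeholder-psk>
```

The partner's firewall needs the mirror image: its crypto ACL permits 192.168.1.0/24 to 192.168.2.0/24, and it never sees our real 192.168.1.x addresses.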
Paul, the recent articles you have posted on ASA configuration tips have been a tremendous help to me. We only install ASA firewalls for our clients, so a lot of these articles have been very helpful for future scenarios. This article brings about another question for me. The address conflict I run into the most is with a Remote VPN, where the user is at home, but their home IP addressing is the same subnet as their office subnet, so usually 192.168.1.0/24 on both ends. The remote VPN tunnels I typically set up direct the user's local traffic to the LAN they are at (typically home or a hotel), and remote traffic through the VPN so that web browsing etc. is not directed through the tunnel. Is this able to be overcome in a similar manner?
That is a very good question. I actually may write an article about that particular issue in the future. In short, yes, you can solve that problem in a similar way. The challenge is that the corporate network is then represented with a different IP address range. Therefore, everything either needs to know the translated addresses or use DNS (with DNS rewrite working properly). Due to these challenges, I try to avoid translating the corporate network for remote access clients. The way I try to solve this problem is by inserting host routes for important IP addresses in the client's routing table. This can be done by exploiting split tunneling.
Split tunneling is meant to define the protected networks and gives the administrator the ability to allow some traffic to go directly to the Internet. The way it works is that a split tunnel ACL is built that includes hosts, networks, or even the default network (0.0.0.0 0.0.0.0) to be protected. If you don't want users going directly to the Internet, include an instance of 0.0.0.0 0.0.0.0 in the standard ACL. Then include any subnets and hosts. Including hosts, using the syntax "host x.x.x.x", for important IP addresses that are likely to overlap will cause the VPN client to insert host routes into the PC's routing table. You can see this with "route print" from a command prompt in Windows.

I worked on something similar to that a while back. In 8.2 and earlier, I think you need a "nat (outside) 0 access-list ACL". The ACL should specify traffic in both directions (RA to L2L and L2L to RA). The L2L VPN would also need to match the remote access to remote L2L range in its ACL. You would also need to have the "same-security-traffic permit intra-interface" command. This is all from memory, so there may be a bit more to it than that.
In any case, this is one of the more difficult configurations.

Thanks for the great article. I have one question though. The scenario is this: the customer has many L2L tunnels to business partners and of course there are overlapping networks between two partners. We made a policy NAT for the newest partner, but now the policy NAT conflicts with a static NAT.
There is a bunch of servers mapped with static NAT to public IPs. Over the tunnel (to the business partner) they can connect to everything else, but not to those servers. Is there any way around this problem? (btw, the same problem is here with a longer explanation: ) I know that port forwarding will do the trick, but that's not the cure for our customer.

There are a few ways that you can accomplish that. The decision to static NAT or policy NAT depends on whether the translations need some qualifying value.
For example, if HostA goes to a VPN, use IP address x.x.x.x. However, if the same HostA goes to the Internet, use IP address z.z.z.z. So for the context of static vs policy NAT, I would think in those terms. In regards to only allowing some hosts, you can configure NAT based on this article. Then use ACLs to control the traffic. This could be done in the following locations:

1) Ingress where the source hosts exist
2) Applied to the tunnel group with vpn-filter
3) Ingress on the public interface on the remote end (with "no sysopt connection permit-vpn")
4) Egress on the interface where the destination hosts live

You can also tightly restrict the NAT. This, in conjunction with the crypto ACL, will have an impact on what is sent into the tunnel. It is worth noting that this would behave differently for 8.2 and post 8.4 code.

Hi Paul, I would like to say thank you for this post. I found that adding ACLs to the existing crypto maps allowed multiple VPNs to be established when access to a specific subnet was requested. As an example, my VPN for the phone subnet worked but only showed 1 active VPN for the ACL for the phone. When I added access to the "server" VLAN to both sides, the VPN count raised by one when a resource (DNS query) requested information.
It stayed active until the timeout hit, then went inactive until the resource was requested again. This second VPN used the same information and settings as the first VPN. I hope I stated this correctly. It worked awesomely. Thank you for the great article!

I did have a question, or something I'm still not getting by reading the very helpful comments. I have an ASA running 8.2 software. I need to allow a single host (host A) to be translated through the site-to-site VPN on the remote end. Host A already has a static translation used for other operations. If I tried policy NAT (the ugly solution), would that be canceled out by the order of operations (NAT exemption, static NAT, static PAT, then policy NAT) anyway? What is an elegant way to do this without affecting existing operations? Thank you.
By defining a VPN tunnel-group, the ASA allows the remote peer in on the outside interface to get to where it's going as defined in your ACL. IKE negotiation happens over UDP port 4500 and that is allowed without having to edit your outside ACL. You can change this with "no sysopt connection permit-vpn". If you do that you will need entries in your fromoutside ACL. Protocol 50 is ESP.

Show all the tunnel-groups:
sh run all tunnel-group
L2L (S2S) IP address
RA VPN group
The tunnel group sets the peer and calls the group policy.

Show the group policy:
sh run all group-policy
Normally, if you don't change anything, the default group policy will be used. Make sure ikev1 is enabled in the default or whatever group policy you are using:
group-policy DfltGrpPolicy attributes

What's the problem? Host A can't reach Host B. Is it a problem for all hosts or just one host? If a VPN won't come up it's usually a settings problem: PSK mismatch, missing NAT, ACL mismatch, etc. If a VPN has been up and goes down it's usually because something has changed. Write ALL settings down for both peers side by side and compare.