ASA VPN NAT

2010-09-17 09:06:20
I spent the last week fighting our ASA. We have an old VPN 3000 Concentrator and I am slowly moving all of the tunnels to our ASA. But I needed to do some NAT over a few VPN tunnels and eventually had to call for help. Since I am not the only person trying to do this, and I had little luck finding instructions, I am writing this post. Ironically, once you know how to do it, it's simple and makes sense. That is probably why I could never find someone who had taken the time to document the process.

Here are the basic steps:
1. Enable IPSec on the Outside interface.
2. Run the IPSec VPN wizard.
3. Create the static policy NAT.
4. Create a static route if needed.
5. Add a firewall rule if needed.

Here is a diagram of what we are trying to do:
vpn-nat

Notice that we are NAT'ing from 192.168.181.2 to 192.168.81.2. Only one digit differs, but it makes a big difference.

1. Enable IPSec
First we enable IPSec on the Outside interface:
1-enable-ipsec-on-outside-interface

Code to enable IPSec:

crypto isakmp enable Outside
crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto isakmp policy 5 authen pre-share
crypto isakmp policy 5 encrypt 3des
crypto isakmp policy 5 hash sha
crypto isakmp policy 5 group 2
crypto isakmp policy 5 lifetime 86400

2. IPSec VPN Wizard
Second we fire up the IPSec VPN Wizard:
vpn-wizard-step-1

vpn-wizard-step-2

vpn-wizard-step-3

vpn-wizard-step-4

Notice the pointer in this screenshot. If you are going to NAT over the VPN tunnel, make sure this box is not checked. You can also delete the rule later; all it does is make a NAT rule for you, and we will make our own policy NAT instead.
vpn-wizard-step-5

vpn-wizard-step-6

The resulting code from the VPN Wizard:

object-group network DM_INLINE_NETWORK_1
network-object host 192.168.81.2
network-object host 192.168.81.3
access-list Outside_1_cryptomap line 1 extended permit ip object-group DM_INLINE_NETWORK_1 host 172.22.108.201
tunnel-group 198.136.146.10 type ipsec-l2l
tunnel-group 198.136.146.10 ipsec-attributes
pre-shared-key TESTING
isakmp keepalive threshold 10 retry 2
crypto isakmp policy 30 authen pre-share
crypto isakmp policy 30 encrypt aes-256
crypto isakmp policy 30 hash sha
crypto isakmp policy 30 group 5
crypto isakmp policy 30 lifetime 86400
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 198.136.146.10
crypto map Outside_map 1 set transform-set ESP-AES-256-SHA
crypto map Outside_map interface Outside

3. Static Policy NAT
Although it is not on the diagram, I am adding two NAT rules to the ASA:
192.168.181.2 -> 192.168.81.2 if going to 172.22.108.201
192.168.181.3 -> 192.168.81.3 if going to 172.22.108.201

4-add-static-policy-nat-rule-2

The code to add a policy NAT:

access-list Inside_nat_static extended permit ip host 192.168.181.2 host 172.22.108.201
static (Inside,Outside) 192.168.81.2 access-list Inside_nat_static tcp 0 0 udp 0

5-add-static-policy-nat-rule-3

The code to add another policy NAT:

access-list Inside_nat_static_1 line 1 extended permit ip host 192.168.181.3 host 172.22.108.201
static (Inside,Outside) 192.168.81.3 access-list Inside_nat_static_1 tcp 0 0 udp 0

4. Add a Static Route
This step depends upon your routing table.

6-add-static-route

The code to add a static route:

route Outside 172.22.108.201 255.255.255.255 198.136.146.10 1

5. Add a Firewall Rule
Once again, this step depends upon the rules in our firewall. This rule is very permissive because we are still testing.

7-add-firewall-rule

The code to add a firewall rule:

object-group network DM_INLINE_NETWORK_2
network-object host 172.22.81.2
network-object host 172.22.81.3
access-list Inside_access_in line 5 extended permit ip object-group DM_INLINE_NETWORK_2 host 172.22.108.201 log disable

And finally, the test ping from 192.168.181.2 to 172.22.108.201:
8-ping-172-22-108-201
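As an added example (not the post's own code), here is a small Python check that replays the order the ASA applies these pieces in: the policy NAT rewrites the source first, and the crypto ACL is then matched against the translated address, which is why Outside_1_cryptomap lists the 192.168.81.x hosts rather than the real 192.168.181.x ones. It also flags any policy NAT whose translated address the crypto ACL would never match, since that traffic would follow the static route to the peer without IPSec. The config text inside is reconstructed from this post (the second static for .3 is left out for brevity), and only host and object-group ACL entries are parsed.

```python
# Added example, not from the post: replay the ASA 8.2 order of operations for
# this flow (policy NAT first, then the crypto ACL checked against the
# translated source) and flag policy NATs the crypto ACL would never encrypt.
CONFIG = """
object-group network DM_INLINE_NETWORK_1
 network-object host 192.168.81.2
 network-object host 192.168.81.3
access-list Outside_1_cryptomap line 1 extended permit ip object-group DM_INLINE_NETWORK_1 host 172.22.108.201
access-list Inside_nat_static extended permit ip host 192.168.181.2 host 172.22.108.201
static (Inside,Outside) 192.168.81.2 access-list Inside_nat_static tcp 0 0 udp 0
crypto map Outside_map 1 match address Outside_1_cryptomap
"""

def parse_asa(text):
    """Return (object groups, ACLs, policy statics, crypto ACL name)."""
    groups, acls, statics, crypto_acl, cur = {}, {}, [], None, None
    for w in (line.split() for line in text.splitlines()):
        if w[:2] == ["object-group", "network"]:
            cur = groups.setdefault(w[2], set())
        elif w[:2] == ["network-object", "host"]:
            cur.add(w[2])
        elif w[:1] == ["access-list"] and "permit" in w:
            i = w.index("permit") + 2             # skip "permit ip" (and "line N")
            acls.setdefault(w[1], []).append(((w[i], w[i + 1]), (w[i + 2], w[i + 3])))
        elif w[:1] == ["static"]:
            statics.append((w[2], w[4]))          # (translated addr, policy ACL)
        elif w[:2] == ["crypto", "map"] and "match" in w:
            crypto_acl = w[-1]
    return groups, acls, statics, crypto_acl

def _ips(endpoint, groups):
    kind, value = endpoint                        # ("host", A) or ("object-group", NAME)
    return groups.get(value, set()) if kind == "object-group" else {value}

def acl_permits(cfg, name, src, dst):
    return any(src in _ips(s, cfg[0]) and dst in _ips(d, cfg[0])
               for s, d in cfg[1].get(name, []))

def outbound(cfg, src, dst):
    """(source address seen on Outside, encrypted?) for an Inside->Outside packet."""
    # NAT runs before the crypto map is consulted, so match on the translated source
    src = next((m for m, pacl in cfg[2] if acl_permits(cfg, pacl, src, dst)), src)
    return src, acl_permits(cfg, cfg[3], src, dst)

def unencrypted_policy_nats(cfg):
    """Policy NATs whose translated address never matches the crypto ACL."""
    groups, acls, statics, crypto_acl = cfg
    return [(m, dst) for m, pacl in statics for _, d in acls.get(pacl, [])
            for dst in _ips(d, groups) if not acl_permits(cfg, crypto_acl, m, dst)]
```

Swapping the object-group entry for the real inside address 192.168.181.2 (the natural mistake when building the crypto ACL from the diagram) makes unencrypted_policy_nats report the .2 translation, and outbound shows the packet leaving untranslated-to-tunnel.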

This entry was posted in Firewalls, Routing.
