ASA VPN NAT
I spent the last week fighting our ASA. We have an old VPN 3000 Concentrator and I am slowly moving all of the tunnels to our ASA. But I needed to to do some NAT over a few VPN tunnels and eventually had to call for help. Since I am not the only person trying to do this, and I had little luck finding instructions, I am writing this post. Ironically, once you know how to do it, it’s simple and makes sense. Probably why I could never find someone who had taken the time to document the process.
Here are the basic steps:
1. Enable IPSec on the Outside interface.
2. Run the IPSec VPN wizard.
3. Create the static policy NAT.
4. Create a static route if needed.
5. Add a firewall rule if needed.
Here is a diagram of what we are trying to do:
Notice that we are NAT’ing from 192.168.181.2 to 192.168.81.2, there is only one digit different, but it makes a big difference.
1. Enable IPSec
First we enable IPSec on the Outside interface:
Code to enable IPSec:
crypto isakmp enable Outside crypto isakmp policy 10 authen pre-share crypto isakmp policy 10 encrypt des crypto isakmp policy 10 hash sha crypto isakmp policy 10 group 2 crypto isakmp policy 10 lifetime 86400 crypto isakmp policy 5 authen pre-share crypto isakmp policy 5 encrypt 3des crypto isakmp policy 5 hash sha crypto isakmp policy 5 group 2 crypto isakmp policy 5 lifetime 86400
2. IPSec VPN Wizard
Second we fire up the IPSec VPN Wizard:
Notice the pointer in this screenshot. If you are going to NAT over the VPN tunnel, make sure this is not checked. You can delete it later, all it does is make a NAT for you, we will make our own policy NAT instead.
The resulting code from the VPN Wizard:
object-group network DM_INLINE_NETWORK_1 network-object host 192.168.81.2 network-object host 192.168.81.3 access-list Outside_1_cryptomap line 1 extended permit ip object-group DM_INLINE_NETWORK_1 host 172.22.108.201 tunnel-group 184.108.40.206 type ipsec-l2l tunnel-group 220.127.116.11 ipsec-attributes pre-shared-key TESTING isakmp keepalive threshold 10 retry 2 crypto isakmp policy 30 authen pre-share crypto isakmp policy 30 encrypt aes-256 crypto isakmp policy 30 hash sha crypto isakmp policy 30 group 5 crypto isakmp policy 30 lifetime 86400 crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto map Outside_map 1 match address Outside_1_cryptomap crypto map Outside_map 1 set peer 18.104.22.168 crypto map Outside_map 1 set transform-set ESP-AES-256-SHA crypto map Outside_map interface Outside
3. Static Policy NAT
Although it is not on the diagram, I am adding two NAT rules to the ASA:
192.168.181.2 –> 192.168.81.2 if going to 172.22.108.201
192.168.181.3 –> 192.168.81.3 if going to 172.22.108.201
The code to add a policy NAT.
access-list Inside_nat_static extended permit ip host 192.168.181.2 host 172.22.108.201 static (Inside,Outside) 192.168.81.2 access-list Inside_nat_static tcp 0 0 udp 0
The code to add another policy NAT.
access-list Inside_nat_static_1 line 1 extended permit ip host 192.168.181.3 host 172.22.108.201 static (Inside,Outside) 192.168.81.3 access-list Inside_nat_static_1 tcp 0 0 udp 0 [/code} <strong>4. Add a Static Route</strong> This step depends upon your routing table. <img class="alignnone size-full wp-image-375" src="https://chainringcircus.files.wordpress.com/2010/09/6-add-static-route.png" alt="6-add-static-route" width="567" height="428" /> The code to add a static route: route Outside 172.22.108.201 255.255.255.255 22.214.171.124 1
5. Add a firewall rule.
Once again, this step depends upon the rules in our firewall. This rule is very permissive, we are testing.
The code to add a firewall rule:
object-group network DM_INLINE_NETWORK_2 network-object host 172.22.81.2 network-object host 172.22.81.3 access-list Inside_access_in line 5 extended permit ip object-group DM_INLINE_NETWORK_2 host 172.22.108.201 log disable
And finally, the test ping from 192.168.181.2 to 172.22.108.201: