[c-nsp] ASA Site to Site VPN

Peter Krupl peter.krupl at ventelo.dk
Fri Jul 13 08:20:59 EDT 2007


Hi Dave,

Yes, this is possible, and it is not that difficult either.

Always remember that the crypto map gets applied POST NAT at the outside interface. So you just have to do your NAT as usual.

You could do it like this for site 1; this is just to point out the main points:

------------SNIP-------------
! Policy NAT: only traffic bound for site 2 is translated; everything else is exempt via nat 0
access-list nat_vpn permit ip any 151.193.141.0 255.255.255.0
access-list no_nat_default deny ip any 151.193.141.0 255.255.255.0
access-list no_nat_default permit ip any any

nat (inside) 0 access-list no_nat_default
nat (inside) 1 access-list nat_vpn
global (outside) 1 192.168.1.2

! Crypto ACL matches the post-NAT source address, not the inside range
access-list vpn_ipsec permit ip host 192.168.1.2 151.193.141.0 255.255.255.0

tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
 pre-shared-key XXXXXXXXXXXXX

crypto map ipsec 10 match address vpn_ipsec
crypto map ipsec 10 set peer 172.16.1.1
crypto map ipsec 10 set transform-set ESP-3DES-MD5


------------SNIP-------------

More reading on NAT for ASA:
http://cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042417

Kind regards
Peter Åris Krüpl
Network specialist
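To make the "crypto map is applied post-NAT" point concrete, here is a small Python model of the ASA outbound order of operations for the configuration above. It is an added illustration, not code from the reply or from Cisco: the addresses come from the thread, the ACL encoding and the function names (acl_lookup, translate_source, outbound) are this example's own, and it assumes nat-control is off so that a flow matching no NAT rule leaves untranslated. It contrasts the correct crypto ACL (written against 192.168.1.2) with the tempting mistake of writing it against the 10.171.1.0/24 inside range, which never matches because the source has already been translated by the time the crypto map is evaluated.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the ASA 7.x outbound order of operations the reply
# relies on: NAT is evaluated first (nat 0 exemption, then policy NAT/PAT),
# and the crypto map ACL is matched afterwards against the translated
# source address. Addresses are from the thread; the ACL encoding is ours.

SITE1_INSIDE = "10.171.1.0/24"
SITE2_INSIDE = "151.193.141.0/24"
NAT_GLOBAL_IP = "192.168.1.2"      # global (outside) 1 192.168.1.2
ANY = "0.0.0.0/0"

# ACLs as ordered (action, source, destination) entries; first match wins,
# implicit deny at the end, mirroring the access-lists in the posted config.
NO_NAT_DEFAULT = [("deny", ANY, SITE2_INSIDE), ("permit", ANY, ANY)]
NAT_VPN = [("permit", ANY, SITE2_INSIDE)]
VPN_IPSEC_POST_NAT = [("permit", NAT_GLOBAL_IP + "/32", SITE2_INSIDE)]
VPN_IPSEC_PRE_NAT = [("permit", SITE1_INSIDE, SITE2_INSIDE)]   # the mistake to avoid


def acl_lookup(acl, src, dst):
    """First matching entry decides; None means implicit deny (nothing matched)."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action
    return None


def translate_source(src, dst):
    """Source address after the inside-to-outside NAT stage.

    Precedence follows the ASA: the nat (inside) 0 access-list exemption is
    checked first, then nat (inside) 1 policy NAT, which PATs the flow to
    the global (outside) 1 address. Assumption: nat-control is off, so a
    flow that matches no rule leaves untranslated.
    """
    if acl_lookup(NO_NAT_DEFAULT, src, dst) == "permit":
        return src
    if acl_lookup(NAT_VPN, src, dst) == "permit":
        return NAT_GLOBAL_IP
    return src


def outbound(src, dst, crypto_acl):
    """Return (source address seen on the wire, whether the crypto map selected the flow)."""
    wire_src = translate_source(src, dst)
    in_tunnel = acl_lookup(crypto_acl, wire_src, dst) == "permit"
    return wire_src, in_tunnel


if __name__ == "__main__":
    host, peer = "10.171.1.50", "151.193.141.10"     # constructed sample hosts
    print("post-NAT crypto ACL:", outbound(host, peer, VPN_IPSEC_POST_NAT))
    print("pre-NAT crypto ACL: ", outbound(host, peer, VPN_IPSEC_PRE_NAT))
    print("internet-bound:     ", outbound(host, "203.0.113.7", VPN_IPSEC_POST_NAT))
```

Running it shows the site-2-bound packet leaving as 192.168.1.2 and entering the tunnel only when the crypto ACL names that translated address; with the crypto ACL written against 10.171.1.0/24 the same packet is translated but then sent in the clear, which is the failure mode to check for when a "NAT before IPsec" design suddenly shows no encrypted traffic.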


-----Original message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Dave Lim
Sent: 12 July 2007 11:28
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA Site to Site VPN

I have a site to site VPN requirement. My client wants to NAT the private IP
address to an IP on the outside interface before it traverses the ASA tunnel.

Site 1
ASA outside: 192.168.1.1/24
ASA inside: 10.171.1.1/24

Site 2
ASA outside: 172.16.1.1
ASA inside: 151.193.141.0/24

I have established a site to site VPN tunnel for them and all packets are
able to traverse the VPN tunnel. But they have a weird requirement: they
want the ASA to NAT the inside network to the IP address 192.168.1.2 before
it is encapsulated in the IPsec tunnel.

This is so that in site 2, the packets will be seen with a source IP address of
192.168.1.2 and not 10.171.1.1. They want to hide their private network IP
address range from site 2.

Is this technically possible?
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/