IPsec VPN Tunnel with Network Address Translation on ASA firewall

Posted: August 9, 2015 in CISCO

In this example an IPsec site-to-site VPN tunnel (using a pre-shared key) is configured between routers R1 and R2.

That traffic is NAT-ed on the ASA and, on its way from the inside to the outside, it appears as if it originated from an address on the outside.


In my previous posts I was writing about IPsec policies, so I won't go into further explanations.


Interface and routing configuration on R1:

interface FastEthernet0/0
ip address
ip nat inside
interface FastEthernet0/1
ip address
ip nat outside
ip route

NAT configuration on R1:

!We have a pool of IP addresses used for NAT translation
R1(config)#ip nat pool nat_pool netmask
!We need to exclude the "interesting traffic" (the flows that go into the tunnel) from NAT
R1(config)#access-list 130 deny ip
!And to allow clients from the inside net access to the outside
R1(config)#access-list 130 permit ip any
!Translate IP addresses of inside hosts to the addresses defined in nat_pool
R1(config)#ip nat inside source list 130 pool nat_pool

IPSec configuration on R1

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share !authentication
R1(config-isakmp)#encryption aes 256       !encryption
R1(config-isakmp)#hash sha                 !hash algorithm
R1(config-isakmp)#group 5                  !DH group
R1(config-isakmp)#lifetime 3600            !lifetime
R1(config)#crypto isakmp key mykey address
R1(config)#crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!Encrypted traffic
R1(config)#access-list 101 permit ip
R1(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#match address 101                  !ACL 101
R1(config-crypto-map)#set peer                !R2's interface
R1(config-crypto-map)#set transform-set myset            !transform set created earlier
R1#config t
R1(config)#int f0/1
R1(config-if)#crypto map mymap
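Added here as a configuration check, not part of the original post: a small Python lint over an IOS-style running config. The sample config is constructed with RFC 5737 placeholder addresses and mirrors the R1 layout above (NAT ACL 130 with its deny for the VPN flows, crypto ACL 101, transform set myset); it deliberately references a transform set named 10 so the check has something to report. The check flags crypto map entries whose transform set or ACL is never defined, and VPN flows that the NAT ACL does not exempt.

```python
import re

# Constructed sample modelled on the R1 configuration above; addresses are
# RFC 5737 documentation placeholders, not those of the original post.
R1_CONFIG = """\
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
access-list 101 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
access-list 130 deny ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
access-list 130 permit ip 192.0.2.0 0.0.0.255 any
ip nat inside source list 130 pool nat_pool
crypto map mymap 10 ipsec-isakmp
 match address 101
 set peer 203.0.113.2
 set transform-set 10
"""

def check_config(config: str) -> list[str]:
    """Report dangling references in crypto map entries and missing NAT exemptions."""
    transform_sets = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    nat_acls = re.findall(r"^ip nat inside source list (\S+)", config, re.M)
    findings = []
    # Each entry is 'crypto map NAME SEQ ipsec-isakmp' followed by its indented lines
    entry = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\n((?: .*\n)*)", re.M)
    for name, seq, body in entry.findall(config):
        label = f"crypto map {name} {seq}"
        if "set peer " not in body:
            findings.append(f"{label}: no peer configured")
        ts = re.search(r"set transform-set (.+)", body)
        if ts is None:
            findings.append(f"{label}: no transform-set configured")
        else:
            for t in ts.group(1).split():
                if t not in transform_sets:
                    findings.append(f"{label}: transform-set '{t}' is not defined")
        acl = re.search(r"match address (\S+)", body)
        if acl is None or acl.group(1) not in acls:
            findings.append(f"{label}: 'match address' ACL missing or not defined")
            continue
        # Every flow the crypto ACL selects must be denied (exempted) in the NAT ACL,
        # otherwise it is translated before encryption and never matches the tunnel.
        flows = re.findall(rf"^access-list {acl.group(1)} permit ip (.+)$", config, re.M)
        for nat_acl in nat_acls:
            denies = set(re.findall(rf"^access-list {nat_acl} deny +ip (.+)$", config, re.M))
            for flow in flows:
                if flow not in denies:
                    findings.append(f"{label}: flow '{flow}' is not exempted from NAT ACL {nat_acl}")
    return findings
```

Feed it the text of show running-config; once the transform-set line names myset the report is empty, and removing the deny from ACL 130 produces a NAT-exemption finding.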

IPSec configuration on R2

R2(config)#crypto isakmp policy 10
R2(config-isakmp)#authentication pre-share !authentication
R2(config-isakmp)#encryption aes 256       !encryption
R2(config-isakmp)#hash sha                 !hash algorithm
R2(config-isakmp)#group 5                  !DH group
R2(config-isakmp)#lifetime 3600            !lifetime
R2(config)#crypto isakmp key mykey address
R2(config)#crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!Encrypted traffic
R2(config)#access-list 101 permit ip
R2(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#match address 101                  !ACL 101
R2(config-crypto-map)#set peer                !R1's interface
R2(config-crypto-map)#set transform-set myset            !transform set created earlier
R2#config t
R2(config)#int f0/0
R2(config-if)#crypto map mymap


Configuring ASA:

!Permit encapsulated traffic through firewall
ciscoasa(config)# access-list 101 extended permit esp any host
ciscoasa(config)# access-group 101 in interface outside
!Create an object for the address to which inside traffic will be translated
ciscoasa(config)# object network ASA
ciscoasa(config-network-object)# host
ciscoasa(config-network-object)# object network inside_net
ciscoasa(config-network-object)# subnet
ciscoasa(config-network-object)# nat (inside,outside) static ASA

Ping from to network


Traffic captured between the ASA and R1 is encrypted (ESP).


Encapsulated traffic is translated from the inside address to the "imagined" public IP address:

ciscoasa(config-network-object)# sh xlate
1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside: to outside:
flags s idle 0:07:51 timeout 0:00:00
