IPsec VPN Tunnel with Network Address Translation on ASA firewall

Posted: August 9, 2015 in CISCO

In this example an IPsec site-to-site VPN tunnel (using a pre-shared key) is configured between routers R1 and R2.

That traffic is NAT-ed on the ASA and, on its way from the inside to the outside, it appears as if it originated from the outside.


In my previous posts I was writing about IPsec policies, so I won't go into further explanations.

R1:

interface FastEthernet0/0
ip address 20.20.20.2 255.255.255.0
ip nat inside
interface FastEthernet0/1
ip address 10.10.10.2 255.255.255.0
ip nat outside
ip route 0.0.0.0 0.0.0.0 10.10.10.1

NAT configuration on R1:

!We have a pool of IP addresses used for NAT translation
R1(config)#ip nat pool nat_pool 10.10.10.40 10.10.10.50 netmask 255.255.255.0
!We need to exclude the "interesting traffic" (VPN traffic) from NAT
R1(config)#access-list 130 deny  ip 20.20.20.0 0.0.0.255 172.16.3.0 0.0.0.255
!And to allow clients from the inside net access to the outside
R1(config)#access-list 130 permit ip 20.20.20.0 0.0.0.255 any
!Translate IP addresses of inside hosts to the addresses defined in nat_pool
R1(config)#ip nat inside source list 130 pool nat_pool

IPSec configuration on R1

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share !authentication
R1(config-isakmp)#encryption aes 256       !encryption
R1(config-isakmp)#hash sha                 !hash algorithm
R1(config-isakmp)#group 5                  !DH group
R1(config-isakmp)#lifetime 3600            !lifetime
R1(config)#crypto isakmp key mykey address 30.30.30.2
R1(config)#crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!Encrypted traffic
R1(config)#access-list 101 permit ip 20.20.20.0 0.0.0.255 172.16.3.0 0.0.0.255
R1(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#match address 101                  !ACL 101
R1(config-crypto-map)#set peer 30.30.30.2                !R2's interface
R1(config-crypto-map)#set transform-set myset            !transform set created earlier
R1#config t
R1(config)#int f0/1
R1(config-if)#crypto map mymap
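As an added illustration (not part of the original post), the model below replays R1's order of operations for inside-to-outside traffic: on IOS the NAT translation is applied before the crypto map is evaluated, so the crypto ACL only ever sees the post-NAT source address. It models ACL 130 and ACL 101 exactly as configured above; the only assumption is that a translated packet takes the first address of nat_pool (10.10.10.40), which is enough to show why the `deny` line in ACL 130 must come first.

```python
import ipaddress
from typing import List, Tuple

# Constructed model of R1's two ACLs from the post: NAT ACL 130 (deny = exempt
# from NAT, permit = translate) and crypto ACL 101 (permit = encrypt).
# Entries are (action, src_net, src_wildcard, dst_net, dst_wildcard) in IOS
# wildcard notation; "any" is written as 0.0.0.0 255.255.255.255.
NAT_ACL_130: List[Tuple[str, str, str, str, str]] = [
    ("deny",   "20.20.20.0", "0.0.0.255", "172.16.3.0", "0.0.0.255"),
    ("permit", "20.20.20.0", "0.0.0.255", "0.0.0.0",    "255.255.255.255"),
]
CRYPTO_ACL_101 = [
    ("permit", "20.20.20.0", "0.0.0.255", "172.16.3.0", "0.0.0.255"),
]
NAT_POOL_FIRST = "10.10.10.40"   # assumption: first free address of nat_pool


def wc_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard match: bits that are 0 in the wildcard must equal the net."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_action(acl, src: str, dst: str) -> str:
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    for action, sn, sw, dn, dw in acl:
        if wc_match(src, sn, sw) and wc_match(dst, dn, dw):
            return action
    return "deny"


def inside_to_outside(src: str, dst: str, nat_acl=NAT_ACL_130) -> Tuple[str, bool]:
    """Return (source address on the wire, encrypted?) for a packet leaving f0/1.

    NAT runs before the crypto map on the inside->outside path, so a source
    that ACL 130 permits is rewritten before ACL 101 is consulted."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = NAT_POOL_FIRST            # translated to a nat_pool address
    encrypted = acl_action(CRYPTO_ACL_101, src, dst) == "permit"
    return src, encrypted
```

Evaluating the same VPN-bound packet with the `deny` entry removed (`inside_to_outside("20.20.20.5", "172.16.3.10", NAT_ACL_130[1:])`) shows the failure mode to watch for: the source is translated, ACL 101 no longer matches, and the packet leaves in cleartext instead of inside ESP.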

IPSec configuration on R2

R2(config)#crypto isakmp policy 10
R2(config-isakmp)#authentication pre-share !authentication
R2(config-isakmp)#encryption aes 256       !encryption
R2(config-isakmp)#hash sha                 !hash algorithm
R2(config-isakmp)#group 5                  !DH group
R2(config-isakmp)#lifetime 3600            !lifetime
R2(config)#crypto isakmp key mykey address 10.10.10.2
R2(config)#crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!Encrypted traffic
R2(config)#access-list 101 permit ip 172.16.3.0 0.0.0.255 20.20.20.0 0.0.0.255
R2(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#match address 101                  !ACL 101
R2(config-crypto-map)#set peer 10.10.10.2                !R1's interface
R2(config-crypto-map)#set transform-set myset            !transform set created earlier
R2#config t
R2(config)#int f0/0
R2(config-if)#crypto map mymap


Configuring ASA:

!Permit encapsulated traffic through the firewall
ciscoasa(config)# access-list 101 extended permit esp any host 30.30.30.2
ciscoasa(config)# access-group 101 in interface outside
!Create an object for the address to which inside traffic will be translated (30.30.30.120)
ciscoasa(config)# object network ASA
ciscoasa(config-network-object)# host 30.30.30.120
!Create an object for the inside network and translate it to the ASA object
ciscoasa(config-network-object)# object network inside_net
ciscoasa(config-network-object)# subnet 172.16.3.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) static ASA

Ping from 172.16.3.0 to 20.20.20.0 network


Traffic captured between ASA and R1 is encrypted (ESP)


Encapsulated traffic is translated from the inside address (172.16.3.10) to 30.30.30.120, the "imagined" public IP address:

ciscoasa(config-network-object)# sh xlate
1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:172.16.3.0/24 to outside:30.30.30.120
flags s idle 0:07:51 timeout 0:00:00
