VPN with policy NAT (source addresses changed)
- 10.85.69.0/24 - 3rd company LAN
- 10.54.229.148/31 - source addresses entering the 3RD VPN tunnel are changed to this network
- All traffic going through the 3RD VPN tunnel should be visible as 10.54.229.148/31
- 10.41.41.0/24 - destination addresses entering the COMPANY VPN tunnel
- 10.39.20.0/24 - our LAN
- The LAN has to have access to the Internet.
Access-list for the 3RD VPN tunnel (used by the policy NAT rule).
(config)#access-list vpn_policy_3rd extended permit ip 10.39.20.0 255.255.255.0 10.86.25.0 255.255.255.0
Access-list for the COMPANY VPN tunnel.
(config)#access-list vpn_company extended permit ip 10.39.20.0 255.255.255.0 10.41.41.0 255.255.255.0
Access-list for the 3RD VPN tunnel (crypto map match). It lists the translated addresses, because the ASA applies NAT before it evaluates the crypto map ACL.
(config)#access-list 3RD extended permit ip 10.54.229.148 255.255.255.254 any
Traffic which should not be NATed, in this case the COMPANY VPN traffic.
Best practice is to create a separate access-list for traffic which is exempt from NAT (nat 0).
(config)#nat (inside) 0 access-list vpn_company
Policy NAT for the 3RD VPN tunnel. All traffic will appear to come from 10.54.229.148/31.
The /31 mask is not a mistake: the ASA firewall accepts a 31-bit mask.
(config)#nat (inside) 2 access-list vpn_policy_3rd
NAT rule for Internet access.
(config)#nat (inside) 1 10.39.20.0 255.255.255.0
NATing the traffic defined in access-list vpn_policy_3rd onto 10.54.229.148/31.
(config)#global (outside) 2 10.54.229.148 netmask 255.255.255.254
Access to Internet.
(config)#global (outside) 1 interface
(config)#route outside 0.0.0.0 0.0.0.0 188.8.131.52
The default gateway in this example is sufficient for both VPN tunnels and the Internet.
4. VPN configuration
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map vpn 1 match address vpn_company
crypto map vpn 1 set peer 184.108.40.206
crypto map vpn 1 set transform-set vpnset
crypto map vpn 1 set security-association lifetime seconds 3600
crypto map vpn 1 set reverse-route
crypto map vpn 10 match address 3RD
crypto map vpn 10 set peer 220.127.116.11
crypto map vpn 10 set transform-set vpnset
crypto map vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
tunnel-group 18.104.22.168 type ipsec-l2l
tunnel-group 22.214.171.124 ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>
tunnel-group 126.96.36.199 type ipsec-l2l
tunnel-group 188.8.131.52 ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>
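The following script is an added example, not part of the original configuration: it models the NAT rules and crypto map ACLs above and shows, for a given flow, which NAT rule wins (nat 0 exemption, then policy nat 2, then nat 1) and which crypto map entry the translated packet matches. The outside interface address (203.0.113.1) and the parity-based pool pick are constructed assumptions; the ASA assigns pool addresses dynamically.

```python
import ipaddress

def net(s):
    return ipaddress.ip_network(s)

# Constructed model of the page's access-lists: (source net, destination net) pairs.
ACLS = {
    "vpn_company":    [(net("10.39.20.0/24"), net("10.41.41.0/24"))],
    "vpn_policy_3rd": [(net("10.39.20.0/24"), net("10.86.25.0/24"))],
    "3RD":            [(net("10.54.229.148/31"), net("0.0.0.0/0"))],
}
POLICY_POOL = list(net("10.54.229.148/31"))        # global (outside) 2: two addresses
OUTSIDE_IF = ipaddress.ip_address("203.0.113.1")   # assumed outside interface (global 1 interface)
INSIDE_LAN = net("10.39.20.0/24")                  # nat (inside) 1

def acl_matches(name, src, dst):
    return any(src in s and dst in d for s, d in ACLS[name])

def translate_source(src, dst):
    """Mirror the ASA order of evaluation: nat 0 (exemption) wins over policy NAT,
    which wins over the regular nat 1 rule. Returns (nat id, translated source)."""
    if acl_matches("vpn_company", src, dst):
        return 0, src                               # exempt: keep the real address
    if acl_matches("vpn_policy_3rd", src, dst):
        # The ASA chooses a pool address dynamically; the parity pick below is a
        # constructed choice so that the example is deterministic.
        return 2, POLICY_POOL[int(src) % len(POLICY_POOL)]
    if src in INSIDE_LAN:
        return 1, OUTSIDE_IF                        # PAT to the outside interface
    return None, src                                # no NAT rule applies

def crypto_map_entry(translated_src, dst):
    """Crypto map ACLs are evaluated after NAT, so they see the translated source.
    That is why access-list 3RD lists 10.54.229.148/31 and not the real LAN."""
    if acl_matches("vpn_company", translated_src, dst):
        return 1
    if acl_matches("3RD", translated_src, dst):
        return 10
    return None

def classify(src, dst):
    """Return (nat id, translated source as text, crypto map sequence or None)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nat_id, tsrc = translate_source(src, dst)
    return nat_id, str(tsrc), crypto_map_entry(tsrc, dst)

if __name__ == "__main__":
    for flow in [("10.39.20.10", "10.41.41.7"), ("10.39.20.10", "10.86.25.3"),
                 ("10.39.20.11", "10.86.25.3"), ("10.39.20.10", "198.51.100.9")]:
        print(flow, "->", classify(*flow))
```

Internet-bound traffic is translated to the interface address and therefore matches neither crypto ACL, while traffic to 10.41.41.0/24 stays untranslated and is matched by crypto map entry 1 with its real address.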