VPN with policy NAT (source addresses changed)


Assumptions:

  • 10.85.69.0/24 - 3rd company LAN
  • 10.54.229.148/31 - source addresses entering the 3RD VPN tunnel are translated to this network
  • All traffic going through the 3RD VPN tunnel should appear to come from 10.54.229.148/31
  • 10.41.41.0/24 - destination addresses reachable through the COMPANY VPN tunnel
  • 10.39.20.0/24 - our LAN
  • The LAN must also have access to the Internet.

[Figure: vpn_with_policy.jpg, network diagram for this setup]


  • 1. Access-lists

Access-list for the 3RD VPN tunnel (used by the NAT policy).

(config)#access-list vpn_policy_3rd extended permit ip 10.39.20.0 255.255.255.0 10.86.25.0 255.255.255.0

Access-list for the COMPANY VPN tunnel.

(config)#access-list vpn_company extended permit ip 10.39.20.0 255.255.255.0 10.41.41.0 255.255.255.0

Access-list for the 3RD VPN tunnel (it matches the translated source addresses).

(config)#access-list 3RD permit ip 10.54.229.148 255.255.255.254 any


  • 2. NAT

Traffic that should not be NATted: in this case the COMPANY VPN traffic.

The best practice is to create a separate access-list for traffic that should not be NATted.

(config)#nat (inside) 0 access-list vpn_company

Policy NAT for the 3RD VPN tunnel. All traffic will appear to come from 10.54.229.148/31.

The /31 mask is not a mistake; the ASA firewall allows a 31-bit mask.

(config)#nat (inside) 2 access-list vpn_policy_3rd

NAT rule for Internet access.

(config)#nat (inside) 1 10.39.20.0 255.255.255.0

NAT the traffic matched by access-list vpn_policy_3rd onto 10.54.229.148/31.

(config)#global (outside) 2 10.54.229.148 netmask 255.255.255.254

Access to the Internet (PAT on the outside interface address).

(config)#global (outside) 1 interface

  • 3. Routing

(config)#route outside 0.0.0.0 0.0.0.0 1.1.1.2

A default gateway is sufficient in this example for both VPN tunnels and Internet access.

  • 4. VPN configuration

crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map vpn 1 match address vpn_company
crypto map vpn 1 set peer 2.2.2.2
crypto map vpn 1 set transform-set vpnset
crypto map vpn 1 set security-association lifetime seconds 3600
crypto map vpn 1 set reverse-route
crypto map vpn 10 match address 3RD
crypto map vpn 10 set peer 3.3.3.3
crypto map vpn 10 set transform-set vpnset
crypto map vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *****
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key *****
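The point that ties sections 1, 2 and 4 together is evaluation order: on the outbound path the ASA applies NAT first and only then matches the packet against the crypto map ACLs, which is why access-list 3RD is written with the translated 10.54.229.148/31 while vpn_company is written with the real LAN. The script below is an added example (not part of the original post and not Cisco code) that models that order with the post's own access-lists, nat/global pairs and crypto map, so you can check where a given inside packet ends up. It uses the 10.86.25.0/24 destination exactly as the vpn_policy_3rd access-list has it (the assumptions list 10.85.69.0/24 for the 3rd company LAN; the two must agree on a real box). The outside interface address 1.1.1.1 and the choice of the first pool address are assumptions, as marked in the comments.

```python
"""Model of how this ASA picks a NAT rule and then a crypto map entry for an
outbound packet from the inside LAN (8.2-style nat/global syntax).

Added example, not part of the original post and not Cisco code.  Only the
outside interface address (OUTSIDE_IF) and the pool address picked for
policy NAT are assumptions; everything else mirrors the post's configuration.
"""
from ipaddress import ip_address, ip_network

# Assumed: the ASA's own outside interface address (the post shows only the
# next hop 1.1.1.2 in "route outside 0.0.0.0 0.0.0.0 1.1.1.2").
OUTSIDE_IF = ip_address("1.1.1.1")

# Access-lists from section 1, each ACE as (source network, destination network).
ACLS = {
    "vpn_policy_3rd": [(ip_network("10.39.20.0/24"), ip_network("10.86.25.0/24"))],
    "vpn_company":    [(ip_network("10.39.20.0/24"), ip_network("10.41.41.0/24"))],
    "3RD":            [(ip_network("10.54.229.148/31"), ip_network("0.0.0.0/0"))],
}

# "nat (inside)" rules in the order the ASA evaluates them: exemption (id 0)
# first, then policy NAT (nat id + access-list), then the plain network NAT.
NAT_RULES = [
    {"id": 0, "acl": "vpn_company"},                # nat (inside) 0 access-list vpn_company
    {"id": 2, "acl": "vpn_policy_3rd"},             # nat (inside) 2 access-list vpn_policy_3rd
    {"id": 1, "net": ip_network("10.39.20.0/24")},  # nat (inside) 1 10.39.20.0 255.255.255.0
]
# "global (outside)" pools, keyed by nat id.
GLOBALS = {
    2: ip_network("10.54.229.148/31"),  # global (outside) 2 10.54.229.148 netmask 255.255.255.254
    1: OUTSIDE_IF,                      # global (outside) 1 interface
}

# crypto map vpn entries in sequence order: (crypto ACL, peer).
CRYPTO_MAP = [("vpn_company", "2.2.2.2"), ("3RD", "3.3.3.3")]

# Variant of access-list 3RD written against the pre-NAT LAN instead of the
# translated /31, kept here only to show what the post's version avoids.
WRONG_ACLS = {**ACLS, "3RD": [(ip_network("10.39.20.0/24"), ip_network("0.0.0.0/0"))]}


def acl_matches(acls, name, src, dst):
    """True if any ACE in the named access-list permits src -> dst."""
    return any(src in s and dst in d for s, d in acls[name])


def translate(src, dst, acls=ACLS):
    """Return (nat id, translated source) for an inside -> outside packet."""
    for rule in NAT_RULES:
        if "acl" in rule and acl_matches(acls, rule["acl"], src, dst):
            if rule["id"] == 0:
                return 0, src                       # NAT exemption: address unchanged
            pool = GLOBALS[rule["id"]]
            return rule["id"], pool.network_address  # assumed: first address of the pool
        if "net" in rule and src in rule["net"]:
            return rule["id"], GLOBALS[rule["id"]]  # PAT to the outside interface address
    return None, src                                # no rule: dropped if nat-control is on


def crypto_peer(translated_src, dst, acls=ACLS, crypto_map=CRYPTO_MAP):
    """IPsec peer whose crypto ACL matches the packet AFTER NAT, or None (clear text)."""
    for acl, peer in crypto_map:
        if acl_matches(acls, acl, translated_src, dst):
            return peer
    return None


def path(src_str, dst_str, acls=ACLS, crypto_map=CRYPTO_MAP):
    """Full outbound decision: (nat id, translated source as str, peer or None)."""
    src, dst = ip_address(src_str), ip_address(dst_str)
    nat_id, tsrc = translate(src, dst, acls)
    return nat_id, str(tsrc), crypto_peer(tsrc, dst, acls, crypto_map)


if __name__ == "__main__":
    for dst in ("10.41.41.5", "10.86.25.7", "198.51.100.9"):
        print(f"10.39.20.10 -> {dst}: (nat id, new source, peer) = {path('10.39.20.10', dst)}")
    # With the crypto ACL written against the pre-NAT LAN, the translated
    # packet matches no crypto map entry and would leave unencrypted.
    print("pre-NAT crypto ACL:", path("10.39.20.10", "10.86.25.7", acls=WRONG_ACLS))
```

Run it and the three printed cases correspond to the three paths in the post: COMPANY traffic is exempted (nat id 0) and encrypted to 2.2.2.2 with its real source, 3RD traffic is policy-NATted to 10.54.229.148 and encrypted to 3.3.3.3, and everything else is PATted to the outside address and sent in the clear. The last line is the check worth keeping in mind: a crypto ACL that names the real LAN for the 3RD peer never matches the already-translated packet, so that traffic would bypass the tunnel instead of failing loudly.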


dzbanek 2012-01-12
