Friday, December 9, 2011

Cisco ASA: NAT'ing site to site VPN traffic - NOT NOT NAT

So I have come across a few times where I needed to NAT VPN traffic to a certain IP address.  They remote end (usually a place that has a lot of VPN connections) wouldn't allow private addressing to be used.  So, I needed to have an IP address or range to use that was public.  With that said, I decided I wanted my subnet to be NAT'ed to the 174.X.X.167 address.  They will accept this on their remote end, as my client will be sending traffic only to them.  They will not be sending traffic to us.  With that said, we only need one IP address, since they are not trying to get to multiple servers here at my customer.
Lets look at the config:
Phase I:
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400

Phase II:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Tunnel creation:
tunnel-group 62.X.X.233 type ipsec-l2l
tunnel-group 62.X.X.233 ipsec-attributes
 pre-shared-key passkey

Now the fun stuff.  Remember, we ARE NAT'ing our traffic.  We want to NAT our private network to 174.X.X.167.  So, we need to define what internal traffic gets NAT'ed to the destination of 206.X.X.210. 
access-list policy-nat extended permit ip host 206.X.X.210    

Now, lets do the encryption ACL.  If you are coming from the network you get NAT'ed to be 174.X.X.167 and are destined to 206.X.X.210, then the following encryption ACL will do for traffic across the VPN.
Encryption ACL:
access-list customer-access extended permit ip host 174.X.X.167 host 206.X.X.210

Now, we have to tell it to NAT.  We do this with a static NAT translation.  We say if the ACL policy-nat is matched, then NAT to 174.X.X.167.
static (inside,outside) 174.X.X.167  access-list policy-nat   

Then go add the crypto map.
crypto map outside_map 20 match address customer-access
crypto map outside_map 20 set peer 62.X.X.233
crypto map outside_map 20 set transform-set ESP-AES-256-SHA

Apply to the outside interface:
crypto map outside_map interface outside
crypto isakmp enable outside

Done.  Now you are NAT'ing your vpn traffic across the site to site VPN.