Wednesday, January 23, 2013

Cisco ASA: 8.3/8.4 Site To Site VPN To NAT 'Interesting Traffic' Configuration Sample

Ever need to configure a site-to-site VPN on an ASA running the new code (8.3 and later)? And did you also need to NAT that interesting traffic across the VPN? I have, often enough that I needed to create a template to refer to and modify as needed. Here is what I have; maybe it will help you out as well.

Phase I:
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

Phase II:
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

OBJECTS:
Remote side:
object network obj-5.5.5.128
 subnet 5.5.5.128 255.255.255.128

Internal side (Traffic will be NAT'ed to this address range):
object network obj-192.168.1.88
 subnet 192.168.1.88 255.255.255.248

Internal servers:
object network obj-192.168.1.24
 host 192.168.1.24
object network obj-192.168.1.3
 host 192.168.1.3
object network obj-192.168.1.5
 host 192.168.1.5
object network obj-192.168.1.6
 host 192.168.1.6
object network obj-192.168.1.42
 host 192.168.1.42
object network obj-192.168.1.155
 host 192.168.1.155
object network obj-192.168.1.40
 host 192.168.1.40

object-group network Internal-SvrGroup
 network-object object obj-192.168.1.24
 network-object object obj-192.168.1.3
 network-object object obj-192.168.1.5
 network-object object obj-192.168.1.6
 network-object object obj-192.168.1.42
 network-object object obj-192.168.1.155
 network-object object obj-192.168.1.40

object-group network Remote-SvrGroup
 network-object object obj-5.5.5.128

INTERESTING TRAFFIC ACL
access-list Remote-acl permit ip object obj-192.168.1.88 object obj-5.5.5.128

NAT'ING THE VPN TRAFFIC
nat (inside,outside) source static Internal-SvrGroup obj-192.168.1.88 destination static Remote-SvrGroup Remote-SvrGroup

PHASE I TUNNEL CONFIG
crypto ikev1 enable outside
tunnel-group 34.34.34.34 type ipsec-l2l
tunnel-group 34.34.34.34 ipsec-attributes
 ikev1 pre-shared-key vpnkey

PHASE II TUNNEL CONFIG
crypto map Tulsa 40 match address Remote-acl
crypto map Tulsa 40 set peer 34.34.34.34
crypto map Tulsa 40 set ikev1 transform-set ESP-AES-256-SHA
crypto map Tulsa interface outside

Notes: 'vpnkey' is a placeholder for the real pre-shared key. IKEv1 has to be enabled on the outside interface and the crypto map bound to it, or the tunnel will never negotiate. The 'ikev1' keywords shown are 8.4 syntax; on 8.3 the same commands are spelled with 'isakmp' (crypto isakmp policy, crypto isakmp enable outside). Because NAT is applied before the crypto ACL is evaluated, Remote-acl matches the mapped object (obj-192.168.1.88), not the real server group.
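As an added example (this is not part of Shane's post or any Cisco tooling), a small Python check for the two things that most often go wrong with this template: in 8.3+ the crypto ACL must name the mapped (post-NAT) object rather than the real server group, and the mapped block needs at least one address per real host. The config excerpt inside it is constructed from the objects above, trimmed to two servers.

```python
import ipaddress
# Constructed excerpt mirroring the template above (sample input, not a live config).
SAMPLE = """\
object network obj-5.5.5.128
 subnet 5.5.5.128 255.255.255.128
object network obj-192.168.1.88
 subnet 192.168.1.88 255.255.255.248
object network obj-192.168.1.24
 host 192.168.1.24
object network obj-192.168.1.3
 host 192.168.1.3
object-group network Internal-SvrGroup
 network-object object obj-192.168.1.24
 network-object object obj-192.168.1.3
object-group network Remote-SvrGroup
 network-object object obj-5.5.5.128
access-list Remote-acl permit ip object obj-192.168.1.88 object obj-5.5.5.128
nat (inside,outside) source static Internal-SvrGroup obj-192.168.1.88 destination static Remote-SvrGroup Remote-SvrGroup
"""

def parse(cfg):
    """Collect network objects/groups, the crypto ACL and the twice-NAT rule."""
    objs, acl, nat, cur = {}, None, None, None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] in ("object", "object-group") and t[1] == "network":
            cur, objs[t[2]] = t[2], []
        elif t[0] == "host":
            objs[cur].append(ipaddress.ip_network(t[1]))
        elif t[0] == "subnet":
            objs[cur].append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
        elif t[0] == "network-object":  # group member: "network-object object NAME"
            objs[cur].extend(objs[t[2]])
        elif t[0] == "access-list" and t[3] == "ip":
            acl = {"name": t[1], "src": t[5], "dst": t[7]}
        elif t[0] == "nat" and "source" in t:
            i, j = t.index("source"), t.index("destination")
            nat = {"real": t[i + 2], "mapped": t[i + 3], "dst": t[j + 2]}
    return objs, acl, nat

def lint(cfg):
    """Return problems with the VPN/NAT pairing; an empty list means it is consistent."""
    objs, acl, nat = parse(cfg)
    def size(name): return sum(n.num_addresses for n in objs[name])
    issues = []
    # 8.3+ evaluates the crypto ACL after NAT, so it must name the mapped object, not the real group.
    if acl["src"] != nat["mapped"]:
        issues.append(f"{acl['name']} source {acl['src']} is not the mapped object {nat['mapped']}")
    # One-to-one static NAT needs at least as many mapped addresses as real hosts.
    if size(nat["real"]) > size(nat["mapped"]):
        issues.append(f"{size(nat['real'])} real hosts exceed {size(nat['mapped'])} mapped addresses")
    return issues
```

Run it against your own 'show run' output for the object, access-list and nat lines; a non-empty list from lint() points at the mismatch before you spend time on debug crypto.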


10 comments:

  1. Good template, thanks for sharing it Shane.

  2. Definitely props are deserved with this post.

  3. What IP address should be used for the vpn-filter? Thanks

    1. I'm not sure I understand the question. Email me at shane.killen@gmail.com and explain in more detail what you would like to know.

    2. I need assistance understanding how the vpn-filter command is applied to tunneled traffic. What local network IP in the dest_ip position of the ACL should be configured, the real IP or the NAT?

  4. Thanks for sharing. It helped me get my connection complete using NAT through the tunnel on our new 5505 that is replacing a 501 PIX.
    However, on the PIX 501 I can ping systems on the other side; the ping doesn't get a response when connected with the 5505. Is there a setting missing?

    I have other tunnels set up that don't require the NATing (so they are simpler) on the 5505, and the ping works through them.
    Thanks again!

  5. I think you can allow ICMP in an ACL or you can do an 'inspect icmp' in the global inspection.

    1. Thanks for the fast response!

      It appears that inspect icmp is a global policy setting (I'm not a very competent Cisco user; most of my experience is back in the v6 days).

      I have tunnels set up to other clients that don't require NATing through the tunnel, and the ping works through these tunnels.

      The tunnel it doesn't work on, has a single IP address for the NATing, which is also a live IP on the net (ie routable, the client requires it). I'm thinking that for some reason the icmp response is not getting passed back through this live IP to the destination IP (which was the source when initiating the ping). Also doing the Ping does activate the tunnel (brings it up).

      Maybe I can email you with the setup info; it may be more explanatory. Would that be OK? (I see your email on previous posts.)