I’ve written a post on how to set up a Cisco ASA site-to-site VPN tunnel on pre-8.3 firmware here. Now I’m going to write about how to build a VPN tunnel on post-8.3 firmware, with emphasis on performing NAT for the traffic inside a site-to-site VPN tunnel.
Often, when establishing a VPN relationship with a 3rd party, we bump into overlapping internal network subnets (both sides use the same RFC 1918 range). The best practice is for each party to NAT the traffic destined for the VPN tunnel to a public IP address, so that the addresses carried inside the tunnel are globally unique and neither side has to renumber. Of course, you should own (or be assigned) the public IP space you translate to; never borrow someone else’s addresses for this.
As with NAT for internet traffic, you must determine whether you are the initiating party or the receiving party, as this determines which type of NAT you are going to use: dynamic PAT (what IOS calls NAT overload) for many clients initiating outbound, or static NAT for a server that must be reachable at a fixed address.
1. First, set up the tunnel. Define the phase 1 IKE parameters in the ISAKMP (IKEv1) policy. Both peers must have a policy with exactly matching parameters or phase 1 will not complete.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
Note that group 2 is 1024-bit Diffie-Hellman and hash sha is SHA-1; they are shown here because they are still widely accepted by 3rd parties, but prefer group 14 (2048-bit) where your software release offers it for IKEv1, and agree on the strongest policy the other side supports.
2. Then define the tunnel group, where x.x.x.x is the peer IP address. The tunnel group must be created as a LAN-to-LAN (ipsec-l2l) group before its IPsec attributes can be set; the pre-shared key is defined there. Use a long random key rather than a dictionary word, since a weak pre-shared key exposes IKE aggressive-mode and brute-force risk. On 8.4 and later the IKEv1-specific keyword is ikev1 pre-shared-key; the older pre-shared-key form shown here is migrated to it on upgrade.
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key mysecretkey
Enable IKEv1 on your outside interface if you haven’t already. The name must match the interface’s nameif exactly; this post uses OUTSIDE throughout.
crypto ikev1 enable OUTSIDE
3. Now define the phase 2 IPsec transform set. I’ve named it ESP-AES-256-SHA because it uses AES-256 for encryption and SHA-1 HMAC for integrity.
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
4. Define the crypto ACL that selects the traffic to be encrypted. Pay close attention to the SOURCE and DESTINATION used here. On 8.3 and later NAT is applied before the crypto ACL is evaluated, so the ACL must match the POST-NAT addresses: the public source and destination addresses as they appear inside the tunnel, not the real internal addresses. The other side’s crypto ACL must be the exact mirror of yours (your source is their destination), otherwise phase 2 fails with a proxy identity mismatch.
access-list CRYPTOACL extended permit ip host NATTED_SOURCE_IP host NATTED_DESTINATION_IP
5. Next set up the crypto map and apply it to the outside interface.
crypto map OUTSIDE_map 50 match address CRYPTOACL
crypto map OUTSIDE_map 50 set peer x.x.x.x
crypto map OUTSIDE_map 50 set ikev1 transform-set ESP-AES-256-SHA
!
crypto map OUTSIDE_map interface OUTSIDE
6. Wait, we’re not done yet. Here comes the important part: we need to set up the NAT statements. On 8.3 and later the addresses in a manual (twice) NAT rule are network objects, not bare IP addresses, so define a network object for each of the pre-NAT, post-NAT and destination addresses first; the names below stand for those objects.
If you are hosting a server that is the receiving end of the VPN traffic, you will need a static NAT. This statement can also be used at the initiating end if you only have one host that needs to reach the other end. The destination clause is an identity translation (the remote address maps to itself) and is what limits the rule to traffic to and from the VPN peer, so the host keeps its normal internet NAT for everything else. Manual NAT rules are evaluated in order and take precedence over object NAT, so keep the VPN rules above any broader manual rules that also match these hosts.
nat (INSIDE,OUTSIDE) source static PRENAT_IP POSTNAT_IP destination static DESTINATION_IP DESTINATION_IP
If you are initiating the tunnel traffic and have multiple clients, you will want dynamic PAT (NAT overload). Define a network object for your internal subnet and attach the NAT rule to it:
object network INSIDE_VPN_PAT
 subnet PRENAT_IP 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic POSTNAT_IP
Be aware that an object NAT rule has no destination clause, so this translates every flow from that subnet leaving OUTSIDE, including internet traffic, to POSTNAT_IP. If the subnet already has a different internet PAT, write the VPN rule as a manual NAT with a destination clause instead (the same form as the static rule above, with source dynamic in place of source static), so that only traffic bound for the remote side is translated.
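Here is the whole procedure put together for one side of an overlapping-subnet tunnel. This is an added worked example, not configuration from the original post; every address is constructed from the RFC 5737 documentation ranges and the object names are my own. It assumes both sites use 10.1.1.0/24, that we present our server as 203.0.113.10 and our clients as 203.0.113.20, and that the partner presents their server as 198.51.100.10 from peer 198.51.100.1. It goes slightly beyond the post by using manual NAT with a destination clause for the dynamic PAT as well, so that neither rule touches internet traffic.

```cisco
! Added example (not the post's own config). Constructed addresses:
!   our inside LAN      10.1.1.0/24  (same range as the partner's LAN)
!   our server          10.1.1.10    -> seen by partner as 203.0.113.10
!   our clients         10.1.1.0/24  -> seen by partner as 203.0.113.20 (PAT)
!   partner's server    seen by us as 198.51.100.10 (their post-NAT address)
!   partner's VPN peer  198.51.100.1

! Phase 1: IKEv1 policy (group 14 = 2048-bit DH; the post's group 2 is
! 1024-bit and deprecated in recent ASA releases)
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable OUTSIDE

! LAN-to-LAN tunnel group; replace the key with a long random value
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_RANDOM_KEY

! Phase 2 transform set
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

! Network objects: real (pre-NAT) and mapped (post-NAT) addresses
object network SRV_REAL
 host 10.1.1.10
object network SRV_MAPPED
 host 203.0.113.10
object network LAN_REAL
 subnet 10.1.1.0 255.255.255.0
object network LAN_PAT
 host 203.0.113.20
object network PARTNER_SRV
 host 198.51.100.10

! Manual (twice) NAT, evaluated in order: the more specific server rule
! comes first because 10.1.1.10 also falls inside LAN_REAL.
! The identity destination clause restricts both rules to VPN traffic,
! so the existing internet PAT for 10.1.1.0/24 is left untouched.
nat (INSIDE,OUTSIDE) source static SRV_REAL SRV_MAPPED destination static PARTNER_SRV PARTNER_SRV
nat (INSIDE,OUTSIDE) source dynamic LAN_REAL LAN_PAT destination static PARTNER_SRV PARTNER_SRV

! Crypto ACL matches the POST-NAT addresses on both sides; the partner's
! ACL must be the exact mirror (198.51.100.10 -> 203.0.113.10 / .20)
access-list CRYPTOACL extended permit ip host 203.0.113.10 host 198.51.100.10
access-list CRYPTOACL extended permit ip host 203.0.113.20 host 198.51.100.10

crypto map OUTSIDE_map 50 match address CRYPTOACL
crypto map OUTSIDE_map 50 set peer 198.51.100.1
crypto map OUTSIDE_map 50 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map interface OUTSIDE

! Decrypted traffic bypasses the OUTSIDE interface ACL only while the
! default "sysopt connection permit-vpn" is in effect; if you have disabled
! it, permit 198.51.100.10 -> 203.0.113.10 on the OUTSIDE ACL as well.
```

To check it, run packet-tracer input INSIDE tcp 10.1.1.20 12345 198.51.100.10 443 and confirm the output shows a NAT phase translating the source to 203.0.113.20 followed by a VPN encrypt phase and a final ALLOW; then generate real traffic and watch the #pkts encaps and #pkts decaps counters in show crypto ipsec sa and the translate_hits and untranslate_hits in show nat detail. If phase 1 is up in show crypto ikev1 sa but phase 2 never forms, the crypto ACLs on the two sides almost always fail to mirror each other.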
That’s it. Make sure you test your VPN tunnel from both directions, since a NAT rule that works for outbound connections can still fail to un-translate inbound ones. If you are having trouble, check out my post on troubleshooting IPsec VPN tunnels here. Or if you need to restrict what passes through the tunnel with a VPN access-list, check out my post on implementing VPN filters.
If you are looking for a method of doing NAT on your VPN tunnel on pre-8.3 firmware, please refer to my old post here: https://www.alfredtong.com/cisco/security-cisco/cisco-pixasa-site-to-site-ipsec-vpntunnel/