Thursday 2 October 2014

IPSEC VPN on Cisco ASA with Overlapping Addresses

This article covers both the 8.2-and-earlier configuration and the 8.3/8.4 configuration. If you want a deeper understanding of the changes introduced in 8.3/8.4, compare that configuration with the more familiar 8.2 version. The problem we solve here is building a VPN between our enterprise network and an outside business partner whose address space, 192.168.1.0/24, overlaps with ours. The secure tunnel is established between the two firewalls shown in the image below: our ASA, with inside address 192.168.1.1/24 and outside address 1.1.1.2, and the partner's firewall at 1.1.1.1.
From the partner's perspective our network appears to be 192.168.2.0/24, so the outside party never needs to know that we actually use 192.168.1.0/24. To reach the partner's 192.168.1.0/24 network we send traffic to 192.168.3.x, where x is the host we want to reach on their 192.168.1.0/24 network; the firewall translates that destination back to 192.168.1.x before the packet enters the tunnel.

Since NAT has very different configuration syntax starting in 8.3, this article is broken into two sections.

Example of VPN with Overlapping addresses:

ASA 8.2 Syntax

ASA 8.3 and later Syntax


VPN with Overlapping Addresses (NAT 8.2 Syntax)

ciscoasa# show run
: Saved
:
ASA Version 8.2(1)
!
<snip for brevity>
!
interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
  nameif outside
  security-level 0
  ip address 1.1.1.2 255.255.255.0
!
interface Ethernet0/0
  switchport access vlan 2
!
<snip for brevity>
!
//crypto ACL, attached to the crypto map below
//written in post-NAT addresses: our mapped 192.168.2.0/24
//to the partner's real 192.168.1.0/24
access-list L2LAccessList extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!
//policy NAT ACL, attached to the static below
access-list SRC_Translation extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
!
<snip for brevity>
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
//policy nat translation
//translates a source of
//192.168.1.x/24 to
//192.168.2.0/24 only when
//the destination is 192.168.3.0/24
static (inside,outside) 192.168.2.0 access-list SRC_Translation
!
//outbound packets going to
//192.168.3.0/24 should have
//the destination changed
//to 192.168.1.0/24
static (outside,inside) 192.168.3.0 192.168.1.0 netmask 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
<snip for brevity>
!
//vpn configuration
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
<snip for brevity>
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key cisco
!
class-map inspection_default
match default-inspection-traffic
!
!
<snip for brevity>
!

VPN with Overlapping Addresses (NAT 8.3 and later Syntax)

ciscoasa# show run
: Saved
:
ASA Version 8.4(2)
!
!
interface Ethernet0/0
  switchport access vlan 2
!
interface Ethernet0/1
!
!
interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
  nameif outside
  security-level 0
  ip address 1.1.1.2 255.255.255.0
!
!
//object groups to be used
//in nat configuration (below)
object network obj-192.168.1.0
  subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
  subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
  subnet 192.168.3.0 255.255.255.0
object network obj_any
  subnet 0.0.0.0 0.0.0.0
!
//crypto ACL
access-list L2LAccessList extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!
//policy NAT ACL left over from the upgrade;
//no longer referenced by any nat statement and can be removed
access-list SRC_Translation extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
!
!
//policy nat translation
//translates a source of
//192.168.1.x/24 to
//192.168.2.0/24 only when
//the destination is 192.168.3.0/24
nat (inside,outside) source static obj-192.168.1.0 obj-192.168.2.0 destination static obj-192.168.3.0 obj-192.168.1.0
!
//object NAT carried over from the 8.2
//static (outside,inside) statement: maps the
//partner's real 192.168.1.0/24 to 192.168.3.0/24
//on the inside. The twice NAT rule above is
//evaluated first and already translates the
//destination for VPN traffic in both directions,
//so this rule is only reached by traffic the
//rule above does not match
object network obj-192.168.1.0
  nat (outside,inside) static 192.168.3.0
!
//PAT all other traffic to
//interface IP
object network obj_any
  nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
!
!
//VPN Configuration
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 10 set ikev1 transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
!
!
: end
ciscoasa#
VPN configurations have plenty of challenges on their own. Layering overlapping addresses on top forces you to understand the ASA's order of processing: for outbound traffic NAT is applied first and the crypto map ACL is then matched against the translated packet, which is why L2LAccessList is written with our mapped 192.168.2.0/24 as the source and the partner's real 192.168.1.0/24 as the destination rather than with our real addresses. A quick way to confirm this on the box is packet-tracer from an inside host to a 192.168.3.x address, checking that both the NAT and VPN (encrypt) phases report ALLOW, and show crypto ipsec sa, whose local and remote identities should be 192.168.2.0/24 and 192.168.1.0/24. Two cautions before reusing these examples in production: the pre-shared key cisco is a placeholder and should be replaced with a long random secret, and the IKE policy (AES with SHA-1 and Diffie-Hellman group 2) reflects the defaults of the time; use a larger DH group and SHA-2 where both peers support them. With that in mind, the examples above should serve as good starting points for anyone who needs to build a VPN across overlapping networks.
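To make the address mapping from the introduction and the order of processing above concrete, here is an added Python model of what the NAT statements and the crypto ACL do to a packet in each direction. It is not ASA code and not part of the original post; it assumes the addresses used in the article, constructs its own sample packets, and adds a hypothetical WRONG_ACL (the crypto ACL written in our real, pre-NAT addresses) to show why that variant would never select traffic for encryption.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr

    def __str__(self) -> str:
        return f"{self.src} -> {self.dst}"


def pkt(src: str, dst: str) -> Packet:
    """Construct a sample packet (test data, not captured traffic)."""
    return Packet(Addr(src), Addr(dst))


def shift(addr: Addr, real: Net, mapped: Net) -> Addr:
    """Static net-to-net translation: keep the host bits, swap the prefix."""
    offset = int(addr) - int(real.network_address)
    return Addr(int(mapped.network_address) + offset)


# Address spaces from the article; the partner's real space collides with ours.
OUR_REAL = Net("192.168.1.0/24")        # our inside network
OUR_MAPPED = Net("192.168.2.0/24")      # how the partner sees us
PARTNER_MAPPED = Net("192.168.3.0/24")  # how we address the partner
PARTNER_REAL = Net("192.168.1.0/24")    # the partner's actual network

# Crypto ACL L2LAccessList as on the page, written in post-NAT addresses.
L2L_ACL = [(Net("192.168.2.0/24"), Net("192.168.1.0/24"))]
# Hypothetical mistake (assumption for illustration): same ACL in pre-NAT addresses.
WRONG_ACL = [(Net("192.168.1.0/24"), Net("192.168.1.0/24"))]


def acl_permits(acl, p: Packet) -> bool:
    return any(p.src in s and p.dst in d for s, d in acl)


def nat_inside_to_outside(p: Packet) -> Packet:
    """Forward direction of the 8.4 twice NAT rule
    (nat (inside,outside) source static 192.168.1.0 192.168.2.0
         destination static 192.168.3.0 192.168.1.0),
    which is what the two static statements do in the 8.2 config."""
    if p.src in OUR_REAL and p.dst in PARTNER_MAPPED:
        return Packet(shift(p.src, OUR_REAL, OUR_MAPPED),
                      shift(p.dst, PARTNER_MAPPED, PARTNER_REAL))
    return p


def nat_outside_to_inside(p: Packet) -> Packet:
    """Same rule in the reverse direction (static NAT is bidirectional)."""
    if p.src in PARTNER_REAL and p.dst in OUR_MAPPED:
        return Packet(shift(p.src, PARTNER_REAL, PARTNER_MAPPED),
                      shift(p.dst, OUR_MAPPED, OUR_REAL))
    return p


def send_to_partner(p: Packet, acl=L2L_ACL):
    """Outbound order on the ASA: NAT first, then the crypto map ACL is
    evaluated against the translated packet.
    Returns (packet as seen on the wire, selected for encryption?)."""
    on_wire = nat_inside_to_outside(p)
    return on_wire, acl_permits(acl, on_wire)


def receive_from_partner(p: Packet, acl=L2L_ACL):
    """Inbound: the decrypted packet must match the mirror of the crypto ACL
    and is only then un-NATed toward the inside network.
    Returns (packet delivered inside, accepted by the mirrored ACL?)."""
    mirrored = acl_permits(acl, Packet(p.dst, p.src))
    return nat_outside_to_inside(p), mirrored


if __name__ == "__main__":
    wire, enc = send_to_partner(pkt("192.168.1.10", "192.168.3.20"))
    print(f"outbound: {wire}, encrypted={enc}")
    inside, ok = receive_from_partner(pkt("192.168.1.20", "192.168.2.10"))
    print(f"inbound:  {inside}, accepted={ok}")
    print("wrong ACL selects traffic:",
          send_to_partner(pkt("192.168.1.10", "192.168.3.20"), WRONG_ACL)[1])
```

Run it and the outbound line shows the packet leaving as 192.168.2.10 -> 192.168.1.20 and matching the crypto ACL, the partner's reply coming back in as 192.168.3.20 -> 192.168.1.10, and the pre-NAT ACL variant selecting nothing, which is exactly the situation in which the tunnel never comes up even though every statement looks reasonable on its own.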
