Here is the reason we need to NAT. We set up a DR site some while ago using 192.168.50.x (example) for the network. As we have grown, we have 10 or more class C (192.168.X.0/24) networks at our main site, and we have to put each one of these in our VPN configuration for now more than 20 remote sites.
June 3, 2013

I've written a post on how to set up a Cisco ASA site-to-site VPN tunnel here on pre-8.3 firmware. Now I'm going to write about how to make a VPN tunnel on post-8.3 firmware, with emphasis on performing NAT within a site-to-site VPN tunnel.
Often, when establishing a VPN relationship with a 3rd party, we bump into cases of overlapping internal network subnets. The best practice is for both parties to NAT the traffic destined for the VPN tunnel to a public IP address. Of course, you should be the owner of that public IP.
As with implementing NAT for internet traffic, you must determine whether you are the initiating party or the receiving party, as this determines which type of NAT you are going to use: NAT overload (dynamic PAT) or static NAT.
1. First off, let's set up the tunnel. Define the phase 1 IKE parameters used in the ISAKMP policy.
2. Then define the tunnel group, where x.x.x.x is the peer IP address. The pre-shared key is also defined here.
Enable ISAKMP on your outside interface if you haven't already.
3. Now define the phase 2 IPsec transform set. I've given the transform set the name ESP-AES-256-SHA, as it uses AES-256 and SHA-1.
4. Define the crypto ACL that will be used for the VPN traffic. Pay close attention to the SOURCE and DESTINATION used here. You want to use the POST-NAT IP addresses for the hosts involved, i.e. the SOURCE and DESTINATION public IP addresses in the tunnel.
5. Next, set up the crypto map and apply it to the outside interface.
6. Wait, we're not done yet. Here comes the important part: we need to set up the NAT statements.
If you are hosting a server that is the receiving end of the VPN traffic, you will need to use a static NAT. This statement can also be used at the initiating end if you only have one host that needs to reach the other end.
If you are initiating the tunnel traffic and have multiple clients, you will want to use a NAT overload statement. Use an object group to define your source NAT traffic.
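The six steps above carried through as one complete configuration. This is an added example, not the configuration from the original post; it assumes ASA 8.4+ IKEv1 command syntax, x.x.x.x as the peer, the documentation addresses 203.0.113.0/24 (our public range) and 198.51.100.0/24 (the partner's post-NAT network), and the object, ACL and crypto map names used below are made up for illustration.

```cisco
! Step 1: phase 1 IKE policy (IKEv1)
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! Step 2: tunnel group for the peer x.x.x.x with the pre-shared key
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK

! Step 3: phase 2 transform set (AES-256 / SHA-1)
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

! Objects: real (inside) and mapped (public) addresses
object network LOCAL-SERVER-REAL
 host 192.168.50.10
object network LOCAL-SERVER-NAT
 host 203.0.113.10
object network VPN-PAT-IP
 host 203.0.113.11
object network REMOTE-NET
 subnet 198.51.100.0 255.255.255.0
object-group network INSIDE-CLIENTS
 network-object 192.168.50.0 255.255.255.0

! Step 4: crypto ACL uses the POST-NAT (public) source addresses
access-list VPN-TO-PARTNER extended permit ip object LOCAL-SERVER-NAT object REMOTE-NET
access-list VPN-TO-PARTNER extended permit ip object VPN-PAT-IP object REMOTE-NET

! Step 5: crypto map bound to the outside interface
crypto map OUTSIDE-MAP 10 match address VPN-TO-PARTNER
crypto map OUTSIDE-MAP 10 set peer x.x.x.x
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE-MAP interface outside

! Step 6a: static (twice) NAT for the hosted server, scoped to the partner destination only
nat (inside,outside) source static LOCAL-SERVER-REAL LOCAL-SERVER-NAT destination static REMOTE-NET REMOTE-NET

! Step 6b: NAT overload (dynamic PAT) for many initiating clients, same destination scope
nat (inside,outside) source dynamic INSIDE-CLIENTS VPN-PAT-IP destination static REMOTE-NET REMOTE-NET
```

Because both NAT rules carry a `destination static REMOTE-NET REMOTE-NET` clause, they apply only to partner-bound traffic and leave internet NAT untouched; `show nat detail` shows their hit counts and `show crypto ipsec sa` should list the mapped addresses in the local identity.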
That's it. Make sure you test your VPN tunnel. If you are having trouble, check out my post on troubleshooting IPsec VPN tunnels here. Or if you need to implement a VPN access list, check out my post on implementing VPN filters.
If you are looking for a method of doing NAT on your VPN tunnel pre-8.3, please refer to my old post here: https://www.alfredtong.com/cisco/security-cisco/cisco-pixasa-site-to-site-ipsec-vpntunnel/