Tuesday, September 3, 2019

Cisco ASA VTI IKEv1 VPN with NAT.

Hello guys, I'm trying to set up a site-to-site VPN using VTI IKEv1 and it's working well.

Traffic can go from network 10.10.3.0/24 to network 192.168.1.0/24

But I don't quite understand how to NAT IP addresses to hide the real network range that sits behind.

What I want is for traffic that comes from 10.10.3.0/24 to be NAT'd to a made-up IP, say 10.10.10.1/32, and then for that to be NAT'd to 192.168.1.0/24 on the other side.

I've done this loads of times with NAT rules using encryption domains, but it appears this method does not work with VTI interfaces. Can someone point me in the correct direction?

My configs are below. I have a very basic config.

Site1

```
# Public IP 5.5.5.5
# Network 192.168.1.0/24
# VTI IP 15.15.15.6/24
# Steps
# Can you ping peer?
# ping 6.6.6.6
conf t
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 20
 authentication pre-share
 hash sha
 group 5
 encryption aes-256
 lifetime 86400
 exit
tunnel-group 6.6.6.6 type ipsec-l2l
tunnel-group 6.6.6.6 ipsec-attributes
 ikev1 pre-shared-key cisco*123
 exit
crypto ipsec ikev1 transform-set SITE1-TRANSFORM esp-aes-256 esp-sha-hmac
crypto ipsec profile SITE1-IPSEC-PROFILE
 set ikev1 transform-set SITE1-TRANSFORM
 set pfs group5
 exit
# Route-based VPN: whatever is routed out this interface gets encrypted
interface tunnel 10
 nameif TO_SITE1
 tunnel source interface OUTSIDE
 tunnel destination 6.6.6.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SITE1-IPSEC-PROFILE
 ip address 15.15.15.6 255.255.255.0
 exit
# Remote LAN 10.10.3.0/24 is reached via the peer's VTI address
route TO_SITE1 10.10.3.0 255.255.255.0 15.15.15.5
```

Site 2

```
# Public IP 6.6.6.6
# Network 10.10.3.0/24
# VTI IP 15.15.15.5/24
# Steps
# Can you ping peer?
# ping 5.5.5.5
conf t
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 30
 authentication pre-share
 hash sha
 group 5
 encryption aes-256
 lifetime 86400
 exit
tunnel-group 5.5.5.5 type ipsec-l2l
tunnel-group 5.5.5.5 ipsec-attributes
 ikev1 pre-shared-key cisco*123
 exit
crypto ipsec ikev1 transform-set SITE2-TRANSFORM esp-aes-256 esp-sha-hmac
crypto ipsec profile SITE2-IPSEC-PROFILE
 set ikev1 transform-set SITE2-TRANSFORM
 set pfs group5
 exit
# Route-based VPN: whatever is routed out this interface gets encrypted
interface tunnel 20
 nameif TO_SITE2
 ip address 15.15.15.5 255.255.255.0
 tunnel source interface OUTSIDE
 tunnel destination 5.5.5.5
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SITE2-IPSEC-PROFILE
 exit
# Remote LAN 192.168.1.0/24 is reached via the peer's VTI address
route TO_SITE2 192.168.1.0 255.255.255.0 15.15.15.6
```
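As an added example (not part of the original post), here is one way to do the NAT the post asks for on an ASA with a VTI. It assumes ASA 8.3+ object/manual NAT syntax and that the LAN-facing interface at Site 2 is named `inside` (the post does not show it); the object names are made up. The key difference from a crypto-map VPN is that there is no encryption-domain ACL to match the translated address against: a VTI encrypts whatever is routed out the tunnel interface, so the NAT rule is written between the real interface and the tunnel's `nameif`, and the far side needs a route for the mapped address pointing back into the tunnel.

```cisco
! ---- Site 2 (ASA 8.3+ syntax) ----
! Assumed: LAN interface nameif "inside" (not shown in the post); object names are made up.
object network SITE2-LAN
 subnet 10.10.3.0 255.255.255.0
object network SITE2-LAN-MAPPED
 host 10.10.10.1
! Manual (twice) NAT: hosts in 10.10.3.0/24 leaving via the VTI appear as 10.10.10.1
! (a single mapped host means dynamic PAT, so only Site 2 can initiate connections)
nat (inside,TO_SITE2) source dynamic SITE2-LAN SITE2-LAN-MAPPED

! Alternative if Site 1 must also initiate connections: static 1:1 NAT of the whole /24
! object network SITE2-LAN-MAPPED24
!  subnet 10.10.10.0 255.255.255.0
! nat (inside,TO_SITE2) source static SITE2-LAN SITE2-LAN-MAPPED24

! ---- Site 1 ----
! Site 1 now sees 10.10.10.1 as the source, so the mapped address (not 10.10.3.0/24)
! must be routed into the tunnel; otherwise replies follow whatever other route matches
! and never reach the VTI.
route TO_SITE1 10.10.10.1 255.255.255.255 15.15.15.5
```

To confirm the rule is hit and the packet leaves encrypted, run `packet-tracer input inside tcp 10.10.3.10 12345 192.168.1.10 80` on Site 2 and check that the NAT phase shows the translation to 10.10.10.1 and the output interface is `TO_SITE2`; `show nat detail` shows the hit count and `show crypto ipsec sa` should show the encap counter climbing. Hiding 192.168.1.0/24 from Site 2 is the same rule mirrored on Site 1 with `TO_SITE1` as the mapped interface, plus the matching host route on Site 2.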

