
Peer-to-Peer IPSec VPN using PAT

February 28th, 2014

There may be an occasion to set up a site-to-site VPN with a customer or partner network where, because of the risk of overlapping private RFC1918 address space on the two sides, the local network is presented to the peer as a single public address using Port Address Translation (PAT). This method uses a single IP address in a NAT (PAT) object. The example uses the object-based NAT syntax introduced in ASA software version 8.3. Two points to check before deploying it: the crypto ACL must match the translated address (191.21.34.193), not the real 172.23.128.0/22 network, because the ASA evaluates the crypto map after NAT; and because the local network is hidden behind PAT, sessions can only be initiated from the local side, since the remote site sees one address and cannot open connections to individual local hosts.

! ESP-DES-MD5 is defined below but referenced by neither crypto map entry;
! DES, 3DES and MD5 are legacy algorithms and should not be offered to new peers
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto isakmp enable outside

crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800

object network REMOTE-VPN-ENCRYPT-DOMAIN
subnet 215.128.239.128 255.255.255.128
object network REMOTE-DR-VPN-ENCRYPT-DOMAIN
subnet 215.128.232.128 255.255.255.128
object network LOCAL-VPN-ENCRYPT-DOMAIN
subnet 172.23.128.0 255.255.252.0

object-group network LOCAL-VPN-NAT-OBJECT
description provide NAT with port address translation
network-object host 191.21.34.193

access-list REMOTE-VPN-INTERESTING-TRAFFIC extended permit ip object-group LOCAL-VPN-NAT-OBJECT object REMOTE-VPN-ENCRYPT-DOMAIN log
access-list REMOTE-VPN-INTERESTING-TRAFFIC remark a typical production site

access-list REMOTE-DR-VPN-INTERESTING-TRAFFIC extended permit ip object-group LOCAL-VPN-NAT-OBJECT object REMOTE-DR-VPN-ENCRYPT-DOMAIN log
access-list REMOTE-DR-VPN-INTERESTING-TRAFFIC remark a typical backup or Disaster Recovery site

nat (inside,outside) source dynamic LOCAL-VPN-ENCRYPT-DOMAIN LOCAL-VPN-NAT-OBJECT destination static REMOTE-VPN-ENCRYPT-DOMAIN REMOTE-VPN-ENCRYPT-DOMAIN
nat (inside,outside) source dynamic LOCAL-VPN-ENCRYPT-DOMAIN LOCAL-VPN-NAT-OBJECT destination static REMOTE-DR-VPN-ENCRYPT-DOMAIN REMOTE-DR-VPN-ENCRYPT-DOMAIN

crypto map LOCAL-VPN-CRYPTO-MAP 1 match address REMOTE-VPN-INTERESTING-TRAFFIC
crypto map LOCAL-VPN-CRYPTO-MAP 1 set pfs
crypto map LOCAL-VPN-CRYPTO-MAP 1 set peer 215.128.226.145
crypto map LOCAL-VPN-CRYPTO-MAP 1 set transform-set ESP-AES-128-SHA ESP-3DES-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5
crypto map LOCAL-VPN-CRYPTO-MAP 1 set security-association lifetime seconds 3600
crypto map LOCAL-VPN-CRYPTO-MAP 2 match address REMOTE-DR-VPN-INTERESTING-TRAFFIC
crypto map LOCAL-VPN-CRYPTO-MAP 2 set pfs
crypto map LOCAL-VPN-CRYPTO-MAP 2 set peer 215.128.232.92
crypto map LOCAL-VPN-CRYPTO-MAP 2 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto map LOCAL-VPN-CRYPTO-MAP 2 set security-association lifetime seconds 3600
crypto map LOCAL-VPN-CRYPTO-MAP interface outside
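The configuration above only works if the NAT rules and the crypto ACLs agree: each crypto ACL source must be the mapped (post-NAT) side of a manual NAT rule towards the same remote encryption domain, the hidden network should be RFC1918, and the mapped source should be a single PAT host that does not collide with the remote domain. The following checker, an added example and not Cisco code or part of the original post, loads the relevant part of the page's configuration as a string (object bodies indented as the ASA prints them) and reports any violation of those constraints; it also catches the classic mistake of writing the real 172.23.128.0/22 network into the crypto ACL.

```python
"""Offline sanity checks for the PAT-behind-IPsec configuration above.

Added example, not Cisco code: ASA_CONFIG is the relevant part of the page's
configuration, copied here as a constructed string, and the checks encode
the constraints the design depends on.
"""
import ipaddress
import re

ASA_CONFIG = """\
object network REMOTE-VPN-ENCRYPT-DOMAIN
 subnet 215.128.239.128 255.255.255.128
object network REMOTE-DR-VPN-ENCRYPT-DOMAIN
 subnet 215.128.232.128 255.255.255.128
object network LOCAL-VPN-ENCRYPT-DOMAIN
 subnet 172.23.128.0 255.255.252.0
object-group network LOCAL-VPN-NAT-OBJECT
 network-object host 191.21.34.193
access-list REMOTE-VPN-INTERESTING-TRAFFIC extended permit ip object-group LOCAL-VPN-NAT-OBJECT object REMOTE-VPN-ENCRYPT-DOMAIN log
access-list REMOTE-DR-VPN-INTERESTING-TRAFFIC extended permit ip object-group LOCAL-VPN-NAT-OBJECT object REMOTE-DR-VPN-ENCRYPT-DOMAIN log
nat (inside,outside) source dynamic LOCAL-VPN-ENCRYPT-DOMAIN LOCAL-VPN-NAT-OBJECT destination static REMOTE-VPN-ENCRYPT-DOMAIN REMOTE-VPN-ENCRYPT-DOMAIN
nat (inside,outside) source dynamic LOCAL-VPN-ENCRYPT-DOMAIN LOCAL-VPN-NAT-OBJECT destination static REMOTE-DR-VPN-ENCRYPT-DOMAIN REMOTE-DR-VPN-ENCRYPT-DOMAIN
crypto map LOCAL-VPN-CRYPTO-MAP 1 match address REMOTE-VPN-INTERESTING-TRAFFIC
crypto map LOCAL-VPN-CRYPTO-MAP 2 match address REMOTE-DR-VPN-INTERESTING-TRAFFIC
"""

ACE_RE = re.compile(r"access-list (\S+) extended permit \S+ "
                    r"(?:object|object-group) (\S+) (?:object|object-group) (\S+)")
NAT_RE = re.compile(r"nat \(\S+\) source dynamic (\S+) (\S+) destination static (\S+) (\S+)")
MAP_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)")


def parse_objects(config):
    """Map each object / object-group name to the IPv4 networks it contains."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object(?:-group)? network (\S+)$", line)
        if m:
            current = objects.setdefault(m.group(1), [])
            continue
        if not raw.startswith(" "):          # left the object body
            current = None
            continue
        if current is None:
            continue
        tokens = line.split()
        if tokens[0] == "network-object":
            tokens = tokens[1:]
        if tokens[0] == "host":
            current.append(ipaddress.ip_network(tokens[1]))
        elif tokens[0] == "subnet":
            current.append(ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}"))
        elif tokens[0] == "object":          # nested object reference
            current.extend(objects.get(tokens[1], []))
        else:                                # network-object A.B.C.D MASK
            current.append(ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"))
    return objects


def audit(config):
    """Return a list of findings; an empty list means NAT and crypto ACLs agree."""
    objects = parse_objects(config)
    aces = {}
    for acl, src, dst in ACE_RE.findall(config):
        aces.setdefault(acl, []).append((src, dst))
    nat_rules = NAT_RE.findall(config)   # (real_src, mapped_src, real_dst, mapped_dst)
    real_sources = {rule[0] for rule in nat_rules}
    findings = []

    # 1. Each crypto ACL source must be the *mapped* side of a NAT rule towards
    #    the same destination: on 8.3+ the crypto map sees post-NAT addresses.
    for acl in MAP_RE.findall(config):
        for src, dst in aces.get(acl, []):
            if any(m_src == src and m_dst == dst for _, m_src, _, m_dst in nat_rules):
                continue
            if src in real_sources:
                findings.append(f"{acl}: source {src} is the pre-NAT network; "
                                "the crypto ACL must use the translated address")
            else:
                findings.append(f"{acl}: no NAT rule maps source {src} towards {dst}")

    # 2. The hidden network should be RFC1918, the mapped source a single PAT
    #    host, and that host must not collide with the remote encryption domain.
    for real, mapped, _, m_dst in nat_rules:
        for net in objects.get(real, []):
            if not net.is_private:
                findings.append(f"NAT real source {real} ({net}) is not RFC1918")
        for net in objects.get(mapped, []):
            if net.prefixlen != 32:
                findings.append(f"NAT mapped source {mapped} ({net}) is not a single PAT address")
            for remote in objects.get(m_dst, []):
                if net.overlaps(remote):
                    findings.append(f"PAT address {net} overlaps remote domain {remote}")
    return findings


if __name__ == "__main__":
    for finding in audit(ASA_CONFIG) or ["OK: NAT and crypto ACLs are consistent"]:
        print(finding)
```

On the firewall itself the same agreement can be confirmed with `packet-tracer input inside tcp 172.23.128.10 1025 215.128.239.130 443`, whose NAT phase should show the source translated to 191.21.34.193 before the VPN phase matches the crypto map, and with `show crypto ipsec sa peer 215.128.226.145`, where the local identity of the SA should be the PAT host rather than the 172.23.128.0/22 network.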
