Peer-to-Peer IPSec VPN using PAT
There may be an occasion to set up a site-to-site VPN with a customer or partner network where, because of the risk of overlapping private RFC1918 address space, the local encryption domain must be presented to the peer as a single public address using Port Address Translation (PAT). This method uses a single IP address in a NAT (PAT) object. The example uses the simplified NAT syntax available from ASA software version 8.3 onwards.

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800

object network REMOTE-VPN-ENCRYPT-DOMAIN
subnet 215.128.239.128 255.255.255.128
object network REMOTE-DR-VPN-ENCRYPT-DOMAIN
subnet 215.128.232.128 255.255.255.128
object network LOCAL-VPN-ENCRYPT-DOMAIN
subnet 172.23.128.0 255.255.252.0

object-group network LOCAL-VPN-NAT-OBJECT
description provide NAT with port address translation
network-object host 191.21.34.193

access-list REMOTE-VPN-INTERESTING-TRAFFIC extended permit ip object-group LOCAL-VPN-NAT-OBJECT object REMOTE-VPN-ENCRYPT-DOMAIN log
access-list REMOTE-VPN-INTERESTING-TRAFFIC remark a typical production site
access-list REMOTE-DR-VPN-INTERESTING-TRAFFIC extended permit ip object-group LOCAL-VPN-NAT-OBJECT object REMOTE-DR-VPN-ENCRYPT-DOMAIN log
access-list REMOTE-DR-VPN-INTERESTING-TRAFFIC remark a typical backup or Disaster Recovery site

nat (inside,outside) source dynamic LOCAL-VPN-ENCRYPT-DOMAIN LOCAL-VPN-NAT-OBJECT destination static REMOTE-VPN-ENCRYPT-DOMAIN REMOTE-VPN-ENCRYPT-DOMAIN
nat (inside,outside) source dynamic LOCAL-VPN-ENCRYPT-DOMAIN LOCAL-VPN-NAT-OBJECT destination static REMOTE-DR-VPN-ENCRYPT-DOMAIN REMOTE-DR-VPN-ENCRYPT-DOMAIN

crypto map LOCAL-VPN-CRYPTO-MAP 1 match address REMOTE-VPN-INTERESTING-TRAFFIC
crypto map LOCAL-VPN-CRYPTO-MAP 1 set pfs
crypto map LOCAL-VPN-CRYPTO-MAP 1 set peer 215.128.226.145
crypto map LOCAL-VPN-CRYPTO-MAP 1 set transform-set ESP-AES-128-SHA ESP-3DES-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5
crypto map LOCAL-VPN-CRYPTO-MAP 1 set security-association lifetime seconds 3600
crypto map LOCAL-VPN-CRYPTO-MAP 2 match address REMOTE-DR-VPN-INTERESTING-TRAFFIC
crypto map LOCAL-VPN-CRYPTO-MAP 2 set pfs
crypto map LOCAL-VPN-CRYPTO-MAP 2 set peer 215.128.232.92
crypto map LOCAL-VPN-CRYPTO-MAP 2 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto map LOCAL-VPN-CRYPTO-MAP 2 set security-association lifetime seconds 3600
crypto map LOCAL-VPN-CRYPTO-MAP interface outside
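The part of this design that is easy to get wrong is the pairing between the twice-NAT rules and the crypto ACLs: on ASA 8.3 and later the crypto ACL is evaluated against post-NAT addresses, which is why the interesting-traffic ACLs above name LOCAL-VPN-NAT-OBJECT (the PAT address) rather than the real 172.23.128.0/22 subnet. The script below is an added example, not part of the original post or a Cisco tool; it reads the object, ACL and NAT statements from the configuration above (embedded inline, with the page's own names and addresses) and checks, per peer, that the ACL uses the mapped source, that no ACL still uses the real subnet, that the PAT address does not sit inside the peer's encryption domain, and whether the real local subnet collides with the remote range. The parser only understands the four statement shapes used on this page; it is not a general ASA config parser.

```python
import ipaddress
import re

# Configuration excerpt taken from the page's example (ASA 8.3+ syntax),
# embedded so the check runs offline; names and addresses are the page's own.
PAGE_CONFIG = """
object network REMOTE-VPN-ENCRYPT-DOMAIN
 subnet 215.128.239.128 255.255.255.128
object network REMOTE-DR-VPN-ENCRYPT-DOMAIN
 subnet 215.128.232.128 255.255.255.128
object network LOCAL-VPN-ENCRYPT-DOMAIN
 subnet 172.23.128.0 255.255.252.0
object-group network LOCAL-VPN-NAT-OBJECT
 network-object host 191.21.34.193
access-list REMOTE-VPN-INTERESTING-TRAFFIC extended permit ip object-group LOCAL-VPN-NAT-OBJECT object REMOTE-VPN-ENCRYPT-DOMAIN log
access-list REMOTE-DR-VPN-INTERESTING-TRAFFIC extended permit ip object-group LOCAL-VPN-NAT-OBJECT object REMOTE-DR-VPN-ENCRYPT-DOMAIN log
nat (inside,outside) source dynamic LOCAL-VPN-ENCRYPT-DOMAIN LOCAL-VPN-NAT-OBJECT destination static REMOTE-VPN-ENCRYPT-DOMAIN REMOTE-VPN-ENCRYPT-DOMAIN
nat (inside,outside) source dynamic LOCAL-VPN-ENCRYPT-DOMAIN LOCAL-VPN-NAT-OBJECT destination static REMOTE-DR-VPN-ENCRYPT-DOMAIN REMOTE-DR-VPN-ENCRYPT-DOMAIN
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (?:object-group|object) (\S+) (?:object-group|object) (\S+)")
NAT_RE = re.compile(r"nat \(\S+\) source dynamic (\S+) (\S+) destination static (\S+) (\S+)")


def parse_objects(config):
    """Map object / object-group names to the ip_network list they contain."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object(?:-group)? network (\S+)", line)
        if m:
            current = m.group(1)
            objects.setdefault(current, [])
            continue
        m = re.match(r"subnet (\S+) (\S+)", line)
        if m and current:
            # ip_network accepts dotted-mask form, e.g. 172.23.128.0/255.255.252.0
            objects[current].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
            continue
        m = re.match(r"network-object host (\S+)", line)
        if m and current:
            objects[current].append(ipaddress.ip_network(f"{m.group(1)}/32"))
    return objects


def parse_acls(config):
    """Map ACL name -> (source object, destination object) for object-based permits."""
    return {m.group(1): (m.group(2), m.group(3))
            for m in (ACL_RE.match(l.strip()) for l in config.splitlines()) if m}


def parse_nat_rules(config):
    """List (real_src, mapped_src, real_dst, mapped_dst) for 'source dynamic' twice-NAT rules."""
    return [m.groups() for m in (NAT_RE.match(l.strip()) for l in config.splitlines()) if m]


def overlaps(nets_a, nets_b):
    return any(a.overlaps(b) for a in nets_a for b in nets_b)


def check_vpn_pat(config):
    """Check each PAT rule against the crypto ACLs; returns {remote object: findings}."""
    objects, acls, findings = parse_objects(config), parse_acls(config), {}
    for real_src, mapped_src, real_dst, mapped_dst in parse_nat_rules(config):
        remote = objects[real_dst]
        f = {
            # A real-address collision is hidden from the peer by PAT, but local hosts
            # would route the colliding remote range locally instead of into the tunnel.
            "real_overlaps_remote": overlaps(objects[real_src], remote),
            # The PAT address itself must not fall inside the peer's encryption domain.
            "mapped_overlaps_remote": overlaps(objects[mapped_src], remote),
            # ASA 8.3+ matches crypto ACLs on post-NAT addresses: the ACL for this peer
            # must name the mapped (PAT) object as source, never the real subnet.
            "acl_uses_mapped": any(s == mapped_src and d == real_dst for s, d in acls.values()),
            "acl_uses_real": any(s == real_src and d == real_dst for s, d in acls.values()),
            # The remote side is left untranslated (same object on both sides).
            "dest_untranslated": real_dst == mapped_dst,
        }
        f["ok"] = (f["acl_uses_mapped"] and not f["acl_uses_real"]
                   and not f["mapped_overlaps_remote"] and f["dest_untranslated"])
        findings[real_dst] = f
    return findings


if __name__ == "__main__":
    for peer, result in check_vpn_pat(PAGE_CONFIG).items():
        print(peer, "OK" if result["ok"] else "CHECK", result)
```

Run it against a saved `show running-config` excerpt to confirm both peers report OK; an ACL that names LOCAL-VPN-ENCRYPT-DOMAIN as its source would be flagged with `acl_uses_real`, the usual symptom being a tunnel that never comes up because no packet matches the crypto ACL after translation.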