{"id":1995,"date":"2014-02-28T12:27:43","date_gmt":"2014-02-28T12:27:43","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=1995"},"modified":"2014-02-28T12:28:18","modified_gmt":"2014-02-28T12:28:18","slug":"peer-to-peer-ipsec-vpn-using-pat","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=1995","title":{"rendered":"Peer-to-Peer IPSec VPN using PAT"},"content":{"rendered":"<p>There may be an occasion to set up a site-to-site VPN with a customer or partner network where, because of the risk of overlapping private RFC1918 address space, the local side is presented through a single public address using Port Address Translation. This method uses a single IP address in a NAT (PAT) object. This example uses the simplified NAT available from ASA software version 8.3+.<\/p>\n<blockquote><p>crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac<br \/>\ncrypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac<br \/>\ncrypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac<br \/>\ncrypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac<br \/>\ncrypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac<br \/>\ncrypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac<br \/>\ncrypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac<br \/>\ncrypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac<br \/>\ncrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac<br \/>\ncrypto ipsec security-association lifetime seconds 28800<br \/>\ncrypto ipsec security-association lifetime kilobytes 4608000<\/p>\n<p>crypto isakmp enable outside<\/p>\n<p>crypto isakmp policy 5<br \/>\nauthentication pre-share<br \/>\nencryption aes<br \/>\nhash sha<br \/>\ngroup 2<br \/>\nlifetime 28800<br \/>\ncrypto isakmp policy 10<br \/>\nauthentication pre-share<br \/>\nencryption 3des<br \/>\nhash sha<br \/>\ngroup 2<br \/>\nlifetime 
28800<\/p>\n<p>object network REMOTE-VPN-ENCRYPT-DOMAIN<br \/>\nsubnet 215.128.239.128 255.255.255.128<br \/>\nobject network REMOTE-DR-VPN-ENCRYPT-DOMAIN<br \/>\nsubnet 215.128.232.128 255.255.255.128<br \/>\nobject network LOCAL-VPN-ENCRYPT-DOMAIN<br \/>\nsubnet 172.23.128.0 255.255.252.0<\/p>\n<p>object-group network LOCAL-VPN-NAT-OBJECT<br \/>\ndescription provide NAT with port address translation<br \/>\nnetwork-object host 191.21.34.193<\/p>\n<p>access-list REMOTE-VPN-INTERESTING-TRAFFIC extended permit ip object-group LOCAL-VPN-NAT-OBJECT object REMOTE-VPN-ENCRYPT-DOMAIN log<br \/>\naccess-list REMOTE-VPN-INTERESTING-TRAFFIC remark a typical production site<\/p>\n<p>access-list REMOTE-DR-VPN-INTERESTING-TRAFFIC extended permit ip object-group LOCAL-VPN-NAT-OBJECT object REMOTE-DR-VPN-ENCRYPT-DOMAIN log<br \/>\naccess-list REMOTE-DR-VPN-INTERESTING-TRAFFIC remark a typical backup or Disaster Recovery site<\/p>\n<p>nat (inside,outside) source dynamic LOCAL-VPN-ENCRYPT-DOMAIN LOCAL-VPN-NAT-OBJECT destination static REMOTE-VPN-ENCRYPT-DOMAIN REMOTE-VPN-ENCRYPT-DOMAIN<br \/>\nnat (inside,outside) source dynamic LOCAL-VPN-ENCRYPT-DOMAIN LOCAL-VPN-NAT-OBJECT destination static REMOTE-DR-VPN-ENCRYPT-DOMAIN REMOTE-DR-VPN-ENCRYPT-DOMAIN<\/p>\n<p>crypto map LOCAL-VPN-CRYPTO-MAP 1 match address REMOTE-VPN-INTERESTING-TRAFFIC<br \/>\ncrypto map LOCAL-VPN-CRYPTO-MAP 1 set pfs<br \/>\ncrypto map LOCAL-VPN-CRYPTO-MAP 1 set peer 215.128.226.145<br \/>\ncrypto map LOCAL-VPN-CRYPTO-MAP 1 set transform-set ESP-AES-128-SHA ESP-3DES-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5<br \/>\ncrypto map LOCAL-VPN-CRYPTO-MAP 1 set security-association lifetime seconds 3600<br \/>\ncrypto map LOCAL-VPN-CRYPTO-MAP 2 match address REMOTE-DR-VPN-INTERESTING-TRAFFIC<br \/>\ncrypto map LOCAL-VPN-CRYPTO-MAP 2 set pfs<br \/>\ncrypto map LOCAL-VPN-CRYPTO-MAP 2 set peer 215.128.232.92<br \/>\ncrypto map LOCAL-VPN-CRYPTO-MAP 2 set transform-set 
ESP-AES-128-SHA ESP-3DES-SHA<br \/>\ncrypto map LOCAL-VPN-CRYPTO-MAP 2 set security-association lifetime seconds 3600<br \/>\ncrypto map LOCAL-VPN-CRYPTO-MAP interface outside<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>There may be an occasion to set up a site-to-site VPN with a customer or partner network where, because of the risk of overlapping private RFC1918 address space, the local side is presented through a single public address using Port Address Translation. This method uses a single IP address in a NAT (PAT) object. This example uses the simplified NAT available [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[83,13],"tags":[35,34,36],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1995"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1995"}],"version-history":[{"count":2,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1995\/revisions"}],"predecessor-version":[{"id":1997,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1995\/revisions\/1997"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1995"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1995"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1995"}],"
curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}