
Cisco VPN Multiple or Overlapping L2L Tunnels Using NAT

This post has the details on how to configure multiple or overlapping tunnels that use NAT when you already have an existing tunnel. It shows how to create multiple L2L tunnels to completely different networks and how to set up the access-list rules so that your traffic gets where it needs to go. This has been one of the more difficult VPN configurations I have seen so far.

Begin by setting up an access-list for interesting traffic. The word interesting in the Cisco context means any traffic that is bound for the VPN. Then configure any other ACL rules that you want. After that you must define your crypto maps. Crypto maps are the instructions for how the VPN works: they include encryption, hashing, which peer they talk to, and which access-list to use for matching. After that you define the tunnel-group attributes, which hold the pre-shared key if one is used. The first code block features a static NAT example. Static NAT is used in the situation of a single host mapping to a single outside IP. For example, if you had a local server at 192.168.1.2 and you wanted outside-to-inside access to this server from its 1.1.1.9 outside IP address on all ports, then you would define a static NAT rule in the ASA to accommodate this. If this is foreign to you and you want a blog entry on it specifically, drop me a line in the comments. In the following example, here is the breakdown of IPs and locations:
Site A is a pre-configured L2L VPN that you need to connect to. At Site A, they use a local subnet of 192.168.7.0/24. They have given you a NAT IP address for your outside interface of 10.2.2.2. The outside IP address of their ASA is 1.1.1.7. Your internal network is 192.168.1.0/24. Your server that needs to talk to the other side is 192.168.1.2. What you are trying to accomplish is to reach 192.168.7.0/24 resources by NATing through 10.2.2.2 while giving Site A access back to your server at 192.168.1.2.

! Access list for our interesting traffic. This is traffic that goes from the NAT to the other side of the VPN.
access-list vpn1 extended permit ip host 10.2.2.2 192.168.7.0 255.255.255.0

! Access list used by the static NAT below: traffic from the local server to the remote subnet is translated to the NAT address, which also lets Site A reach the server at 192.168.1.2 through 10.2.2.2
access-list static-vpn1 extended permit ip host 192.168.1.2 192.168.7.0 255.255.255.0

! Setup the encryption transform-set
crypto ipsec transform-set newset esp-3des esp-md5-hmac

! Crypto map configuration that will match Site A, starting with match address to match interesting traffic
crypto map newmap 1 match address vpn1
crypto map newmap 1 set peer 1.1.1.7
! Set the crypto map to use the transform set
crypto map newmap 1 set transform-set newset
crypto map newmap interface outside
crypto isakmp enable outside
! These settings will come from your Site A configuration, match that.
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400

! Static will configure your policy static NAT from your access list (local server to remote VPN subnet) through the NAT address on the outside interface
static (inside,outside) 10.2.2.2 access-list static-vpn1

! And now for the tunnel-group configuration
tunnel-group 1.1.1.7 type ipsec-l2l
tunnel-group 1.1.1.7 ipsec-attributes
pre-shared-key [Match Pre-shared Key]

If everything went well, you now have a functioning tunnel to Site A. Test it by pinging. I am going to write an article on advanced VPN troubleshooting one of these days, because Cisco is quite cryptic and difficult to troubleshoot if the VPN doesn’t come up. For now I’ll assume all went well.

Now it is time to program the second VPN. This VPN will be much the same as the last, but instead of giving only one local machine access, we want the whole subnet to access resources across the VPN. However, we do not want the other side of the VPN talking back to our local machines. This is made possible by a Global NAT or Dynamic NAT policy. It is much the same as the policy on a generic home wireless router: it provides NAT to the internet, but it is difficult for traffic to come back into your network unless you explicitly allow it. The IPs for the local network stay the same, but the remote and NAT addresses are different. The remote side of the VPN has a local subnet of 172.16.4.0/24. The remote side has provided you a NAT address of 10.10.10.4. Their peer address is 2.2.2.4.

There are a few caveats that will save you a lot of trouble I found out the hard way. The first deals with crypto maps. You cannot define a new crypto map name for a new VPN; you must use the same map name as before, but you must change the priority (the number next to the map name). The second is creating a NAT rule to stop VPN-bound traffic from going out to the internet across the ASA. When doing this, if you already have existing NAT rules (besides the 0.0.0.0 default rule), then you must use that ACL to define it. Only one NAT rule ACL will work; all others are dropped. If you need clarification on this, type show run | in nat, and if you see more than 2 lines of NAT listed and you are not sure what you are doing, then you are doing it wrong. Remove one of the NAT lines and combine the access-lists. The rules are very similar to the previous ones; I’ll give the play-by-play again:

! Access list for our interesting traffic. This is traffic that goes from the NAT to the other side of the VPN.
access-list new-vpn extended permit ip host 10.10.10.4 172.16.4.0 255.255.255.0

! Access List to allow traffic from the local subnet to the remote subnet
access-list new-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.4.0 255.255.255.0

! Setup access-list to stop traffic from going over the primary NAT to the internet
access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.4.0 255.255.255.0

! Setup the encryption transform-set
crypto ipsec transform-set another-set esp-3des esp-sha-hmac

! Crypto map entry for the second remote site. Keep the same map name (newmap) but use a new sequence number; re-using 1 would overwrite the Site A entry
crypto map newmap 2 match address new-vpn
crypto map newmap 2 set peer 2.2.2.4
! Set the crypto map entry to use the transform set
crypto map newmap 2 set transform-set another-set
! These settings will come from your next remote sites configuration, match that.
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

! Global will set up the interface to do a Dynamic NAT (PAT) of all matching local traffic to the NAT address the remote side gave you. It must be the same host address used in the new-vpn crypto ACL, or the traffic will never match the tunnel
global (outside) 2 10.10.10.4 netmask 255.255.255.255

! Policy NAT rule so traffic destined for the VPN is not translated by the primary internet NAT. This makes sure it goes over the VPN
nat (inside) 2 access-list inside_nat_outbound

! And now for the tunnel-group configuration
tunnel-group 2.2.2.4 type ipsec-l2l
tunnel-group 2.2.2.4 ipsec-attributes
pre-shared-key [Match Pre-shared Key]
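The reason both tunnels work is the order of operations on a pre-8.3 ASA: the packet is translated first, and only the post-NAT source address is checked against the crypto map ACLs. That is why the interesting-traffic ACLs above match the NAT addresses (10.2.2.2 and 10.10.10.4) rather than the 192.168.1.0/24 addresses. The following Python model, an added example that is not part of the original post, replays that logic for the two configurations above: it applies the static and dynamic NAT rules in the order the ASA evaluates them (policy static NAT before policy dynamic NAT is an assumption of the model; the default internet NAT is not modelled), then finds the crypto map entry the translated flow would hit. It also checks for the two mistakes the post warns about: re-using a crypto map sequence number, and two crypto ACLs that overlap so the lower sequence shadows the higher one.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' access-list entry."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


# Access lists exactly as configured on the page.
ACLS = {
    "vpn1": [Ace(ip_network("10.2.2.2/32"), ip_network("192.168.7.0/24"))],
    "static-vpn1": [Ace(ip_network("192.168.1.2/32"), ip_network("192.168.7.0/24"))],
    "new-vpn": [Ace(ip_network("10.10.10.4/32"), ip_network("172.16.4.0/24"))],
    "inside_nat_outbound": [Ace(ip_network("192.168.1.0/24"), ip_network("172.16.4.0/24"))],
}

# NAT rules in the order this model assumes a pre-8.3 ASA evaluates them:
# policy static NAT first, then policy dynamic NAT (nat/global pairs).
# The default "nat (inside) 1" internet rule is deliberately left out.
NAT_RULES = [
    ("static", "static-vpn1", ip_address("10.2.2.2")),            # static (inside,outside) 10.2.2.2 access-list static-vpn1
    ("dynamic", "inside_nat_outbound", ip_address("10.10.10.4")),  # nat (inside) 2 ... / global (outside) 2 10.10.10.4
]

# Crypto map entries as (sequence, match-address ACL, peer). Lowest sequence wins.
CRYPTO_MAP = [
    (1, "vpn1", "1.1.1.7"),
    (2, "new-vpn", "2.2.2.4"),
]


def translate(src: IPv4Address, dst: IPv4Address):
    """Return (translated source, rule kind) for the first NAT rule whose ACL matches."""
    for kind, acl, mapped in NAT_RULES:
        if any(ace.matches(src, dst) for ace in ACLS[acl]):
            return mapped, kind
    return src, "none"


def classify(src: str, dst: str, crypto_map=CRYPTO_MAP) -> dict:
    """NAT the packet, then find the crypto map entry whose ACL matches the post-NAT addresses."""
    s, d = ip_address(src), ip_address(dst)
    nat_src, kind = translate(s, d)
    for seq, acl, peer in sorted(crypto_map):
        if any(ace.matches(nat_src, d) for ace in ACLS[acl]):
            return {"nat_src": str(nat_src), "nat_kind": kind, "crypto_seq": seq, "peer": peer}
    return {"nat_src": str(nat_src), "nat_kind": kind, "crypto_seq": None, "peer": None}


def duplicate_sequences(crypto_map=CRYPTO_MAP) -> list:
    """Sequence numbers used by more than one entry; on the ASA the later 'set peer' overwrites the earlier."""
    seqs = [seq for seq, _, _ in crypto_map]
    return sorted({seq for seq in seqs if seqs.count(seq) > 1})


def overlapping_entries(crypto_map=CRYPTO_MAP) -> list:
    """Pairs (seq_a, seq_b) whose crypto ACLs overlap; the lower sequence shadows the higher one."""
    pairs = []
    entries = sorted(crypto_map)
    for i, (seq_a, acl_a, _) in enumerate(entries):
        for seq_b, acl_b, _ in entries[i + 1:]:
            if any(a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
                   for a in ACLS[acl_a] for b in ACLS[acl_b]):
                pairs.append((seq_a, seq_b))
    return pairs


if __name__ == "__main__":
    # Constructed sample flows, one per case the post describes.
    for flow in [("192.168.1.2", "192.168.7.10"),   # server to Site A: static NAT, tunnel 1
                 ("192.168.1.50", "192.168.7.10"),  # other host to Site A: no NAT, no tunnel
                 ("192.168.1.50", "172.16.4.10"),   # any host to second site: dynamic NAT, tunnel 2
                 ("192.168.1.50", "8.8.8.8")]:      # internet-bound: default NAT, no tunnel
        print(flow, "->", classify(*flow))
    print("duplicate sequences:", duplicate_sequences())
    print("overlapping crypto ACLs:", overlapping_entries())
    # The mistake the post warns about: re-using sequence 1 for the second peer.
    print("seq collision:", duplicate_sequences([(1, "vpn1", "1.1.1.7"), (1, "new-vpn", "2.2.2.4")]))
```

The second sample flow is the useful one: a host other than the server never gets translated to 10.2.2.2, so it never matches the vpn1 ACL and never enters the Site A tunnel, which is exactly the one-host restriction the static NAT was meant to enforce. If you change the global address to anything other than the host in the new-vpn ACL, the third flow stops matching sequence 2, which is the symptom of a NAT address and crypto ACL that disagree.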

Now if everything has gone well, you have two functioning L2L tunnels to two separate networks. If things didn’t go well, then you’ll have to wait for my troubleshooting guide, which will be coming shortly. Or you could leave me a message in the comments and I’ll get back to you.

I hope you have enjoyed my guide to setting up multiple L2L VPNs and have found it useful. Good LUCK!

Cheers,

Mike