ASA Site to Site VPN (PATed)

If you ever needed to hide multiple systems behind a single IP address you would use PAT. (Port Address Translation) besides using this to connect to the internet when using an RFC 1918 address, you can configure PAT for VPN connections. The benefit is the same, hide multiple systems behind a single IP address with the advantage being you can have many systems on one side of the VPN tunnel all using that single IP.

In this example, we have a site to site VPN connection one side using a PATed public IP address. We originally have two systems that will be sending data over to Contoso who is the remote peer in this example. We are planning on adding additional systems in the future which is why Acme Corp is using a PATed address outbound. Contoso is expected to send data back to Acme Corp which will also be reflected in this example. Also note that the "public" IP addresses listed in this example are from RFC 5737 and are not publicly available. We have a need to setup a VPN to a partner and have agreed using a public IP address over the VPN connection. We are going to have multiple systems on the local side sending information over to this partner and because of that we're going to be using a single public PATed address instead of assigning multiple static NATed IPs to each system. The table below goes over the agreed settings and what networks are protected.

Acme Corp	Contoso Ltd.
Peer IP Address: 192.0.2.10	Peer IP Address: 203.0.113.10
Phase 1: AES 256 SHA (Group 2)	Phase 1: AES 256 SHA (Group 2)
Phase 2: AES 128 SHA	Phase 2: AES 128 SHA
PFS: No	PFS: No
Protected Networks: 192.0.2.100/32 - _{^{PATed IP Address. 192.0.2.50/32 - IP Address Contoso will use when sending data to Acme.}}	Protected Networks: 203.0.113.30/32 - _{^{IP Address Acme will use when sending data to Contoso 203.0.113.50/32 - Contoso's source address when sending data back to Acme.}}
Preshared Key: cisco	Preshared Key: cisco

Here is the topology for reference: Site To Site VPN Example

Let's start building the tunnel for Acme by creating some object groups:

object network ACCORP-DMZ-SERVER-1
 host 10.254.254.10
object network Public-IP-192.0.2.100
 host 192.0.2.100
object network VPN-CONTOSO-CLIENT-1
 host 203.0.113.30
object network ACCORP-DMZ-SERVER-2
 host 10.254.254.20
object network ACCORP-DMZ-LB-1
 host 10.254.254.30
object network Public-IP-192.0.2.50
 host 192.0.2.50
object network VPN-CONTOSO-CLIENT-2
 host 203.0.113.50
object-group network ACCORP-DMZ-SERVERS
 network-object object ACCORP-DMZ-SERVER-2
 network-object object ACCORP-DMZ-SERVER-1
object-group network VPN-REMOTE-ACCORP-CONTOSO
 network-object object VPN-CONTOSO-CLIENT-1
 network-object object VPN-CONTOSO-CLIENT-2
object-group network VPN-LOCAL-ACCORP-CONTOSO
 network-object object Public-IP-192.0.2.100
 network-object object Public-IP-192.0.2.50

Create an access control list to match the traffic we want protected, these IP addresses would be the NAT address, so we referencing the object-groups.

access-list ACL-VPN-ACCORP-CONTOSO extended permit ip object-group VPN-LOCAL-ACCORP-CONTOSO

We have to create some NAT rules for Acme. On line one I'm creating a single PAT entry to hide the multiple DMZ servers under one IP address when traffic is going to Contoso. Line two is static entry for traffic inbound from Contoso.

nat (DMZ,Outside) source dynamic ACCORP-DMZ-SERVERS Public-IP-192.0.2.100 destination static VPN-CONTOSO-CLIENT-1 VPN-CONTOSO-CLIENT-1
nat (Outside,DMZ) source static VPN-CONTOSO-CLIENT-2 VPN-CONTOSO-CLIENT-2 destination static Public-IP-192.0.2.50 ACCORP-DMZ-LB-1 no-proxy-arp

Create a VPN Group Policy for Acme and Contoso VPN connection:

group-policy GP-VPN-ACCORP-CONTOSO internal group-policy GP-VPN-ACCORP-CONTOSO attributes vpn-tunnel-protocol ikev1

Create the tunnel group:

tunnel-group 203.0.113.10 type ipsec-l2l tunnel-group 203.0.113.10 general-attributes default-group-policy GP-VPN-ACCORP-CONTOSO
tunnel-group 203.0.113.10 ipsec-attributes ikev1 pre-shared-key cisco isakmp keepalive disable

Build the cryptomap:

crypto map CM-ACCORP-CONTOSO 1 match address ACL-VPN-ACCORP-CONTOSO
crypto map CM-ACCORP-CONTOSO 1 set peer 203.0.113.10
crypto map CM-ACCORP-CONTOSO 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map CM-ACCORP-CONTOSO 1 set nat-t-disable
crypto map CM-ACCORP-CONTOSO interface Outside

That's all you need from the Acme side to turn up this tunnel, let's jump to Contoso's side and configure the tunnel on that side. Jumping on to the Contoso ASA, create some object groups.

object network CONTOSO-DMZ-SERVER-1
 host 172.31.255.10
object network PUBLIC-203.0.113.30
 host 203.0.113.30
object network VPN-ACME-CLIENT-1
 host 192.0.2.100
object network VPN-ACME-CLIENT-2
 host 192.0.2.50
object network PUBLIC-203.0.113.50
 host 203.0.113.50
object-group network VPN-LOCAL-CONTOSO-ACME
 network-object object PUBLIC-203.0.113.30
 network-object object PUBLIC-203.0.113.50
object-group network VPN-REMOTE-CONTOSO-ACME
 network-object object VPN-ACME-CLIENT-1
 network-object object VPN-ACME-CLIENT-2

Just like on the other side we have to create an access control list to match the traffic we want protected for Contoso.

access-list ACL-VPN-CONTOSO-ACME extended permit ip object-group VPN-LOCAL-CONTOSO-ACME object-group VPN-REMOTE-CONTOSO-ACME

Create some NAT rules, these are going to static NATs on this side.

nat (Outside,DMZ) source static VPN-ACME-CLIENT-1 VPN-ACME-CLIENT-1 destination static PUBLIC-203.0.113.30 CONTOSO-DMZ-SERVER-1 no-proxy-arp
nat (DMZ,Outside) source static CONTOSO-DMZ-SERVER-1 PUBLIC-203.0.113.50 destination static VPN-ACME-CLIENT-2 VPN-ACME-CLIENT-2 no-proxy-arp

Create a VPN group policy for Contoso:

group-policy GP-VPN-ACME-CONTOSO internal group-policy GP-VPN-ACME-CONTOSO attributes vpn-tunnel-protocol ikev1

Create the tunnel group for Contoso:

tunnel-group 192.0.2.10 type ipsec-l2l tunnel-group 192.0.2.10 general-attributes default-group-policy GP-VPN-ACME-CONTOSO
tunnel-group 192.0.2.10 ipsec-attributes ikev1 pre-shared-key cisco isakmp keepalive disable\

Finally build the crypto map:

crypto map CM-CONTOSO-ACME 1 match address ACL-VPN-CONTOSO-ACME
crypto map CM-CONTOSO-ACME 1 set peer 192.0.2.10
crypto map CM-CONTOSO-ACME 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map CM-CONTOSO-ACME 1 set nat-t-disable
crypto map CM-CONTOSO-ACME interface Outside

We can do a some verification tests, If I jump on 10.254.254.20 which is one of the servers in Acme Corp. I'll try to do a ping test over to Contoso and see if I get any replies back.

cisco@ACCORP-DMZ-Server-2:~$ ping 203.0.113.30
PING 203.0.113.30 (203.0.113.30) 56(84) bytes of data.
64 bytes from 203.0.113.30: icmp_seq=2 ttl=64 time=3.08 ms
64 bytes from 203.0.113.30: icmp_seq=3 ttl=64 time=1.52 ms
64 bytes from 203.0.113.30: icmp_seq=4 ttl=64 time=2.39 ms
64 bytes from 203.0.113.30: icmp_seq=5 ttl=64 time=1.94 ms
64 bytes from 203.0.113.30: icmp_seq=6 ttl=64 time=2.08 ms
64 bytes from 203.0.113.30: icmp_seq=7 ttl=64 time=3.38 ms
64 bytes from 203.0.113.30: icmp_seq=8 ttl=64 time=2.78 ms
64 bytes from 203.0.113.30: icmp_seq=9 ttl=64 time=3.16 ms
64 bytes from 203.0.113.30: icmp_seq=10 ttl=64 time=1.81 ms
^C
--- 203.0.113.30 ping statistics ---
10 packets transmitted, 9 received, 10% packet loss, time 9018ms
rtt min/avg/max/mdev = 1.525/2.465/3.389/0.627 ms
cisco@ACCORP-DMZ-Server-2:~$

Looking at the output, I lost one ping packet but that's likely because the tunnel was not up yet when that first ping packet transmitted over. I'll jump on the Contoso system and see if I can hit the Acme load server.

cisco@CONTOSO-DMZ-Server-1:~$ ping 192.0.2.50
PING 192.0.2.50 (192.0.2.50) 56(84) bytes of data.
64 bytes from 192.0.2.50: icmp_seq=2 ttl=64 time=1.82 ms
64 bytes from 192.0.2.50: icmp_seq=3 ttl=64 time=1.82 ms
64 bytes from 192.0.2.50: icmp_seq=4 ttl=64 time=1.84 ms
64 bytes from 192.0.2.50: icmp_seq=5 ttl=64 time=1.69 ms
64 bytes from 192.0.2.50: icmp_seq=6 ttl=64 time=1.72 ms
64 bytes from 192.0.2.50: icmp_seq=7 ttl=64 time=1.74 ms
64 bytes from 192.0.2.50: icmp_seq=8 ttl=64 time=2.16 ms
64 bytes from 192.0.2.50: icmp_seq=9 ttl=64 time=3.86 ms
64 bytes from 192.0.2.50: icmp_seq=10 ttl=64 time=1.70 ms
64 bytes from 192.0.2.50: icmp_seq=11 ttl=64 time=2.82 ms
^C
--- 192.0.2.50 ping statistics ---
11 packets transmitted, 10 received, 9% packet loss, time 10025ms
rtt min/avg/max/mdev = 1.697/2.121/3.863/0.667 ms
cisco@R-DMZ-Server-2:~$

It looks like I can hit the Acme load server! We can also finally check both firewalls to verify a VPN is indeed established. On Acme Firewall:

ASA-1# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

On Contoso Firewall:

ASA-2# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.0.2.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

That's all I got, I hope this information is helpful. If you are using Cisco VIRL/CML here is a link on GitHub