ASA Site to Site VPN (PATed)

If you ever needed to hide multiple systems behind a single IP address you would use PAT. (Port Address Translation) besides using this to connect to the internet when using an RFC 1918 address, you can configure PAT for VPN connections. The benefit is the same, hide multiple systems behind a single IP address with the advantage being you can have many systems on one side of the VPN tunnel all using that single IP.

In this example, we have a site to site VPN connection one side using a PATed public IP address. We originally have two systems that will be sending data over to Contoso  who is the remote peer in this example. We are planning on adding additional systems in the future which is why Acme Corp is using a PATed address outbound. Contoso is expected to send data back to Acme Corp which will also be reflected in this example. Also note that the "public" IP addresses listed in this example are from RFC 5737 and are not publicly available. We have a need to setup a VPN to a partner and have agreed using a public IP address over the VPN connection. We are going to have multiple systems on the local side sending information over to this partner and because of that we're going to be using a single public PATed address instead of assigning multiple static NATed IPs to each system. The table below goes over the agreed settings and what networks are protected.

Acme Corp Contoso Ltd.
Peer IP Address: 192.0.2.10 Peer IP Address: 203.0.113.10
Phase 1: AES 256 SHA (Group 2) Phase 1: AES 256 SHA (Group 2)
Phase 2: AES 128 SHA Phase 2: AES 128 SHA
PFS: No PFS: No
Protected Networks: 192.0.2.100/32 - PATed IP Address. 192.0.2.50/32 - IP Address Contoso will use when sending data to Acme. Protected Networks: 203.0.113.30/32 - IP Address Acme will use when sending data to Contoso 203.0.113.50/32 - Contoso's source address when sending data back to Acme.
Preshared Key: cisco Preshared Key: cisco

Here is the topology for reference:

Site To Site VPN Example

Let's start building the tunnel for Acme by creating some object groups:

 1object network ACCORP-DMZ-SERVER-1
 2 host 10.254.254.10
 3object network Public-IP-192.0.2.100
 4 host 192.0.2.100
 5object network VPN-CONTOSO-CLIENT-1
 6 host 203.0.113.30
 7object network ACCORP-DMZ-SERVER-2
 8 host 10.254.254.20
 9object network ACCORP-DMZ-LB-1
10 host 10.254.254.30
11object network Public-IP-192.0.2.50
12 host 192.0.2.50
13object network VPN-CONTOSO-CLIENT-2
14 host 203.0.113.50
15object-group network ACCORP-DMZ-SERVERS
16 network-object object ACCORP-DMZ-SERVER-2
17 network-object object ACCORP-DMZ-SERVER-1
18object-group network VPN-REMOTE-ACCORP-CONTOSO
19 network-object object VPN-CONTOSO-CLIENT-1
20 network-object object VPN-CONTOSO-CLIENT-2
21object-group network VPN-LOCAL-ACCORP-CONTOSO
22 network-object object Public-IP-192.0.2.100
23 network-object object Public-IP-192.0.2.50

Create an access control list to match the traffic we want protected, these IP addresses would be the NAT address, so we referencing the object-groups.

1access-list ACL-VPN-ACCORP-CONTOSO extended permit ip object-group VPN-LOCAL-ACCORP-CONTOSO

We have to create some NAT rules for Acme. On line one I'm creating a single PAT entry to hide the multiple DMZ servers under one IP address when traffic is going to Contoso. Line two is static entry for traffic inbound from Contoso.

1nat (DMZ,Outside) source dynamic ACCORP-DMZ-SERVERS Public-IP-192.0.2.100 destination static VPN-CONTOSO-CLIENT-1 VPN-CONTOSO-CLIENT-1
2nat (Outside,DMZ) source static VPN-CONTOSO-CLIENT-2 VPN-CONTOSO-CLIENT-2 destination static Public-IP-192.0.2.50 ACCORP-DMZ-LB-1 no-proxy-arp

Create a VPN Group Policy for Acme and Contoso VPN connection:

1group-policy GP-VPN-ACCORP-CONTOSO internal group-policy GP-VPN-ACCORP-CONTOSO attributes vpn-tunnel-protocol ikev1

Create the tunnel group:

1tunnel-group 203.0.113.10 type ipsec-l2l tunnel-group 203.0.113.10 general-attributes default-group-policy GP-VPN-ACCORP-CONTOSO
2tunnel-group 203.0.113.10 ipsec-attributes ikev1 pre-shared-key cisco isakmp keepalive disable

Build the cryptomap:

1crypto map CM-ACCORP-CONTOSO 1 match address ACL-VPN-ACCORP-CONTOSO
2crypto map CM-ACCORP-CONTOSO 1 set peer 203.0.113.10
3crypto map CM-ACCORP-CONTOSO 1 set ikev1 transform-set ESP-AES-128-SHA
4crypto map CM-ACCORP-CONTOSO 1 set nat-t-disable
5crypto map CM-ACCORP-CONTOSO interface Outside

That's all you need from the Acme side to turn up this tunnel, let's jump to Contoso's side and configure the tunnel on that side. Jumping on to the Contoso ASA, create some object groups.

 1object network CONTOSO-DMZ-SERVER-1
 2 host 172.31.255.10
 3object network PUBLIC-203.0.113.30
 4 host 203.0.113.30
 5object network VPN-ACME-CLIENT-1
 6 host 192.0.2.100
 7object network VPN-ACME-CLIENT-2
 8 host 192.0.2.50
 9object network PUBLIC-203.0.113.50
10 host 203.0.113.50
11object-group network VPN-LOCAL-CONTOSO-ACME
12 network-object object PUBLIC-203.0.113.30
13 network-object object PUBLIC-203.0.113.50
14object-group network VPN-REMOTE-CONTOSO-ACME
15 network-object object VPN-ACME-CLIENT-1
16 network-object object VPN-ACME-CLIENT-2

Just like on the other side we have to create an access control list to match the traffic we want protected for Contoso.

1access-list ACL-VPN-CONTOSO-ACME extended permit ip object-group VPN-LOCAL-CONTOSO-ACME object-group VPN-REMOTE-CONTOSO-ACME

Create some NAT rules, these are going to static NATs on this side.

1nat (Outside,DMZ) source static VPN-ACME-CLIENT-1 VPN-ACME-CLIENT-1 destination static PUBLIC-203.0.113.30 CONTOSO-DMZ-SERVER-1 no-proxy-arp
2nat (DMZ,Outside) source static CONTOSO-DMZ-SERVER-1 PUBLIC-203.0.113.50 destination static VPN-ACME-CLIENT-2 VPN-ACME-CLIENT-2 no-proxy-arp

Create a VPN group policy for Contoso:

1group-policy GP-VPN-ACME-CONTOSO internal group-policy GP-VPN-ACME-CONTOSO attributes vpn-tunnel-protocol ikev1

Create the tunnel group for Contoso:

1tunnel-group 192.0.2.10 type ipsec-l2l tunnel-group 192.0.2.10 general-attributes default-group-policy GP-VPN-ACME-CONTOSO
2tunnel-group 192.0.2.10 ipsec-attributes ikev1 pre-shared-key cisco isakmp keepalive disable\

Finally build the crypto map:

1crypto map CM-CONTOSO-ACME 1 match address ACL-VPN-CONTOSO-ACME
2crypto map CM-CONTOSO-ACME 1 set peer 192.0.2.10
3crypto map CM-CONTOSO-ACME 1 set ikev1 transform-set ESP-AES-128-SHA
4crypto map CM-CONTOSO-ACME 1 set nat-t-disable
5crypto map CM-CONTOSO-ACME interface Outside

We can do a some verification tests, If I jump on 10.254.254.20 which is one of the servers in Acme Corp. I'll try to do a ping test over to Contoso and see if I get any replies back.

 1cisco@ACCORP-DMZ-Server-2:~$ ping 203.0.113.30
 2PING 203.0.113.30 (203.0.113.30) 56(84) bytes of data.
 364 bytes from 203.0.113.30: icmp_seq=2 ttl=64 time=3.08 ms
 464 bytes from 203.0.113.30: icmp_seq=3 ttl=64 time=1.52 ms
 564 bytes from 203.0.113.30: icmp_seq=4 ttl=64 time=2.39 ms
 664 bytes from 203.0.113.30: icmp_seq=5 ttl=64 time=1.94 ms
 764 bytes from 203.0.113.30: icmp_seq=6 ttl=64 time=2.08 ms
 864 bytes from 203.0.113.30: icmp_seq=7 ttl=64 time=3.38 ms
 964 bytes from 203.0.113.30: icmp_seq=8 ttl=64 time=2.78 ms
1064 bytes from 203.0.113.30: icmp_seq=9 ttl=64 time=3.16 ms
1164 bytes from 203.0.113.30: icmp_seq=10 ttl=64 time=1.81 ms
12^C
13--- 203.0.113.30 ping statistics ---
1410 packets transmitted, 9 received, 10% packet loss, time 9018ms
15rtt min/avg/max/mdev = 1.525/2.465/3.389/0.627 ms
16cisco@ACCORP-DMZ-Server-2:~$

Looking at the output, I lost one ping packet but that's likely because the tunnel was not up yet when that first ping packet transmitted over. I'll jump on the Contoso system and see if I can hit the Acme load server.

 1cisco@CONTOSO-DMZ-Server-1:~$ ping 192.0.2.50
 2PING 192.0.2.50 (192.0.2.50) 56(84) bytes of data.
 364 bytes from 192.0.2.50: icmp_seq=2 ttl=64 time=1.82 ms
 464 bytes from 192.0.2.50: icmp_seq=3 ttl=64 time=1.82 ms
 564 bytes from 192.0.2.50: icmp_seq=4 ttl=64 time=1.84 ms
 664 bytes from 192.0.2.50: icmp_seq=5 ttl=64 time=1.69 ms
 764 bytes from 192.0.2.50: icmp_seq=6 ttl=64 time=1.72 ms
 864 bytes from 192.0.2.50: icmp_seq=7 ttl=64 time=1.74 ms
 964 bytes from 192.0.2.50: icmp_seq=8 ttl=64 time=2.16 ms
1064 bytes from 192.0.2.50: icmp_seq=9 ttl=64 time=3.86 ms
1164 bytes from 192.0.2.50: icmp_seq=10 ttl=64 time=1.70 ms
1264 bytes from 192.0.2.50: icmp_seq=11 ttl=64 time=2.82 ms
13^C
14--- 192.0.2.50 ping statistics ---
1511 packets transmitted, 10 received, 9% packet loss, time 10025ms
16rtt min/avg/max/mdev = 1.697/2.121/3.863/0.667 ms
17cisco@R-DMZ-Server-2:~$

It looks like I can hit the Acme load server! We can also finally check both firewalls to verify a VPN is indeed established. On Acme Firewall:

 1ASA-1# show crypto isakmp sa
 2 
 3IKEv1 SAs:
 4 
 5   Active SA: 1
 6    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
 7Total IKE SA: 1
 8 
 91   IKE Peer: 203.0.113.10
10    Type    : L2L             Role    : initiator
11    Rekey   : no              State   : MM_ACTIVE

On Contoso Firewall:

 1ASA-2# show crypto isakmp sa
 2 
 3IKEv1 SAs:
 4 
 5   Active SA: 1
 6    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
 7Total IKE SA: 1
 8 
 91   IKE Peer: 192.0.2.10
10    Type    : L2L             Role    : responder
11    Rekey   : no              State   : MM_ACTIVE

That's all I got, I hope this information is helpful. If you want to try this out I have attached the running-configs of both firewalls. If you are using Cisco VIRL here is a link on GitHub to the file I was working with, enjoy! Running-Config-Firewalls