ASA Twice NAT over IPSec Tunnel IKEv2

As my first ever blog post I decided to write up the last problem I solved in class. I had been talking about twice NAT forever and had never created an example that my students could use to build on their knowledge and problem solving. So here it is.

I used the UNetLab emulation software to create this lab, which is composed of two ASA 5520s running the 8.4(2) image, one Cisco router to simulate the INTERNET and two Windows hosts to simulate the clients.

The INTERNET router's third interface is bridged to the physical interface of the UNetLab server, which provides real access to the Internet.

Router configuration:

hostname INTERNET
!
interface Ethernet0/0
 description Connects to ASA-1
 ip address 172.16.0.2 255.255.255.252
 ip nat inside
 no shutdown
!
interface Ethernet0/1
 description Connects to ASA-2
 ip address 172.16.1.2 255.255.255.252
 ip nat inside
 no shutdown
!
interface Ethernet0/2
 description Connects to Physical Interface (Internet)
 ip address dhcp
 ip nat outside
 no shutdown
!
ip nat inside source list NAT interface Ethernet0/2 overload
!
ip access-list standard NAT
 permit 172.16.0.0 0.0.255.255

Initial configuration on both ASAs:

hostname ASA-1
!
! INTERFACE CONFIGURATION
interface Ethernet0
 description LAN CONNECTION
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0 
 no shutdown
!
interface Ethernet1
 description INTERNET CONNECTION
 nameif outside
 security-level 0
 ip address 172.16.0.1 255.255.255.252 
! ON THE ASA-2 change the previous line with the next one:
! ip address 172.16.1.1 255.255.255.252
 no shutdown
!
! CREATE AN OBJECT TO IDENTIFY THE INSIDE NETWORK
object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
!
! CONFIGURE PAT FROM THE INSIDE NETWORK TO THE OUTSIDE INTERFACE
object network inside-subnet
 nat (inside,outside) dynamic interface
!
! CONFIGURE A DEFAULT ROUTE
route outside 0.0.0.0 0.0.0.0 172.16.0.2 1
! ON THE ASA-2 change the previous line with the next one:
! route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
!
! CONFIGURE THE DHCP SERVER TO THE INSIDE NETWORK
dhcpd dns 8.8.8.8
dhcpd domain local.com
!
dhcpd address 192.168.0.10-192.168.0.100 inside
dhcpd enable inside
!
! ADD ICMP TO THE GLOBAL INSPECTION POLICY (SO ECHO REPLIES ARE ALLOWED BACK IN)
policy-map global_policy
 class inspection_default
  inspect icmp

At this point the hosts should have received their IP configuration from the ASA DHCP server and should be able to reach the Internet.

(screenshot: asa_twice_nat_ipconfig)

(screenshot: asa_twice_nat_ping)

The next step toward the proposed design is to configure the IPSec tunnel between the ASAs using IKEv2. For that we need the following components:

  • IKE Policy: (The same in ASA-1 and ASA-2)
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400

crypto ikev2 enable outside

We could configure more policies using different combinations of encryption, hashing and Diffie-Hellman algorithms, but for simplicity only one is needed. Note that this lab policy uses SHA-1 and DH group 5, which are considered weak today; on a production tunnel prefer SHA-256 or stronger integrity/PRF and DH group 14 or higher where the software image supports them.

  • Tunnel Authentication: (Pre-shared-key authentication using the same key on both sites; "bsnetworking" is a lab key, use a long random secret in production)
!ASA-1
!172.16.1.1 is the ASA-2 outside interface address
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key bsnetworking
 ikev2 local-authentication pre-shared-key bsnetworking
!ASA-2
!172.16.0.1 is the ASA-1 outside interface address
tunnel-group 172.16.0.1 type ipsec-l2l
tunnel-group 172.16.0.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key bsnetworking
 ikev2 local-authentication pre-shared-key bsnetworking
  • IPSec Proposal: (The same in ASA-1 and ASA-2)
crypto ipsec ikev2 ipsec-proposal TSET
 protocol esp encryption aes-256 aes
 protocol esp integrity sha-1
  • Crypto ACL to identify traffic destined to the tunnel. Note that it matches the translated (mapped) 10.x networks, not the real 192.168.0.0/24, because NAT is applied before the crypto map check (see the packet-tracer phases below):
! ASA-1
access-list VPN extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
! ASA-2
access-list VPN extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
  • Crypto Map combining all previous information into the outside interface:
! ASA-1
crypto map CMAP 10 match address VPN
crypto map CMAP 10 set pfs group5
crypto map CMAP 10 set peer 172.16.1.1 
crypto map CMAP 10 set ikev2 ipsec-proposal TSET
crypto map CMAP interface outside
!ASA-2
crypto map CMAP 10 match address VPN
crypto map CMAP 10 set pfs group5
crypto map CMAP 10 set peer 172.16.0.1 
crypto map CMAP 10 set ikev2 ipsec-proposal TSET
crypto map CMAP interface outside
  • To make the NAT rules easier to read we create some network objects to be used later on: (On both ASAs)
! Inside network on both ASAs
object network 192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0

! Natted Local Lan on ASA-1
object network 10.0.0.0_24
 subnet 10.0.0.0 255.255.255.0

! Natted Local Lan on ASA-2
object network 10.0.1.0_24
 subnet 10.0.1.0 255.255.255.0
  • Finally the NAT rules:
! ASA-1
nat (inside,outside) source static 192.168.0.0_24 10.0.0.0_24 destination static 10.0.1.0_24 10.0.1.0_24
!ASA-2
nat (inside,outside) source static 192.168.0.0_24 10.0.1.0_24 destination static 10.0.0.0_24 10.0.0.0_24

Traffic going from Win4 to Win5 leaves Win4 with source address 192.168.0.10 and destination address 10.0.1.10. When it crosses ASA-1 from the inside to the outside interface the source is translated from 192.168.0.10 to 10.0.0.10, while the destination stays the same, since the rule translates the 10.0.1.0/24 network to itself. The packet is then matched by the crypto ACL (10.0.0.0/24 to 10.0.1.0/24) and encrypted. On ASA-2 the rule is applied in reverse: the destination 10.0.1.10 is untranslated to 192.168.0.10 and delivered to Win5, and the reply follows the same path back. Because these manual NAT rules sit in NAT section 1, they are evaluated before the object NAT PAT rule from the initial configuration, so VPN traffic is never PATed to the outside interface address.
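To make the translation concrete, here is a small Python model of the two twice-NAT rules and the two crypto ACLs above. It is an added illustration for this post, not Cisco code and not an ASA emulator: it encodes the rules exactly as configured, then walks a packet from Win4 (192.168.0.10 behind ASA-1) to Win5 (also 192.168.0.10 behind ASA-2, reached as 10.0.1.10) through both firewalls and back. The host addresses are taken from the ping/packet-tracer example; the function and variable names are mine.

```python
"""Twice NAT over the IKEv2 tunnel, modelled in Python.

Added illustration, not Cisco code: the NAT rules and crypto ACLs are the
post's own; host addresses 192.168.0.10 / 10.0.1.10 are assumed from the
post's ping and packet-tracer example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class TwiceNatRule:
    """nat (inside,outside) source static real_src mapped_src
                            destination static real_dst mapped_dst"""
    real_src: IPv4Network
    mapped_src: IPv4Network
    real_dst: IPv4Network
    mapped_dst: IPv4Network


def _shift(addr: IPv4Address, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
    """Static net-to-net translation: same host offset, different prefix."""
    return IPv4Address(int(dst_net.network_address) + (int(addr) - int(src_net.network_address)))


def outbound(rule: TwiceNatRule, src: IPv4Address, dst: IPv4Address):
    """inside -> outside: real addresses become mapped ones (packet-tracer NAT phase)."""
    if src in rule.real_src and dst in rule.real_dst:
        return _shift(src, rule.real_src, rule.mapped_src), _shift(dst, rule.real_dst, rule.mapped_dst)
    return None  # no match: the traffic would fall through to the dynamic PAT rule


def inbound(rule: TwiceNatRule, src: IPv4Address, dst: IPv4Address):
    """outside -> inside: the same rule read right-to-left (untranslate)."""
    if src in rule.mapped_dst and dst in rule.mapped_src:
        return _shift(src, rule.mapped_dst, rule.real_dst), _shift(dst, rule.mapped_src, rule.real_src)
    return None


def matches_acl(acl, src: IPv4Address, dst: IPv4Address) -> bool:
    """A crypto ACL is a list of (source net, destination net) permit entries."""
    return any(src in s and dst in d for s, d in acl)


def is_mirror(acl_a, acl_b) -> bool:
    """The peers' crypto ACLs must be exact mirror images or the IPsec SA will not agree on selectors."""
    return {(s, d) for s, d in acl_a} == {(d, s) for s, d in acl_b}


# --- The post's configuration, as data -----------------------------------------
N = ip_network
ASA1_NAT = TwiceNatRule(N("192.168.0.0/24"), N("10.0.0.0/24"), N("10.0.1.0/24"), N("10.0.1.0/24"))
ASA2_NAT = TwiceNatRule(N("192.168.0.0/24"), N("10.0.1.0/24"), N("10.0.0.0/24"), N("10.0.0.0/24"))
ASA1_VPN_ACL = [(N("10.0.0.0/24"), N("10.0.1.0/24"))]
ASA2_VPN_ACL = [(N("10.0.1.0/24"), N("10.0.0.0/24"))]


def walk(src: str, dst: str, egress=(ASA1_NAT, ASA1_VPN_ACL), ingress=(ASA2_NAT, ASA2_VPN_ACL)):
    """Follow one packet from a host behind `egress` to a host behind `ingress`.

    Returns the (src, dst) pair at each stage; raises ValueError at the point
    where the real ASA would not tunnel the packet.
    """
    src, dst = ip_address(src), ip_address(dst)
    nat_rule, crypto_acl = egress
    on_wire = outbound(nat_rule, src, dst)
    if on_wire is None:
        raise ValueError("egress ASA: no twice-NAT match, packet would be PATed to the Internet")
    # NAT runs before the VPN encrypt check, so the crypto ACL sees the mapped addresses.
    if not matches_acl(crypto_acl, *on_wire):
        raise ValueError("egress ASA: post-NAT packet not selected by the crypto ACL")
    peer_rule, peer_acl = ingress
    if not is_mirror(crypto_acl, peer_acl):
        raise ValueError("crypto ACLs are not mirror images; the SA would not be negotiated")
    delivered = inbound(peer_rule, *on_wire)
    if delivered is None:
        raise ValueError("ingress ASA: decrypted packet has no untranslate match")
    # on_wire is the inner IP header protected by ESP; the outer header is 172.16.0.1 <-> 172.16.1.1
    return {"sent": (src, dst), "inside_esp": on_wire, "delivered": delivered}


def would_tunnel(src: str, dst: str, **kw) -> bool:
    """True if the packet would be sent through the tunnel rather than PATed or dropped."""
    try:
        walk(src, dst, **kw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("Win4 -> Win5:", walk("192.168.0.10", "10.0.1.10"))
    print("Win5 -> Win4:", walk("192.168.0.10", "10.0.0.10",
                                egress=(ASA2_NAT, ASA2_VPN_ACL), ingress=(ASA1_NAT, ASA1_VPN_ACL)))
    print("Win4 -> 8.8.8.8 tunnelled?", would_tunnel("192.168.0.10", "8.8.8.8"))
```

Running it shows the inner header leaving ASA-1 as 10.0.0.10 to 10.0.1.10 and arriving at Win5 as 10.0.0.10 to 192.168.0.10, which is what lets two sites with the same 192.168.0.0/24 LAN talk to each other. A packet to 8.8.8.8 misses the twice-NAT rule and is reported as not tunnelled, matching the PAT behaviour from the initial configuration; swapping one crypto ACL so it is no longer a mirror makes `walk` raise at the selector check, which is the classic misconfiguration behind a Phase 2 failure.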

So let’s test it:

(screenshot: asa_twice_nat_ping_vpn)

ASA-1(config)# packet-tracer input inside tcp 192.168.0.10 www 10.0.1.10 www

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,outside) source static 192.168.0.0_24 10.0.0.0_24 destination static 10.0.1.0_24 10.0.1.0_24
Additional Information:
Static translate 192.168.0.10/80 to 10.0.0.10/80

Phase: 4      
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype: 
Result: ALLOW 
Config:
Additional Information:
New flow created with id 534, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

I couldn’t end my first post without thanking Andrea Dainese and all the team behind UNetLab. You guys rock and you have made our lives much easier.

For the rest of you, stay good and see you on the next post.

Check this post to understand the packet flow process through the ASA.
