NAT translation for a site-to-site VPN on the ASA

Source: Internet
Author: User

When you run a site-to-site VPN with an external company, it can happen that the address range your company originally used to reach the peer is forced to change because of an internal network change, while the other company is hard to negotiate with, and it is not acceptable for the VPN to simply stop working. Earlier ASA versions had no way to handle this; the only option was to put a router inside the ASA to change the NAT source address. Version 8.3 brought many major changes, and NAT is one of them. NAT no longer works with "allow" or "exempt" statements; instead you directly define the original source address, the original destination address, the translated source address and the translated destination address. Even traffic that is not to be translated needs a policy stating that nothing changes, otherwise the policy format is not accepted. When several NAT policies exist, they are evaluated in order from the top down, so the NAT policy for Internet access must be the last one. To put it bluntly, Juniper firewalls have had this for a long time; the current ASA is still far behind the early NetScreen, and I will say more about that gap later. The configuration follows. Addresses are no longer typed directly into the rules; they are defined as address objects, something NetScreen had long ago.

Topology: the local VPN site uses 172.26.7.0/24, and the peer, abc Company, uses 10.24.60.0/28.

First, define the peer address:

    object network abcCorporation
     subnet 10.24.60.0 255.255.255.240

Our company and three branches reach the peer over a leased line, so the original 172.26.7.0/24 has to be split into four parts. The head office already sits inside the original range and does not change, so only three NAT address pools are defined:

    object network abcNatPool_ChengDu
     subnet 172.26.7.128 255.255.255.128
    object network abcNatPool_ShangHai
     subnet 172.26.7.64 255.255.255.192
    object network abcNatPool_HangZhou
     subnet 172.26.7.32

The head office, which needs no NAT change, is defined with its own address:

    object network Bendi_abc
     subnet 172.26.7.0

Then the real addresses of the branches, which already exist:

    object network ChengDu_abc
     subnet 10.16.192.0 255.255.255.128
    object network ShangHai_abc
     subnet 10.16.65.0 255.255.255.192
    object network HangZhou_abc
     subnet 10.16.83.0

Note that each real address range must be the same size as its NAT pool. (The masks of abcNatPool_HangZhou, Bendi_abc and HangZhou_abc are missing from the original; each pair must be the same size.)

Define a group containing all the real addresses that are permitted; it keeps the access list clean:

    object-group network abcAccess
     network-object object ShangHai_abc
     network-object object Bendi_abc
     network-object object ChengDu_abc
     network-object object HangZhou_abc

Then the local source address used for the VPN:

    object network abcToSource
     subnet 172.26.7.0 255.255.255.0

That completes the address definitions. Now the NAT part. Because of the major changes, do not read it with the old version's syntax in mind:

    nat (inside,outside) source static ChengDu_abc abcNatPool_ChengDu destination static abcCorporation abcCorporation
    nat (inside,outside) source static ShangHai_abc abcNatPool_ShangHai destination static abcCorporation abcCorporation
    nat (inside,outside) source static HangZhou_abc abcNatPool_HangZhou destination static abcCorporation abcCorporation
    nat (inside,outside) source static Bendi_abc Bendi_abc destination static abcCorporation abcCorporation
    nat (inside,outside) source dynamic NAT-Internet interface

The zones in brackets after nat are now user-friendly: inside is the inside, outside is the outside, no more guessing which way is north. "source" introduces the source address, and "static" keeps the original meaning of NAT, one-to-one, which is why each pool above must be exactly as large as the real range. Take the first line: ChengDu_abc is the real source address and abcNatPool_ChengDu is the pool it is translated to. "destination static" keeps the destination unchanged, hence abcCorporation twice: from a to a, nothing changes. The Bendi_abc line applies the same idea to the source: the local range is translated to itself. The last line is for local Internet access; NAT-Internet is a group of the addresses allowed out to the Internet and has nothing to do with this case, but it must come last.

Next, the access control on the inside interface:

    access-group inside_access_in in interface inside
    access-list inside_access_in extended permit ip object-group abcAccess object abcCorporation
    access-list inside_access_in extended deny ip any object abcCorporation

The first entry permits the previously defined abcAccess group to reach abc; the second blocks every other address from reaching abc. There is also an access list for local Internet access, not shown here.

The NAT part is complete; the VPN part follows. A very important question on a Cisco device is whether NAT or VPN is executed first. If you look at this case you know the answer: NAT first, then VPN. The translation is done first, and the translated addresses, that is, the NAT pool addresses, are what the VPN configuration uses.

    access-list outside_1_cryptomap extended permit ip object abcToSource object abcCorporation
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 69.*.*.45
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 1 set nat-t-disable
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 1
     lifetime 28800
    crypto isakmp policy 20
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 3600
    tunnel-group 69.*.*.45 type ipsec-l2l
    tunnel-group 69.*.*.45 ipsec-attributes
     pre-shared-key *****

There are many examples of building a site-to-site VPN on the ASA, so I will not explain that part. The one thing to emphasize is the match address line: its source is the entire abcToSource, 172.26.7.0/24, which is the union of all the NAT pools. That completes the configuration. The routes from the leased line to the local branches are not described here.
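To show why the rule order and the equal pool sizes matter, here is an added Python model of the ASA's top-down NAT evaluation followed by the crypto ACL check; it is not part of the original post. It assumes /27 masks for abcNatPool_HangZhou, HangZhou_abc and Bendi_abc (the post omits them) and treats NAT-Internet as covering every inside address.

```python
import ipaddress

# Model of the ASA manual NAT rules from the post (first match wins, top to bottom).
# Assumptions not on the page: /27 masks for the HangZhou pool, HangZhou_abc and
# Bendi_abc, and NAT-Internet covering every inside address.
ABC = ipaddress.ip_network("10.24.60.0/28")          # abcCorporation
ANY = ipaddress.ip_network("0.0.0.0/0")
CRYPTO_SRC = ipaddress.ip_network("172.26.7.0/24")   # abcToSource

# (real source, mapped source, destination); "interface" = dynamic PAT to the outside IP
RULES = [
    ("10.16.192.0/25", "172.26.7.128/25", ABC),   # ChengDu_abc  -> abcNatPool_ChengDu
    ("10.16.65.0/26",  "172.26.7.64/26",  ABC),   # ShangHai_abc -> abcNatPool_ShangHai
    ("10.16.83.0/27",  "172.26.7.32/27",  ABC),   # HangZhou_abc -> abcNatPool_HangZhou
    ("172.26.7.0/27",  "172.26.7.0/27",   ABC),   # Bendi_abc identity NAT (a -> a)
    ("0.0.0.0/0",      "interface",       ANY),   # NAT-Internet, must stay last
]


def translate(src, dst, rules=RULES):
    """Return the source address as seen after NAT (first matching rule wins)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for real, mapped, dest in rules:
        real_net = ipaddress.ip_network(real)
        if s not in real_net or d not in dest:
            continue
        if mapped == "interface":
            return "interface"  # PAT: the source becomes the outside interface address
        mapped_net = ipaddress.ip_network(mapped)
        # static = one-to-one, so the pool must be the same size as the real range;
        # each host keeps its offset inside the block
        assert mapped_net.prefixlen == real_net.prefixlen, "pool size mismatch"
        offset = int(s) - int(real_net.network_address)
        return str(mapped_net.network_address + offset)
    return src  # no rule matched: packet leaves untranslated


def vpn_matches(src, dst, rules=RULES):
    """NAT runs before the crypto map, so the ACL is evaluated on the translated source."""
    xlated = translate(src, dst, rules)
    if xlated == "interface":
        return False
    return ipaddress.ip_address(xlated) in CRYPTO_SRC and ipaddress.ip_address(dst) in ABC
```

Moving the NAT-Internet rule to the top makes vpn_matches() return False for branch traffic to abc, because the source is PAT'd to the outside interface before the crypto ACL ever sees it.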

This article is from the "Genius without that 1% is never done" blog; please keep this source link: http://xushen.blog.51cto.com/1673219/682479
