This topic is to discuss the following lesson:
What device did you use for the cloud? The one that I saw in GNS3 has 3 interfaces, not 3. This lab requires 3 interfaces for the cloud device.
Because the two ASAs and the S3 server are on the same subnet in the topology, you can simply use a switch to represent the cloud. The prerequisite is that connectivity is achievable between those devices.
I hope this has been helpful!
Hi Rene and staff,
I labbed this lesson in GNS3 like this:
S1, S2, S3 are built with the GNS3 appliance Networkers’s toolkit.
Guest-webterm is a Linux GUI client with Firefox, built with the GNS3 appliance Webterm.
My lab works fine, but I want to add these comments and questions:
I prefer to name the internal subnet object “INTERNAL” rather than “INSIDE”, so as not to confuse a network object with the name (if) of the internal interface.
So the nat configuration becomes
- nat (inside,outside) source static INTERNAL INTERNAL destination static LAN2 LAN2
- nat (inside,outside) source static INTERNAL INTERNAL destination static LAN1 LAN1
Could you clarify this command step by step, because I am confused by the repetition of the network objects?
Also, I am confused by the placement of the NAT commands: why are some NAT commands inside network objects, and others in the general config?
- IOS and ASA are quite different when configuring site-to-site VPN (I used to configure site-to-site VPN with IOS).
Where you used “authentication pre-share” with IOS in phase 1, you have to use tunnel-group with ASA, isn’t it?
Cisco’s help says you have to use a WORD… but this is not working when you use a word that is not the IP address of the neighbor. The configuration is accepted, but it is not working. Do you know why? So it is not working, but… suppose you use a WORD: in this case, should it be referenced in another place? Where?
For your NAT, you’re saying this.
NAT the following:
NAT (INTERNAL IP) and change it to (INTERNAL IP): in this case, do not change it!
NAT (LAN2) and change it to (LAN2): in this case, do not change it!
NAT on the ASA is broken down like this every time.
Original Source IP:
Translated Source IP:
Translated Destination IP:
If both source/destination stay the same, we are exempting them from all NAT statements, especially our PAT statement for internet traffic so they match our crypto ACL for a tunnel. This is called a NAT exemption for this reason.
You need to configure some variables within a tunnel group, depending on its type. So you create it like you did with the tunnel-group NAME command, but you also need to specify values.
As an example, for an IPSec Remote Access tunnel group:
tunnel-group "tunnel_group_name" type ipsec-ra
For an IPSec RA tunnel, for example, you need to configure some attributes:
tunnel-group "tunnel_group_name" general-attributes
In here you configure things like authentication servers, default group policy to reference.
For a L2L Tunnel group it might look something like this:
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
 no accounting-server-group
 default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
 no pre-shared-key
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 10 retry 2
What’s happening here is something called “twice NAT” and is used to identify both the source and destination address in a single rule. As stated in this Cisco documentation:
Specifying both the source and destination addresses lets you specify that a source address should be translated to A when going to destination X, but be translated to B when going to destination Y, for example.
And actually, when you use the same object for both real and mapped addresses, you are doing a very special type of twice NAT called Identity NAT. This is where the real and mapped objects are the same. Identity NAT simply says “translate to the same address” or simply “don’t translate”.
You can find out more about Identity NAT at the following Cisco link:
You can also find out more at this post:
This has to do with the way in which NAT is applied. When the NAT statement is within the object, this kind of configuration is called network object NAT. It’s a quick and easy way to configure NAT for a single IP address or a range of addresses, or a subnet. The NAT command within the object is applied to the similarly configured subnet within the object. You can find out more about it here:
Looking at the lesson I do see a typo where the NAT statement was outside the object, so I’ll let Rene know to fix that…
This command will specify a tunnel-group, but you must create and configure the tunnel-group for it to function. This can be done using several command modes including:
tunnel-group general-attributes
tunnel-group ipsec-attributes
tunnel-group webvpn-attributes
tunnel-group ppp-attributes
One or more of the above should be used to enter the configuration mode of the particular attributes for this tunnel group. More about this can be found at this Cisco ASA command reference:
You can find out more details on how to configure these and what all of their parameters are at the following Cisco documentation:
Note that the entities called “tunnel-groups” are now called VPN connection profiles, however, the syntax seems to be the same.
I hope this has been helpful!
I’ve tried this same config, but the exemption only works on my topology when the NAT exemption statement is above the NAT statement for the internet connection.
Basically, this order of three statements works for me:
1st for DMZ to OUTSIDE statement (DMZ to INTERNET)
2nd for INSIDE to OUTSIDE exemption statement
3rd for INSIDE to OUTSIDE dynamic statement (INTERNAL TO INTERNET)
But when I swapped the 2nd and 3rd, the traffic coming from behind the ASA went through the 2nd statement, not the 3rd, which is the exemption.
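The ordering effect described in the post above, and the identity NAT explanation earlier in the thread, both come down to the same mechanism: manual (twice) NAT rules are walked top to bottom and the first match wins, so a dynamic PAT rule placed above the exemption rewrites the VPN source address before the crypto ACL ever sees it. The following Python model is an added example, not code from the lesson or from any poster; the subnets, rule names and the outside interface address are constructed assumptions.

```python
"""Model of first-match evaluation for ASA manual (twice) NAT rules.

Constructed example: all addresses, object names and the outside interface IP
are assumptions, not values taken from the lesson or the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class TwiceNatRule:
    """One 'nat (inside,outside) source ... destination ...' line."""
    name: str
    real_src: IPv4Network
    real_dst: IPv4Network
    mapped_src: Optional[IPv4Network]  # None = dynamic PAT to the interface address
    mapped_dst: IPv4Network

    @property
    def is_identity(self) -> bool:
        # Identity NAT: real and mapped objects are the same, i.e. "do not translate".
        return self.mapped_src == self.real_src and self.mapped_dst == self.real_dst

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.real_src and dst in self.real_dst


def translate(rules: List[TwiceNatRule], src: IPv4Address, dst: IPv4Address,
              outside_ip: IPv4Address) -> Tuple[str, IPv4Address, IPv4Address]:
    """Walk the rules in order; the first match decides the translation."""
    for rule in rules:
        if rule.matches(src, dst):
            if rule.mapped_src is None:
                new_src = outside_ip  # PAT hides every host behind the interface IP
            else:
                # Static net-to-net: keep the host offset inside the mapped object
                # (for identity NAT this yields the original address unchanged).
                new_src = rule.mapped_src[int(src) - int(rule.real_src.network_address)]
            new_dst = rule.mapped_dst[int(dst) - int(rule.real_dst.network_address)]
            return rule.name, new_src, new_dst
    return "no-nat", src, dst  # nothing matched: packet leaves untranslated


# Constructed topology values (assumptions).
INTERNAL = ip_network("192.168.1.0/24")   # local LAN behind this ASA
LAN2 = ip_network("192.168.2.0/24")       # LAN behind the remote ASA
DMZ = ip_network("192.168.100.0/24")
OUTSIDE_IP = ip_address("203.0.113.1")

# nat (inside,outside) source static INTERNAL INTERNAL destination static LAN2 LAN2
EXEMPT = TwiceNatRule("exempt INTERNAL->LAN2", INTERNAL, LAN2, INTERNAL, LAN2)
# nat (inside,outside) source dynamic INTERNAL interface
PAT_INSIDE = TwiceNatRule("PAT INTERNAL->internet", INTERNAL, ANY, None, ANY)
# nat (dmz,outside) source dynamic DMZ interface
PAT_DMZ = TwiceNatRule("PAT DMZ->internet", DMZ, ANY, None, ANY)

WORKING_ORDER = [PAT_DMZ, EXEMPT, PAT_INSIDE]   # exemption above the inside PAT
BROKEN_ORDER = [PAT_DMZ, PAT_INSIDE, EXEMPT]    # inside PAT shadows the exemption


def crypto_acl_matches(src: IPv4Address, dst: IPv4Address) -> bool:
    """Crypto ACL for the tunnel: permit ip INTERNAL LAN2 (checked after NAT)."""
    return src in INTERNAL and dst in LAN2


def vpn_flow_survives(rules: List[TwiceNatRule]) -> bool:
    """Does an INTERNAL->LAN2 packet still match the crypto ACL after NAT?"""
    src, dst = ip_address("192.168.1.10"), ip_address("192.168.2.20")
    _, new_src, new_dst = translate(rules, src, dst, OUTSIDE_IP)
    return crypto_acl_matches(new_src, new_dst)


if __name__ == "__main__":
    for label, rules in (("working", WORKING_ORDER), ("broken", BROKEN_ORDER)):
        name, s, d = translate(rules, ip_address("192.168.1.10"),
                               ip_address("192.168.2.20"), OUTSIDE_IP)
        print(f"{label:8} matched '{name}': {s} -> {d}, "
              f"encrypted={vpn_flow_survives(rules)}")
```

Note that the DMZ PAT rule can sit first in both orders without harm: it never matches an INTERNAL source, so ordering only matters between rules whose real source and destination overlap, which is exactly the exemption and the inside PAT rule.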
So I’m curious how to make this configuration “dual-stack”, that is, I want to include my IPv6 stack through the same tunnel that was established on the IPv4 network (or do I need to create a separate IPv6 tunnel for the independent traffic?)
It was somewhat difficult to find information about the creation of an IPSec site-to-site dual-stack VPN between ASAs. Apparently, you can find some information about it here.
Specifically, in the ACL that defines what traffic to encrypt, you can add IPv4 and IPv6.
I hope this has been helpful!
Looked at what he did and it’s along the lines of something I was trying, but the “work around” was to use IKEv1 for IPv4 and IKEv2 for IPv6 so that the two tunnel protocols wouldn’t run into one another. The issue, however, is that now you’re doing two different setups, when I wanted to eliminate IKEv1 from my overall system.
It’s weird that for over a decade everyone in the ISP business has been trying to be “dual-stacked”, yet there is so little support (or documentation) for actually doing dual-stack. Lots of examples of IPv4 or IPv6, but never with both at the same time.
Indeed, it is frustrating that no such precedent has been set. Unfortunately, there is little documentation about this, and I haven’t been able to find others who have successfully created a single dual-stack IKEv2 VPN. It may be worth doing some further experimentation or raising it as an issue on the Cisco Community or Cisco Learning Network forums.
I wish we could have been more helpful!