Cisco ASA – Configuring Spoke-to-Spoke with NAT 9.1

Tags: cisco-asa, firewall

I have two L2L VPNs connected to a central ASA. I want these VPNs to communicate with each other but there are some caveats I'm having issues with.

On the first VPN (VPN1), everything is working fine. This is a more "traditional" IPsec VPN, with limited to no NAT. That is to say that everything communicates via real addresses and traffic is routed through the use of an interesting-traffic ACL. There are no problems here: HQ and VPN traffic move just fine to one another.

On the second VPN (VPN2), a newly provisioned link, I want clients on VPN2 to communicate with a server at VPN1. The challenge is that VPN2 uses IP space that overlaps with VPN1 and with the headquarters ASA that both of these VPNs connect to.

I want VPN2's traffic, all of it, to PAT to a single address. Headquarters should see this traffic as the PAT'd address and should never see the real addresses. In an ideal world, this PAT would be handled on VPN2 so that HQ doesn't need to know any details or manage any specifics. From HQ's perspective, and from VPN1's perspective, all traffic is simply sourced from an address that is in the interesting traffic ACL.

Additionally, once the PAT traffic hits HQ, another NAT needs to take place. This time, HQ needs to NAT, on a 1:1 basis, traffic going to servers in a "hidden" subnet. HQ exposes a subnet (which is in the interesting traffic ACL of VPN2's ASA, and thus encrypted via IPsec). The logical way you would do this on today's ASA code is

object network foo
 nat (outside,outside) static foo.bar.baz.bang

I can't seem to get a configuration with the following characteristics to work:

  • HQ ASA: Twice NAT with the source being the PAT address of VPN2 and the destination being the hidden and real subnets of VPN1
  • HQ ASA: Simple NAT (with only the straight exposed "hidden" subnet)

I'd like to figure out what the right configuration model is to achieve this. Ideally, my requirements would be that VPN2 only shows up to me as a PAT (and it should be handled on their end), and HQ ASA handles the NAT for traffic from VPN2 to VPN1.

So:

  • HQ talks to VPN1 normally (10.4.0.0->10.5.0.0)
  • I want clients at VPN2 to talk to servers behind VPN1 (192.168.1.1->192.168.200.1)
  • I want HQ to NAT VPN1's "real addresses" to a "hidden subnet" for VPN2 (192.168.200.0->10.5.0.0)
  • I want VPN2's clients to be seen as a single address (PAT) (10.4.0.0->192.168.1.1)
  • Ideally VPN2 would do its own PAT before the traffic ever gets to me (10.4.0.0->192.168.1.1)
  • The interesting traffic ACLs are all correct
  • All devices are running 8.4+ (some 9.x+)

                                        +----+
                                        |SRV |
                 Outside +--------+     +----+
                +-------->  FW1   +-----+
                |        +--------+ Inside
                |
                |
+----+          |                            +-------+
| HQ |  outside |                            |Client1|
+----+----------+        +--------+          +-------+
                |        |  FW2   |          |
                +--------+--------+----------->
                 Outside                     |
                                             +-------+
                                             |Client2|
                                             +-------+


Best Answer

This is a really old post, and that's a complex set of requirements. But I'll try to answer this question for anyone else who may be looking to do a similar thing.

First, a diagram:

(diagram image not available on this page)

Now, some notes:

  1. I did not actually test this in a lab, but it should work in real life.
  2. I chose not to do the VPN1<->VPN2 NAT on the HQ, although you can using nat (outside,outside) .... In order to keep the HQ config more simple, I have the spokes do their own NAT towards each other.
  3. Because of the PAT on VPN2, no traffic will be able to enter VPN2 unless it originated from there. I assume that's what you wanted. If not, just create a twice NAT (a.k.a. a manual NAT) higher up in the order to do something different, instead.

Now, the code:

!! VPN1 (real inside subnet 10.5.0.0/24; presented to VPN2 as 192.168.200.0/24)
! Crypto ACLs match post-NAT addresses, so the VPN2 entry uses the translated ranges.
access-list crypto_vpn1_acl permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list crypto_vpn1_acl permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
object network obj_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network obj_192.168.200.0_24
 subnet 192.168.200.0 255.255.255.0
object network obj_10.4.0.0_24
 subnet 10.4.0.0 255.255.255.0
object network obj_10.5.0.0_24
 subnet 10.5.0.0 255.255.255.0
! Identity NAT toward HQ; 1:1 net-to-net NAT (the "hidden" subnet) toward VPN2's PAT range.
! The mapped object in the second rule must be the one defined above (obj_192.168.200.0_24).
nat (inside,outside) source static obj_10.5.0.0_24 obj_10.5.0.0_24 dest static obj_10.4.0.0_24 obj_10.4.0.0_24
nat (inside,outside) source static obj_10.5.0.0_24 obj_192.168.200.0_24 dest static obj_192.168.1.0_24 obj_192.168.1.0_24
route outside 10.4.0.0 255.255.255.0 x.x.x.x
route outside 192.168.1.0 255.255.255.0 x.x.x.x

!! HQ (10.4.0.0/24)
! Needed so traffic decrypted on outside can be re-encrypted back out of outside (spoke-to-spoke hairpin).
same-security-traffic permit intra-interface
access-list crypto_vpn1_acl permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list crypto_vpn1_acl permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list crypto_vpn2_acl permit ip 10.4.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list crypto_vpn2_acl permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
object network obj_10.4.0.0_24
 subnet 10.4.0.0 255.255.255.0
object network obj_10.5.0.0_24
 subnet 10.5.0.0 255.255.255.0
object network obj_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
! Identity NAT for HQ's own traffic only. The VPN2->VPN1 flow enters and leaves on outside,
! so no (inside,outside) rule touches it and it is forwarded untranslated.
nat (inside,outside) source static obj_10.4.0.0_24 obj_10.4.0.0_24 dest static obj_10.5.0.0_24 obj_10.5.0.0_24
nat (inside,outside) source static obj_10.4.0.0_24 obj_10.4.0.0_24 dest static obj_192.168.1.0_24 obj_192.168.1.0_24
route outside 10.5.0.0 255.255.255.0 x.x.x.x
route outside 192.168.1.0 255.255.255.0 x.x.x.x
! The hairpinned traffic toward VPN1's hidden subnet must also be routed out of outside;
! a default route via outside already covers it, listed here for consistency with the others.
route outside 192.168.200.0 255.255.255.0 x.x.x.x

!! VPN2 (real inside subnet 10.5.0.0/24, overlapping VPN1; everything leaves as PAT 192.168.1.1)
access-list crypto_vpn2_acl permit ip 192.168.1.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list crypto_vpn2_acl permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
object network obj_10.5.0.0_24
 subnet 10.5.0.0 255.255.255.0
object network obj_pat_address
 host 192.168.1.1
object network obj_10.4.0.0_24
 subnet 10.4.0.0 255.255.255.0
object network obj_192.168.200.0_24
 subnet 192.168.200.0 255.255.255.0
! Both rules must be "source dynamic": a static many-to-one mapping does no port translation
! (only the first real host would get a usable reverse translation), dynamic gives true PAT.
nat (inside,outside) source dynamic obj_10.5.0.0_24 obj_pat_address dest static obj_10.4.0.0_24 obj_10.4.0.0_24
nat (inside,outside) source dynamic obj_10.5.0.0_24 obj_pat_address dest static obj_192.168.200.0_24 obj_192.168.200.0_24
route outside 10.4.0.0 255.255.255.0 x.x.x.x
route outside 192.168.200.0 255.255.255.0 x.x.x.x

Hope this helps somebody.
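The following is an added example, not part of the original answer and not ASA code: a small Python model of the configuration above that walks a packet from a VPN2 client through the HQ hairpin to the VPN1 server, applies each box's twice-NAT rules in order, verifies the packet matches the right crypto ACL at every hop, and checks that each crypto-ACL entry has its mirror image on the peer (the usual cause of a phase 2 mismatch). The host addresses 10.5.0.10 (a VPN2 client) and 10.5.0.1 (the VPN1 server) are assumptions, as is a default route on HQ pointing at outside; ports are ignored, so the PAT xlate table is keyed on addresses only.

```python
"""Offline model of the VPN2 -> HQ -> VPN1 path from the accepted answer (added example)."""
import ipaddress
from dataclasses import dataclass, field

N = ipaddress.ip_network
A = ipaddress.ip_address


@dataclass(frozen=True)
class TwiceNat:
    """nat (inside,outside) source {static|dynamic} REAL MAPPED dest static DST DST"""
    real_src: ipaddress.IPv4Network
    mapped_src: ipaddress.IPv4Network   # a /32 for the PAT address
    dst: ipaddress.IPv4Network          # destination is identity-mapped in the answer
    dynamic: bool = False               # dynamic = PAT, static = 1:1 net-to-net


@dataclass
class Asa:
    name: str
    nat: list                 # TwiceNat rules, first match wins (section 1 order)
    crypto: dict              # acl name -> [(src net, dst net), ...]
    xlate: dict = field(default_factory=dict)   # (mapped src, dst) -> real src (ports ignored)

    def outbound(self, src, dst):
        """inside -> outside: translate the source as the first matching rule says."""
        for r in self.nat:
            if src in r.real_src and dst in r.dst:
                if r.dynamic:
                    mapped = r.mapped_src[0]             # every host becomes the PAT address
                    self.xlate[(mapped, dst)] = src      # remembered so the reply can come back
                else:
                    mapped = r.mapped_src[0] + (int(src) - int(r.real_src[0]))  # keep host offset
                return mapped, dst
        return src, dst          # no match: 8.3+ forwards untranslated

    def inbound(self, src, dst):
        """outside -> inside: undo the source translation for the returning destination."""
        for r in self.nat:
            if dst in r.mapped_src and src in r.dst:
                if r.dynamic:
                    real = self.xlate.get((dst, src))
                    if real is None:     # nothing originated from inside: PAT drops it (note 3)
                        raise PermissionError(f"{self.name}: no xlate for {src} -> {dst}")
                    return src, real
                return src, r.real_src[0] + (int(dst) - int(r.mapped_src[0]))
        return src, dst

    def interesting(self, acl, src, dst):
        """Does a packet src -> dst match this box's crypto ACL?"""
        return any(src in s and dst in d for s, d in self.crypto[acl])


def mirror_gaps(a, a_acl, b, b_acl):
    """Entries of a's crypto ACL with no (dst, src) mirror in b's ACL. Empty list = good."""
    return [(str(s), str(d)) for s, d in a.crypto[a_acl] if (d, s) not in b.crypto[b_acl]]


# The three boxes, transcribed from the answer's configuration.
vpn1 = Asa("VPN1",
           nat=[TwiceNat(N("10.5.0.0/24"), N("10.5.0.0/24"), N("10.4.0.0/24")),
                TwiceNat(N("10.5.0.0/24"), N("192.168.200.0/24"), N("192.168.1.0/24"))],
           crypto={"crypto_vpn1_acl": [(N("10.5.0.0/24"), N("10.4.0.0/24")),
                                       (N("192.168.200.0/24"), N("192.168.1.0/24"))]})
hq = Asa("HQ",
         nat=[TwiceNat(N("10.4.0.0/24"), N("10.4.0.0/24"), N("10.5.0.0/24")),
              TwiceNat(N("10.4.0.0/24"), N("10.4.0.0/24"), N("192.168.1.0/24"))],
         crypto={"crypto_vpn1_acl": [(N("10.4.0.0/24"), N("10.5.0.0/24")),
                                     (N("192.168.1.0/24"), N("192.168.200.0/24"))],
                 "crypto_vpn2_acl": [(N("10.4.0.0/24"), N("192.168.1.0/24")),
                                     (N("192.168.200.0/24"), N("192.168.1.0/24"))]})
vpn2 = Asa("VPN2",
           nat=[TwiceNat(N("10.5.0.0/24"), N("192.168.1.1/32"), N("10.4.0.0/24"), dynamic=True),
                TwiceNat(N("10.5.0.0/24"), N("192.168.1.1/32"), N("192.168.200.0/24"), dynamic=True)],
           crypto={"crypto_vpn2_acl": [(N("192.168.1.0/24"), N("10.4.0.0/24")),
                                       (N("192.168.1.0/24"), N("192.168.200.0/24"))]})


def client_to_server(client, hidden_server):
    """VPN2 client -> VPN1 server through the HQ hairpin; returns (src, dst) the server sees."""
    s, d = vpn2.outbound(A(client), A(hidden_server))           # PAT to 192.168.1.1
    if not vpn2.interesting("crypto_vpn2_acl", s, d):
        raise RuntimeError("VPN2 would route this in the clear")
    # HQ decrypts on outside (mirror of VPN2's entry), has no outside,outside NAT for it,
    # and re-encrypts on the same interface: hence same-security-traffic permit intra-interface.
    if not (hq.interesting("crypto_vpn2_acl", d, s) and hq.interesting("crypto_vpn1_acl", s, d)):
        raise RuntimeError("HQ crypto ACLs do not carry the hairpin")
    if not vpn1.interesting("crypto_vpn1_acl", d, s):
        raise RuntimeError("VPN1 would reject the proposal")
    s, d = vpn1.inbound(s, d)                                   # 192.168.200.x -> 10.5.0.x
    return str(s), str(d)


def server_reply(real_server, pat_address="192.168.1.1"):
    """Reverse path; only works because client_to_server left an xlate on VPN2."""
    s, d = vpn1.outbound(A(real_server), A(pat_address))
    s, d = vpn2.inbound(s, d)
    return str(s), str(d)


def can_reach_vpn2(src, dst="192.168.1.1"):
    """Unsolicited packet toward the PAT address: False when VPN2 holds no xlate for it."""
    try:
        vpn2.inbound(A(src), A(dst))
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print(client_to_server("10.5.0.10", "192.168.200.1"))   # ('192.168.1.1', '10.5.0.1')
    print(server_reply("10.5.0.1"))                         # ('192.168.200.1', '10.5.0.10')
    print(can_reach_vpn2("10.4.0.5"))                       # False
    print(mirror_gaps(vpn2, "crypto_vpn2_acl", hq, "crypto_vpn2_acl"))   # []
```

The VPN1 server sees the client as the PAT address 192.168.1.1 and is itself addressed by its real 10.5.0.1, while VPN2 and HQ only ever see 192.168.200.1; the same model with the first VPN2 rule left as `static` (or with the VPN1 mapped object misnamed) is what a `packet-tracer input inside tcp 10.5.0.10 1025 192.168.200.1 443` on the real boxes would expose as a NAT or VPN drop.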