
I am configuring a Cisco ASA and a Cisco router in Packet Tracer. I am attempting to allow the external network (172.16.22.100 255.255.255.0) to access the internal server, 192.168.50.50 255.255.255.0, via a site-to-site VPN between the router and the ASA, and to reach the SSH and FTP services on that internal server. After entering the commands, the VPN is not reaching anyone, and I also do not know how to allow SSH and FTP after configuring the VPN. I also need to configure NAT (including static NAT) but cannot work out how to start. Here is the network diagram: https://i.sstatic.net/yv2p1.png

I have entered these commands on the Cisco ASA:

route outside 0.0.0.0 0.0.0.0 198.155.251.100
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 864000
crypto ikev1 enable outside
tunnel-group 198.155.251.100 type ipsec-l2l
tunnel-group 198.155.251.100 ipsec-attributes
 ikev1 pre-shared-key cisco12345
crypto ipsec ikev1 transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 set peer 198.155.251.100
crypto map VPN-MAP 10 set ikev1 transform-set VPN-SET
object network LOCAL-NET
 subnet 192.168.50.0 255.255.255.0
object network REMOTE-NET
 subnet 172.16.22.0 255.255.255.0
access-list VPN-ACL extended permit ip object LOCAL-NET object REMOTE-NET
crypto map VPN-MAP 10 match address VPN-ACL
crypto map VPN-MAP interface outside

! Cisco router (IOS)
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 group 2
 hash sha
 lifetime 86400
 exit
crypto isakmp key cisco12345 address 192.133.250.100
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.133.250.100
 set transform-set VPN-SET
 match address VPN-ACL
ip access-list extended VPN-ACL
 permit ip 172.16.22.0 0.0.0.255 192.168.50.0 0.0.0.255
interface e0/1
 crypto map VPN-MAP

I expect the VPN to be reachable from both networks. Do I need to configure the ASA to allow SSH access to the internal network? If yes, why is it needed and how?

  • You appear to have posted the same configuration twice. You need to share the full configuration of both devices in order for anyone to help you. As for allowing SSH, generally once the VPN tunnel is functional you do not need to specifically allow SSH; it will be allowed by the VPN tunnel policy and NAT configuration. Commented Nov 21, 2023 at 20:29
  • @FrameHowitzer, I have done the edit. Thank you Commented Nov 22, 2023 at 0:30

1 Answer

On the ASA you need to add configuration to implement NAT 'bypass' (really it is doing NAT but without changing the IP addresses) such as:

nat (inside,any) source static LOCAL-NET LOCAL-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup 

On the IOS router, you need to similarly deny NAT on traffic that will transit the VPN tunnel:

access-list 111 remark NAT exemption access-list
access-list 111 deny ip 172.16.22.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 permit ip 172.16.22.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 111
ip nat inside source route-map nonat interface e0/1 overload

Your NAT config on your IOS router may be substantially more complex, depending on your specific circumstances.

This page has more guidance and you might note they recommend the use of the command 'mode tunnel' under the definition of the crypto transform-set on the IOS configuration. I am not sure if that is default or not.

That page also has very useful verification and debugging commands you can use.
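As an added consistency check (not part of the answer above and not a Cisco tool), the script below parses the IOS-style crypto ACL and NAT-exemption ACL from this page and reports any VPN flow that the NAT ACL would still translate; since IOS applies inside-to-outside NAT before the crypto map, such a flow would no longer match VPN-ACL and would leave e0/1 outside the tunnel. The ACL text is constructed from the configuration in the question and the answer.

```python
import ipaddress
import re

# Constructed sample ACLs, taken from the router configuration discussed on this page.
CRYPTO_ACL = """ip access-list extended VPN-ACL
 permit ip 172.16.22.0 0.0.0.255 192.168.50.0 0.0.0.255
"""
NAT_ACL = """access-list 111 remark NAT exemption access-list
access-list 111 deny ip 172.16.22.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 permit ip 172.16.22.0 0.0.0.255 any
"""
# Source/destination operand of an 'ip' ACE: any | host A.B.C.D | A.B.C.D wildcard
OPERAND = r"(any|host \S+|\S+ \S+)"
ACE_RE = re.compile(r"(?:access-list \d+ )?(permit|deny) ip " + OPERAND + " " + OPERAND + "$")

def parse_operand(tok):
    """IOS ACL operand -> IPv4Network (a wildcard mask is an inverted netmask)."""
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok.startswith("host "):
        return ipaddress.IPv4Network(tok.split()[1] + "/32")
    addr, wildcard = tok.split()
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)

def parse_acl(text):
    """Ordered (action, src, dst) tuples for the 'ip' ACEs of an IOS ACL; other lines are skipped."""
    found = [ACE_RE.match(line.strip()) for line in text.splitlines()]
    return [(m.group(1), parse_operand(m.group(2)), parse_operand(m.group(3))) for m in found if m]

def translated_vpn_flows(crypto_acl, nat_acl):
    """Return crypto-ACL flows that the NAT ACL would still translate (first matching ACE wins).

    An empty list means every VPN flow is exempted. A crypto flow that matches no NAT ACE at
    all is also safe: the route-map then does not match, so nothing is translated."""
    nat_entries = parse_acl(nat_acl)
    leaks = []
    for action, src, dst in parse_acl(crypto_acl):
        if action != "permit":
            continue
        for nat_action, nsrc, ndst in nat_entries:
            if not (src.overlaps(nsrc) and dst.overlaps(ndst)):
                continue
            if nat_action == "permit":
                leaks.append(f"{src} -> {dst}")   # at least part of this flow gets NATed
                break
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                break                             # fully exempted by this deny entry
    return leaks
```

With the answer's ACL 111 the result is empty; drop the deny line and the 172.16.22.0/24 to 192.168.50.0/24 flow is reported as translated.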
