
ASA 5540 behind a NAT overloaded router, configured for client VPNs

WORK IN PROGRESS...
 
The following devices are in this scenario:
  • An end-user device on a public network with the Cisco VPN client.
  • A Cisco 3845 router connected to a public network and a private network.
  • A Cisco ASA 5540 firewall behind the router, configured with private networks.

Cisco 3845 base configuration
interface GigabitEthernet0/0
 description Outside interface
 ip address 67.211.112.133 255.255.255.224
 ip nat outside
interface GigabitEthernet0/1
 description Inside interface
 ip address 192.168.255.12 255.255.255.248
 ip nat inside
ip route 0.0.0.0 0.0.0.0 67.211.112.129
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.255.0 0.0.0.255
 
 
Cisco ASA 5540 base configuration
 
interface GigabitEthernet0/0
 nameif eth0
 security-level 0
 ip address 192.168.255.9 255.255.255.248
 
 
 
Cisco 3845 configuration
 
ip nat inside source static esp 192.168.255.9 interface gigabitEthernet 0/0
ip nat inside source static udp 192.168.255.9 500 interface gigabitEthernet 0/0 500
ip nat inside source static udp 192.168.255.9 4500 interface gigabitEthernet 0/0 4500
 
ip nat inside source static tcp 192.168.255.9 22 67.211.112.133 1022 extendable
 
 
Cisco ASA 5540 configuration
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600
isakmp enable eth0
ip local pool vpnpool 172.16.15.10-172.16.15.200 mask 255.255.255.0
crypto ipsec transform-set vpn-transform esp-3des esp-md5-hmac
tunnel-group vpn-tunnel-group type ipsec-ra
tunnel-group vpn-tunnel-group general-attributes
 address-pool vpnpool
tunnel-group vpn-tunnel-group ipsec-attributes
 pre-shared-key Test9847
crypto dynamic-map dynmap 1 set transform-set vpn-transform
crypto map mymap 1 ipsec-isakmp dynamic dynmap
crypto map mymap interface eth0
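
The following Python check is an added example, not part of the original how-to. It confirms that the 3845 forwards ESP, UDP 500 and UDP 4500 to the ASA's eth0 address, and lists the ISAKMP and ESP parameters from the ASA section that its own policy table treats as weak. The function names and the WEAK tables are assumptions of this example; the embedded config lines are copied from this page.

```python
import re

# Config lines copied from this page (router NAT section and ASA VPN section).
ROUTER_CFG = """\
ip nat inside source static esp 192.168.255.9 interface gigabitEthernet 0/0
ip nat inside source static udp 192.168.255.9 500 interface gigabitEthernet 0/0 500
ip nat inside source static udp 192.168.255.9 4500 interface gigabitEthernet 0/0 4500
"""
ASA_CFG = """\
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
crypto ipsec transform-set vpn-transform esp-3des esp-md5-hmac
"""

WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}  # example policy (assumption)
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}  # example policy (assumption)

def missing_forwards(router_cfg, asa_ip):
    """Return the IPsec flows (ESP, IKE, NAT-T) with no static NAT entry to asa_ip."""
    needed = {"esp": ("esp", None), "ike": ("udp", "500"), "nat-t": ("udp", "4500")}
    seen = set()
    pat = re.compile(r"^ip nat inside source static (\S+) (\S+)(?: (\d+))? interface", re.I)
    for line in router_cfg.splitlines():
        m = pat.match(line.strip())
        if m and m.group(2) == asa_ip:
            seen.add((m.group(1).lower(), m.group(3)))
    return sorted(name for name, flow in needed.items() if flow not in seen)

def weak_crypto(asa_cfg):
    """Return (line, reason) pairs for weak ISAKMP policy values and ESP transforms."""
    findings = []
    for line in asa_cfg.splitlines():
        words = line.split()
        if words[:2] == ["isakmp", "policy"] and len(words) >= 5:
            attr, value = words[3], words[4]
            if value in WEAK.get(attr, ()):
                findings.append((line.strip(), f"{attr} {value}"))
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            for t in words[4:]:
                if t in WEAK_TRANSFORMS:
                    findings.append((line.strip(), t))
    return findings

if __name__ == "__main__":
    print("missing forwards:", missing_forwards(ROUTER_CFG, "192.168.255.9"))
    for line, reason in weak_crypto(ASA_CFG):
        print(f"weak: {reason:14} <- {line}")
```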
 
 
 
Configuring the VPN client
Host: 67.211.112.133
Group Authentication Name: vpn-tunnel-group
Password: Test9847

 