Thursday, August 5, 2010

Cisco ASA 7.2 PPPoE Lan-to-LAN IPSEC with conditional NAT Template

This is a pretty standard config, except for the conditional NAT. Only the local hosts listed in object-group LocalHostsToNATtoVendor01 are translated (into the 172.16.6.24/29 pool) when they talk to the vendor network, and because the crypto ACL matches that translated range, only their traffic enters the VPN tunnel. Everything else from the inside network is PATed to the outside interface address as usual.

!ASA Version 7.2(4)
!
enable password ********** encrypted
passwd ********** encrypted
names
!
interface Vlan1
description LAN
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
description OUTSIDE
nameif outside
security-level 0
pppoe client vpdn group MyPPPUserName
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object-group network RemoteVendor01
network-object 192.168.64.0 255.255.248.0
!
object-group network LocalHostsToNATtoVendor01
network-object host 10.10.10.150
network-object host 10.10.10.151
network-object host 10.10.10.152
network-object host 10.10.10.153
network-object host 10.10.10.154
network-object host 10.10.10.155
network-object host 10.10.10.156
network-object host 10.10.10.157
!
access-list outside_1_cryptomap extended permit ip 172.16.6.24 255.255.255.248 192.168.64.0 255.255.248.0
access-list inside_nat0_outbound extended permit ip 172.16.6.24 255.255.255.248 192.168.64.0 255.255.248.0
!
access-list LocalHostsToNATtoVendor01 remark conditional NAT
access-list LocalHostsToNATtoVendor01 extended permit ip object-group LocalHostsToNATtoVendor01 object-group RemoteVendor01
!
!define two NAT pools, one pool of IPs, the other the outside interface address
global (outside) 1 172.16.6.24-172.16.6.31
global (outside) 2 interface
!don't nat some hosts
nat (inside) 0 access-list inside_nat0_outbound
!do NAT this ACL
nat (inside) 1 access-list LocalHostsToNATtoVendor01
nat (inside) 2 10.10.10.0 255.255.255.0
!
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 192.152.45.12
crypto map outside_map 1 set transform-set ESP-AES-192-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-192
hash sha
group 5
lifetime 28800
!
vpdn group MyPPPUserName request dialout pppoe
vpdn group MyPPPUserName localname MyPPPUserName
vpdn group MyPPPUserName ppp authentication pap
vpdn username MyPPPUserName password *********
!
tunnel-group 192.152.45.12 type ipsec-l2l
tunnel-group 192.152.45.12 ipsec-attributes
pre-shared-key *
!
! here's an interesting feature
smtp-server 10.45.26.2
prompt hostname context
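To check which inside hosts actually end up in the tunnel, here is an added Python model of the NAT order this template relies on (nat 0 exemption, then the policy NAT for the listed hosts, then the catch-all PAT); it is not Cisco code or part of the original post. The outside PPPoE address is unknown, so a placeholder is assumed, and the ASA 7.2 evaluation order is modelled as stated in the comments.

```python
import ipaddress

# Constructed model of the NAT and crypto-map rules in the template above
# (assumed order: nat 0 exemption, then policy NAT 1, then dynamic PAT 2).
VENDOR = ipaddress.ip_network("192.168.64.0/21")                          # RemoteVendor01
LISTED = {ipaddress.ip_address(f"10.10.10.{h}") for h in range(150, 158)}  # LocalHostsToNATtoVendor01
POOL = [ipaddress.ip_address("172.16.6.24") + i for i in range(8)]        # global (outside) 1
OUTSIDE_IF = ipaddress.ip_address("198.51.100.7")                         # placeholder PPPoE address
CRYPTO_SRC = ipaddress.ip_network("172.16.6.24/29")                       # outside_1_cryptomap source
INSIDE = ipaddress.ip_network("10.10.10.0/24")                            # nat (inside) 2 subnet


def translate(src, dst, pool_map):
    """Return (translated_src, rule, encrypted) for one inside->outside flow.
    pool_map persists dynamic NAT assignments between calls (host -> pool address)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # nat (inside) 0 access-list inside_nat0_outbound: identity, no translation
    if src in CRYPTO_SRC and dst in VENDOR:
        return src, "nat 0", True
    # nat (inside) 1 access-list LocalHostsToNATtoVendor01: policy NAT into pool 1
    if src in LISTED and dst in VENDOR:
        if src not in pool_map:
            free = [ip for ip in POOL if ip not in pool_map.values()]
            if not free:  # a dynamic pool hands out one address per host, then fails
                return None, "nat 1 (pool exhausted)", False
            pool_map[src] = free[0]
        xlated = pool_map[src]
        return xlated, "nat 1", xlated in CRYPTO_SRC
    # nat (inside) 2 10.10.10.0/24: PAT to the outside interface, which the crypto ACL never matches
    if src in INSIDE:
        return OUTSIDE_IF, "nat 2", OUTSIDE_IF in CRYPTO_SRC
    return src, "no nat", False


def audit(flows):
    """Classify (src, dst) flows; returns a list of (src, dst, rule, encrypted)."""
    pool_map = {}
    return [(s, d) + translate(s, d, pool_map)[1:] for s, d in flows]


if __name__ == "__main__":
    sample = [("10.10.10.150", "192.168.70.5"),   # listed host -> vendor: NATted, encrypted
              ("10.10.10.20", "192.168.70.5"),    # unlisted host -> vendor: PAT, sent in the clear
              ("10.10.10.150", "203.0.113.9")]    # listed host -> Internet: PAT, sent in the clear
    for row in audit(sample):
        print(row)
```

The second sample flow is the one worth checking on a real box: an inside host that is not in the object-group never matches the crypto map, so its vendor-bound traffic follows the default route instead of the tunnel.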