WORK IN PROGRESS...
The following devices are in this scenario:
* An end-user device on a public network with the Cisco VPN client.
* A Cisco 3845 router connected to a public network and a private network.
* A Cisco ASA 5540 firewall behind the router, configured with private networks.
Cisco 3845 base configuration
interface GigabitEthernet0/0
 description Outside interface
 ip address 67.211.112.133 255.255.255.224
 ip nat outside
interface GigabitEthernet0/1
 description Inside interface
 ip address 192.168.255.12 255.255.255.248
 ip nat inside
ip route 0.0.0.0 0.0.0.0 67.211.112.129
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.255.0 0.0.0.255
Cisco ASA 5540 base configuration
interface GigabitEthernet0/0
 nameif eth0
 security-level 0
 ip address 192.168.255.9 255.255.255.248
Cisco 3845 configuration
ip nat inside source static esp 192.168.255.9 interface gigabitEthernet 0/0
ip nat inside source static udp 192.168.255.9 500 interface gigabitEthernet 0/0 500
ip nat inside source static udp 192.168.255.9 4500 interface gigabitEthernet 0/0 4500
ip nat inside source static tcp 192.168.255.9 22 67.211.112.133 1022 extendable
Cisco ASA 5540 configuration
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600
isakmp enable eth0
ip local pool vpnpool 172.16.15.10-172.16.15.200 mask 255.255.255.0
crypto ipsec transform-set vpn-transform esp-3des esp-md5-hmac
tunnel-group vpn-tunnel-group type ipsec-ra
tunnel-group vpn-tunnel-group general-attributes
 address-pool vpnpool
tunnel-group vpn-tunnel-group ipsec-attributes
 pre-shared-key Test9847
crypto dynamic-map dynmap 1 set transform-set vpn-transform
crypto map mymap 1 ipsec-isakmp dynamic dynmap
crypto map mymap interface eth0
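The ASA policy above negotiates 3DES, MD5 and Diffie-Hellman group 2, all legacy choices, and carries the group pre-shared key in clear text. As an added example (not part of the original post), this Python check flags those lines in a saved configuration; the weak-algorithm sets are this example's assumed audit policy, the key in the sample is a constructed placeholder, and only the one-line command form used on this page is parsed.

```python
import re

# Constructed sample: the ASA lines shown on this page, with a placeholder key.
ASA_CONFIG = """\
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600
crypto ipsec transform-set vpn-transform esp-3des esp-md5-hmac
tunnel-group vpn-tunnel-group ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
"""

# Assumed audit policy for this example, not a Cisco-defined list.
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

IKE_RE = re.compile(r"(?:crypto )?isakmp policy (\d+) (encryption|hash|group) (\S+)")
TS_RE = re.compile(r"crypto ipsec transform-set (\S+) (.+)")
PSK_RE = re.compile(r"pre-shared-key (\S+)")


def audit(config):
    """Return (line_number, finding) tuples for one-line ASA commands."""
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if m := IKE_RE.match(line):
            pol, param, value = m.groups()
            if value in WEAK_IKE[param]:
                findings.append((n, f"IKE policy {pol}: weak {param} {value}"))
        elif m := TS_RE.match(line):
            for transform in m.group(2).split():
                if transform in WEAK_ESP:
                    findings.append((n, f"transform-set {m.group(1)}: weak {transform}"))
        elif m := PSK_RE.match(line):
            # The ASA masks keys as '*' in 'show running-config'; anything else is clear text.
            if set(m.group(1)) != {"*"}:
                findings.append((n, "pre-shared key present in clear text"))
    return findings


if __name__ == "__main__":
    for n, finding in audit(ASA_CONFIG):
        print(f"line {n}: {finding}")
```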
Configuring the VPN client
Host: 67.211.112.133
Group Authentication Name: vpn-tunnel-group
Password: Test9847
asa behind router cisco vpn nat
Posted by mohammad radityas maliki hansa on Thursday, 04 February 2010