topic I do not think there is in Network Security

ASA Outside NAT Problem!!!

andyc0313 — Tue, 12 Mar 2019 04:15:26 GMT

Hi everybody,

My situation is as follows:
My Pre 8.3 ASA is connected to two outside networks: the ISP with security level 0, and a separate agency network with security level 10. We are having a problem connecting to the agency network from a L2L VPN tunnel coming through the ISP interface. These VPN branch users can communicate with our entire corporate network and I'm currently using outside-to-outside nat to get them to talk to the internet out the same ISP interface they come in through, but they can't talk to the agency network at all. *All inside users have full communication with the agency network.*

I receive the following error:
------------------------------
asa1# sh nat outside agency
ERROR: No matching NAT policy found
------------------------------
If I statically nat one user from the VPN branch to one of the agency pool addresses, I have full connectivity between that VPN user and the agency network.
This command makes it work: static (outside,agency) 16x.5x.1x.12x 10.18.1.1

My configuration:
nat (outside) 20 access-list vpn_outside_nat
nat (inside) 0 access-list NONAT
nat (inside) 30 access-list inside_nat_outbound
nat (inside) 20 0.0.0.0 0.0.0.0
global (agency) 20 16x.5x.1x.1x-1x.5x.1x.12x
global (agency) 20 16x.5x.1x.1x
global (outside) 20 20x.1x.2x.1x
global (outside) 10 20x.1x.2x.1x netmask 255.255.255.0
global (outside) 30 20x.1x.2x.1x netmask 255.255.255.255

access-list vpn_outside_nat extended permit ip 10.0.0.0 255.0.0.0 any

access-list NONAT extended permit ip any 10.0.0.0 255.0.0.0

access-list inside_nat_outbound extended permit ip host 192.168.1.12 any

Please let me know if you need any more information to help. I appreciate any answers!
Thanks!

If Im reading this correctly

mickyq — Thu, 29 May 2014 12:45:59 GMT

If Im reading this correctly you are trying to connect two VPN sites through the same interface.

try: (config)#same-security-traffic permit intra-interface

this allows communication between peers connected to the same interface

Thanks for the reply. That

andyc0313 — Thu, 29 May 2014 14:08:07 GMT

Thanks for the reply. That isn't what I'm trying to accomplish, though. That particular part already works just fine. These are two different interfaces (outside, sec.=0, agency, sec.=10). The issue is that the VPN users on the outside interface can't communicate with the users in the agency network.

Are the VPN user connecting

Marius Gunnerud — Thu, 29 May 2014 20:28:11 GMT

Are the VPN user connecting over a site to site VPN or is this a remote access VPN solution?

is the agency network traffic comming in on the agency interface? if so then you are missing a no nat statement for that interface.

If that doesn't work, please post a network diagram indicating how the agency network and VPN network connects to the ASA.

Also run a packet tracer while the VPN user PC is connect to the VPN and post the results here.

packet-tracer input agency tcp <agency IP> 12345 <VPN IP> 80 detail

Please remember to select a correct answer and rate helpful posts

The VPN users are connecting

andyc0313 — Thu, 29 May 2014 22:34:07 GMT

The VPN users are connecting over a site to site VPN from an 1841 to the ASA.

I tried the no nat statement for the agency interface, and still no communication. I even tried a dynamic nat statement for it, and still nothing.

Here's the output of the packet-tracer:

asa1# packet- input agency tcp 1xx.5x.3x.1x 12345 10.18.1.1 80 det

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_agency in interface agency
access-list acl_agency extended permit ip host 1xx.5x.3x.1x 10.0.0.0 255.0.0.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb954718, priority=12, domain=permit, deny=false
hits=1, user_data=0xcbf4fc78, cs_id=0x0, flags=0x0, protocol=0
src ip=1xx.5x.3x.1x, mask=255.255.255.255, port=0
dst ip=10.0.0.0, mask=255.0.0.0, port=0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc88014f8, priority=0, domain=permit-ip-option, deny=true
hits=496265, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb8c98b0, priority=70, domain=inspect-http, deny=false
hits=20, user_data=0xcb8c8fb0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=80

Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcc99ae50, priority=70, domain=encrypt, deny=false
hits=35412, user_data=0x132f3dac, cs_id=0xd4f14878, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.18.0.0, mask=255.255.0.0, port=0

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd06f1c50, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=38406, user_data=0x132f6b24, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.18.0.0, mask=255.255.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (outside) 20 access-list vpn_outside_nat
match ip outside 10.0.0.0 255.0.0.0 outside any
dynamic translation to pool 20 (2x.1x.2x.1x)
translate_hits = 80054, untranslate_hits = 7242
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd4f0e198, priority=2, domain=host, deny=false
hits=265627, user_data=0xcd09b6d8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.0.0.0, mask=255.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc87f2bc0, priority=0, domain=permit-ip-option, deny=true
hits=864567193, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1039870772, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Result:
input-interface: agency
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

From the output of the packet

Marius Gunnerud — Thu, 29 May 2014 22:40:54 GMT

From the output of the packet tracer I would say that the problem is at the remote s2s vpn device. The packet is allowed and it is entering and exiting the correct interfaces.

Have a look at the remote device..if you have admin access to it that is. Otherwise as the administrators of the remote site to check their configuration, more specifically their no nat statements and the crypto ACLs.

Please remember to select a correct answer and rate helpful posts

I've looked at the remote

andyc0313 — Fri, 30 May 2014 00:20:04 GMT

I've looked at the remote 1841 and everything looks fine. There is no nat being performed at all, because it is used strictly for VPN access, and the crypto ACLs specify that anything coming from 10.18.0.0 (that branch's subnet) should be placed in the tunnel.

Traffic flows from this VPN network to ANYWHERE else just fine (inside and outside) through our ASA. It just doesn't go to the agency network.

Could you please post a

Marius Gunnerud — Fri, 30 May 2014 09:43:53 GMT

Could you please post a network diagram of how this solution connects together.

How are you testing the connectivity over the VPN?

On the ASA...and on the 1841 router issue the command show crypto ipsec sa and show crypto isakmp (the isakmp command might differ on the ASA depending on the version you are running).

Please post a full running config of both sides of the tunnel (sanitised) aswell.

Please remember to select a correct answer and rate helpful posts

I've attached a small diagram

andyc0313 — Fri, 30 May 2014 17:03:30 GMT

I've attached a small diagram illustrating the network.

To test connectivity from the VPN, I'm simply pinging from a client on that network to a client on the agency network. The VPN clients are private addresses and the agency network is all public addresses.

Here's the output on the 1841:

xxxx-xx-1841#sh crypto ipsec sa

interface: FastEthernet0/0/0
Crypto map tag: CRYPTO-MAP, local addr 2xx.1xx.2xx.2xx

protected vrf: (none)
local ident (addr/mask/prot/port): (10.18.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 2xx.1xx.2xx.1xx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 43532623, #pkts encrypt: 43532623, #pkts digest: 43532623
#pkts decaps: 45942079, #pkts decrypt: 45942079, #pkts verify: 45942079
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2150, #recv errors 8

local crypto endpt.: 2xx.1xx.2xx.2xx, remote crypto endpt.: 2xx.1xx.2xx.1xx
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0/0
current outbound spi: 0x636A5937(1667914039)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xFDEEF343(4260295491)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2263, flow_id: FPGA:263, sibling_flags 80000046, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4417816/3413)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x636A5937(1667914039)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2264, flow_id: FPGA:264, sibling_flags 80000046, crypto map: CRYPTO-MAP
sa timing: remaining key lifetime (k/sec): (4427473/3413)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Here's the output on the ASA:

asa1# sh crypto isakmp

Active SA: 9
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 9

5 IKE Peer: 2xx.1xx.2xx.2xx
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

Global IKE Statistics
Active Tunnels: 8
Previous Tunnels: 11083
In Octets: 4196166801
In Packets: 1330363
In Drop Packets: 580269
In Notifys: 104767
In P2 Exchanges: 54915
In P2 Exchange Invalids: 107
In P2 Exchange Rejects: 42300
In P2 Sa Delete Requests: 19
Out Octets: 159932732
Out Packets: 1428588
Out Drop Packets: 2343
Out Notifys: 631581
Out P2 Exchanges: 21275
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 29494
Initiator Tunnels: 109440
Initiator Fails: 108383
Responder Fails: 143692
System Capacity Fails: 0
Auth Fails: 143040
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 394232

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

Running-config on 1841:

Building configuration...

Current configuration : 2315 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain lookup source-interface FastEthernet0/1.181
ip name-server 10.1.4.22
ip name-server 192.168.1.53
!
multilink bundle-name authenticated
!
password encryption aes
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 xxx address 2xx.1xx.2xx.1xx
!
!
crypto ipsec transform-set TRANSFORM-SET esp-3des esp-sha-hmac
!
crypto map CRYPTO-MAP 1 ipsec-isakmp
set peer 2xx.1xx.2xx.1xx
set transform-set TRANSFORM-SET
match address VPN-TRAFFIC
!
!
!
!
track 1 interface FastEthernet0/0 line-protocol
!
!
!
interface Loopback1
no ip address
shutdown
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.181
encapsulation dot1Q 181
ip address 10.18.1.1 255.255.255.0
ip helper-address 10.1.4.22
ip helper-address 192.168.1.58
!
interface FastEthernet0/1.182
encapsulation dot1Q 182
ip address 10.18.2.1 255.255.255.0
ip helper-address 10.1.4.22
ip helper-address 192.168.1.58
!
interface FastEthernet0/0/0
ip address 2xx.1xx.2xx.2xx 255.255.255.252
ip access-group block_untrusted_remote in
duplex auto
speed auto
crypto map CRYPTO-MAP
!
interface FastEthernet0/0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 track 1
ip route 0.0.0.0 0.0.0.0 2xx.1xx.2xx.2xx
no ip http server
no ip http secure-server
!
!
!
ip access-list extended VPN-TRAFFIC
permit ip 10.18.0.0 0.0.255.255 any
ip access-list extended block_untrusted_remote
permit ip 2xx.1xx.2xx.1xx 0.0.0.15 any
permit ip host 2xx.1xx.2xx.2xx host 2xx.1xx.2xx.2xx

Running-config on ASA:

hostname asa1
names
name 192.168.6.0 VLAN6
name 192.168.4.0 VLAN4
name 192.168.5.0 VLAN5
name 192.168.0.0 Inside-subnet
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 2xx.1xx.2xx.178 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.12.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif agency
security-level 10
ip address 1xx.5xx.1xx.3 255.255.255.128
!
interface GigabitEthernet0/3
description DMZ interface
nameif DMZ2
security-level 50
ip address 10.30.30.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 0
ip address 10.10.10.3 255.255.255.0
!

!
time-range 5:30p
absolute end 17:30 17 January 2014
!
boot system disk0:/asa803-k8.bin
ftp mode passive

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list acl_agency extended permit ip any host 1xx.5xx.1xx.123
access-list acl_agency extended permit ip host 1xx.5xx.3xx.130 10.0.0.0 255.0.0.0

access-list inside_nat_outbound extended permit ip host 192.168.1.12 any

access-list NONAT extended permit ip any 10.0.0.0 255.0.0.0
access-list l2l_vpn-branch extended permit ip any 10.18.0.0 255.255.0.0
access-list vpn_outside_nat extended permit ip 10.0.0.0 255.0.0.0 any

mtu outside 1500
mtu inside 1500
mtu agency 1500
mtu DMZ2 1500
mtu management 1500
no failover
failover polltime unit 15 holdtime 45
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable outside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400

global (outside) 20 2xx.1xx.2xx.190
global (outside) 10 2xx.1xx.2xx.185 netmask 255.255.255.0
global (outside) 30 2xx.1xx.2xx.184 netmask 255.255.255.255
global (agency) 20 1xx.5xx.1xx.10-1xx.5xx.1xx.122
global (agency) 20 1xx.5xx.1xx.125
nat (outside) 20 access-list vpn_outside_nat
nat (inside) 0 access-list NONAT
nat (inside) 30 access-list inside_nat_outbound
nat (inside) 20 0.0.0.0 0.0.0.0

static (inside,agency) 1xx.5xx.1xx.123 10.1.4.45 netmask 255.255.255.255

access-group acl_out in interface outside
access-group acl_inside in interface inside
access-group acl_agency in interface agency

route inside 10.18.0.0 255.255.0.0 192.168.12.2 1 track 1
route outside 0.0.0.0 0.0.0.0 2xx.1xx.2xx.177 1
route inside 10.1.0.0 255.255.0.0 192.168.12.2 1
route inside 10.2.0.0 255.255.0.0 192.168.12.2 1
route inside 10.3.0.0 255.255.0.0 192.168.12.2 1
route inside 10.4.0.0 255.255.0.0 192.168.12.2 1
route inside 10.5.0.0 255.255.0.0 192.168.12.2 1
route inside 10.6.0.0 255.255.0.0 192.168.12.2 1
route inside 10.7.0.0 255.255.0.0 192.168.12.2 1
route inside 10.8.0.0 255.255.0.0 192.168.12.2 1
route inside 10.9.0.0 255.255.0.0 192.168.12.2 1
route inside 10.10.0.0 255.255.0.0 192.168.12.2 1
route inside 10.11.0.0 255.255.0.0 192.168.12.2 1
route inside 10.12.0.0 255.255.0.0 192.168.12.2 1
route inside 10.13.0.0 255.255.0.0 192.168.12.2 1
route inside 10.14.0.0 255.255.0.0 192.168.12.2 1
route inside 10.16.0.0 255.255.0.0 192.168.12.2 1
route inside 10.17.0.0 255.255.0.0 192.168.12.2 1
route agency 1xx.1xx.1xx.0 255.255.255.0 1xx.5xx.1xx.1 1
route agency 1xx.5xx.3xx.0 255.255.255.0 1xx.5xx.1xx.1 1
route agency 1xx.5xx.6xx.0 255.255.255.0 1xx.5xx.1xx.1 1
route inside 172.16.0.0 255.255.0.0 192.168.12.2 1
route inside 172.17.0.0 255.255.0.0 192.168.12.2 1
route inside 172.19.0.0 255.255.0.0 192.168.12.2 1
route inside 172.31.0.0 255.255.0.0 192.168.12.2 1
route inside 172.32.0.0 255.255.0.0 192.168.12.2 1
route inside 192.168.1.0 255.255.255.0 192.168.12.2 1
route inside 192.168.2.0 255.255.255.0 192.168.12.2 1
route inside 192.168.3.0 255.255.255.0 192.168.12.2 1
route inside VLAN4 255.255.255.0 192.168.12.2 1
route inside VLAN5 255.255.255.0 192.168.12.2 1
route inside VLAN6 255.255.255.0 192.168.12.2 1
route inside 192.168.8.0 255.255.255.0 192.168.12.2 1
route inside 192.168.11.0 255.255.255.0 192.168.12.2 1
route inside 192.168.13.0 255.255.255.0 192.168.12.2 1
route inside 192.168.254.0 255.255.255.0 192.168.12.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy

http server enable
http 10.2.0.0 255.255.0.0 inside
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside

sla monitor 1
type echo protocol ipIcmpEcho 10.18.1.1 interface inside
num-packets 3
timeout 1000
frequency 3
sla monitor schedule 1 life forever start-time now

crypto ipsec transform-set esp-des esp-des esp-none
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map CHCS 10 match address l2l_vpn-branch
crypto map CHCS 10 set peer 2xx.1xx.2xx.2xx
crypto map CHCS 10 set transform-set ESP-3DES-SHA
crypto map CHCS interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
no crypto isakmp nat-traversal
!
track 1 rtr 1 reachability

management-access management
priority-queue outside
queue-limit 2000
tx-ring-limit 15
priority-queue inside
queue-limit 2000
tx-ring-limit 15
threat-detection basic-threat
threat-detection statistics

tunnel-group 2xx.1xx.2xx.2xx type ipsec-l2l
tunnel-group 2xx.1xx.2xx.2xx ipsec-attributes
pre-shared-key *
!

policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect tftp
inspect icmp
policy-map global-policy
class inspection_default
!
service-policy global_policy global

Just out of curiosity, any

Marius Gunnerud — Fri, 30 May 2014 20:43:11 GMT

Just out of curiosity, any reason why you have this in your configuration on the 1841?

interface FastEthernet0/0
no ip address
duplex auto
speed auto

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 track 1

Should the following command be pointing out the outside interface, isn't the 1841 located off the outside interface? If so then this is part of the problem. change it to point out the correct interface and correct next hop IP.

route inside 10.18.0.0 255.255.0.0 192.168.12.2 1 track 1

Also you need to have a no NAT for the agency interface.

nat (agency) 0 access-list NONAT

Please correct these and test, and let us know how it goes.

Please select a correct answer and rate helpful posts

That statement on the 1841

andyc0313 — Fri, 30 May 2014 21:05:46 GMT

That statement on the 1841 and ASA were for testing a failover between INSIDE MPLS and OUTSIDE VPN. We haven't gotten to that point yet but it was in the works. The routing tables on both the 1841 and the ASA are both using their default routes at the moment for communication. You can ignore the statements referring to tracking objects, sorry I didn't mention it.

I tried adding a nat exemption statement on the ASA again and it didn't make a difference. I have a strong feeling that my troubles are somehow because of this error. When I added the NONAT statement, I was at least able to get an output from the first command, but still not the second, as mentioned in my first post.

asa1# sh nat agency outside
match ip agency any outside 10.0.0.0 255.0.0.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
asa1# sh nat outside agency
ERROR: No matching NAT policy found

Can you check if this is

jpl861 — Sat, 31 May 2014 12:05:42 GMT

Can you check if this is correct?

global (agency) 20 1xx.5xx.1xx.10-1xx.5xx.1xx.122
global (agency) 20 1xx.5xx.1xx.125
nat (outside) 20 access-list vpn_outside_nat

From what I can see there, you are translating the 10.18.0.0/16 remote network into a 1xx.5xx.1xx. IP.

Try to do this:

nat (outside) 0 access-list outside_to_agency_nonat

access-list outside_to_agency_nonat permit ip 10.18.0.0 0.0.255.255 any

I've tried that, but they

andyc0313 — Sat, 31 May 2014 16:23:46 GMT

I've tried that, but they still don't communicate. I believe we need to be nat'ing to those global ip's in order to communicate with the agency network.

The problem seems to be that it's NOT translating the 10.18.0.0 network into a 1xx.5xx.1xx.xxx IP. NAT doesn't seem to be working on anything going from the outside to the agency interface, for some reason.

Just for clarification, the

Marius Gunnerud — Sat, 31 May 2014 18:56:11 GMT

Just for clarification, the no nat statement needs to be implemented on the ingress interface for the non-encrypted traffic...so in this case the agency interface and not the outside interface.

Also when doing VPN you do not want to translate the VPN traffic to the public IP...this is the reason for the no nat.

I suggest issuing the command clear xlate and then test connectivity. If this setup is currently in use do so outside of working hours or during a service window...or atleast tell your users that they will lose connectivity for a short period of time. I am thinking that you have had a NAT statement in your configuration that has included the agency subnet and it has not timed out.

Please remember to select a correct answer and rate helpful posts

Okay, I've tried to put a nat

andyc0313 — Sun, 01 Jun 2014 04:11:11 GMT

Okay, I've tried to put a nat exemption coming from the agency interface and cleared the translation tables, but still no connectivity. Any ideas?

Could you add the no nat to

Marius Gunnerud — Sun, 01 Jun 2014 10:01:31 GMT

Could you add the no nat to the agency interface and then issue the packet tracer again.

I see that the NAT statements are missing from the 1841 could confirm that the traffic from the 10.18 network to the agency network is being exempted from NAT?

Please remember to select a correct answer and rate helpful posts

What about nat (agency) 0

jpl861 — Sun, 01 Jun 2014 13:23:55 GMT

What about nat (agency) 0 access-list xxxx? This is a normal issue with return traffic sometimes as the return traffic is being dropped or translated into a different IP.

The poster has indicated that

Marius Gunnerud — Sun, 01 Jun 2014 13:35:56 GMT

The poster has indicated that he has added a nat 0 to the agency interface but the issue persists.

From the packet-tracer output

andyc0313 — Sun, 01 Jun 2014 23:39:06 GMT

From the packet-tracer output, it seems that the return traffic coming from the VPN going to the agency network is being nat'ed to the global address that is only supposed to be for the outside interface instead of the global address intended for the agency network. That would explain why it can't communicate, but how do I fix this and get it to NAT to the global (agency) pool instead of the global (outside) pool?

Here's the output:

asa1# packet-t input agency tcp 1xx.5xx.3xx.1xx 12345 10.18.1.1 80 det

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_agency in interface agency
access-list acl_agency extended permit ip host 1xx.5xx.3xx.1xx 10.0.0.0 255.0.0.
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb954718, priority=12, domain=permit, deny=false
hits=2, user_data=0xcbf4fc78, cs_id=0x0, flags=0x0, protocol=0
src ip=1xx.5xx.3xx.1xx, mask=255.255.255.255, port=0
dst ip=10.0.0.0, mask=255.0.0.0, port=0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc88014f8, priority=0, domain=permit-ip-option, deny=true
hits=496646, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb8c98b0, priority=70, domain=inspect-http, deny=false
hits=21, user_data=0xcb8c8fb0, cs_id=0x0, use_real_addr, flags=0x0,
ocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=80

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (agency) 0 access-list NONAT
match ip agency any outside 10.0.0.0 255.0.0.0
NAT exempt
translate_hits = 1, untranslate_hits = 1
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbd9e088, priority=6, domain=nat-exempt, deny=false
hits=0, user_data=0xcc144078, cs_id=0x0, use_real_addr, flags=0x0, p
col=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.0.0.0, mask=255.0.0.0, port=0

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc7695f80, priority=70, domain=encrypt, deny=false
hits=5734, user_data=0x1338149c, cs_id=0xd4f14878, reverse, flags=0x
rotocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.18.0.0, mask=255.255.0.0, port=0

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd06f2c40, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=6035, user_data=0x13384f54, cs_id=0x0, reverse, flags=0x0, prot
=0
src ip=10.18.0.0, mask=255.255.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (outside) 20 access-list vpn_outside_nat
match ip outside 10.0.0.0 255.0.0.0 outside any
dynamic translation to pool 20 (2xx.1xx.2xx.190)
translate_hits = 204581, untranslate_hits = 26424
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd4f0e198, priority=2, domain=host, deny=false
hits=693456, user_data=0xcd09b6d8, cs_id=0x0, reverse, flags=0x0, pr
ol=0
src ip=10.0.0.0, mask=255.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc87f2bc0, priority=0, domain=permit-ip-option, deny=true
hits=872576652, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protoc
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1048522497, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Result:
input-interface: agency
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Even though it shows a match

Marius Gunnerud — Mon, 02 Jun 2014 06:47:23 GMT

Even though it shows a match on the NAT to the outside global, it is the NAT0 which takes precedence:

Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (agency) 0 access-list NONAT
match ip agency any outside 10.0.0.0 255.0.0.0

But to see if this is the issue, you could add a more specific ACL that matches the exact source and destination subnets.

Please remember to select a correct answer and rate helpful posts