topic Re: p2p with nating howto in Network Security

p2p with nating howto

demory1210 — Mon, 11 Mar 2019 18:38:46 GMT

I am trying to set up a p2p connection to a site where they want me to nat our ips to a different scheme.

Here is the relevant config

access-list INTERNETHUB2_cryptomap_60 extended permit ip 10.99.48.0 255.255.255.0 host 32.90.100.7

access-list policy_nat extended permit ip 172.30.5.0 255.255.255.0 host 32.90.100.7

static (VLAN1,INTERNETHUB2) 10.99.48.0 access-list policy_nat

crypto map INTERNETHUB2_map 60 match address INTERNETHUB2_cryptomap_60

crypto map INTERNETHUB2_map 60 set peer 67.208.150.94 63.240.239.45

crypto map INTERNETHUB2_map 60 set transform-set ESP-3DES-SHA

tunnel-group 67.208.150.94 type ipsec-l2l

tunnel-group 67.208.150.94 ipsec-attributes

pre-shared-key *

tunnel-group 63.240.239.45 type ipsec-l2l

tunnel-group 63.240.239.45 ipsec-attributes

pre-shared-key *

needless to say this is not working, When I try to ping 32.90.100.7 from a machine on the 172.30.5 subnet the ASA device receives it but does not even try to bring up the tunnel. What have I done wrong?

Joseph

Re: p2p with nating howto

demory1210 — Fri, 10 Sep 2010 18:41:28 GMT

I have some made the following changes to this config

access-list nat_for_ivans extended permit ip 172.30.5.0 255.255.255.0 host 32.90.100.7

global (INTERNETHUB2) 1 10.99.48.1-10.99.48.254

nat (VLAN1) 1 access-list nat_for_ivans

needless to say

the static command is gone.

also

sho xlate

Global 10.99.48.1 Local 172.30.5.1

which means the nat is working I hope but still no attempt to bring up the p2p

Re: p2p with nating howto

manish arora — Fri, 10 Sep 2010 18:58:45 GMT

Hi,

This configuration seems perfect to me , can you post "sh nat" out as well. Also, make sure the remote end has the configuration up with mirror ACL. no use to doing debugging if the other end doesnot have crypto for you in place.

Thanks

Manish

Re: p2p with nating howto

demory1210 — Fri, 10 Sep 2010 19:08:57 GMT

I have no control over the other end but they claim to have it set up. Wouldn't I see attempts at isakmp coming up in the case they weren't configed? Also the section for 172.30.5.0 natting shows no translations. I have a machine with the address 172.30.5.1 pinging the 32.90.100.7 address and I can see it coming into the ASA device.

WE also have the following other nat policies.

access-list VLAN1_nat0_outbound extended permit ip 172.30.0.0 255.255.0.0 209.211.140.0 255.255.255.0

access-list VLAN1_nat0_outbound extended permit ip 172.30.0.0 255.255.0.0 192.168.90.0 255.255.255.0

access-list VLAN1_nat0_outbound extended permit ip 172.30.0.0 255.255.0.0 host 192.168.30.29

access-list VLAN1_nat0_outbound extended permit ip any host 172.30.2.250

access-list VLAN1_nat0_inbound extended permit ip 172.30.0.0 255.255.0.0 209.211.140.0 255.255.255.0

access-list VLAN1_nat0_inbound extended permit ip 172.30.0.0 255.255.0.0 192.168.90.0 255.255.255.0

nat (VLAN1) 0 access-list VLAN1_nat0_outbound

nat (VLAN1) 0 access-list VLAN1_nat0_inbound outside

Could these be catching it first?

thanks

NAT policies on Interface VLAN1:

match ip VLAN1 172.30.0.0 255.255.0.0 INTERNETHUB2 209.211.140.0 255.255.255.0

NAT exempt

translate_hits = 182, untranslate_hits = 683870

match ip VLAN1 172.30.0.0 255.255.0.0 INTERNETHUB2 192.168.90.0 255.255.255.0

NAT exempt

translate_hits = 895165, untranslate_hits = 3409685

match ip VLAN1 172.30.0.0 255.255.0.0 INTERNETHUB2 host 192.168.30.29

NAT exempt

translate_hits = 2209, untranslate_hits = 1406

match ip VLAN1 any INTERNETHUB2 host 172.30.2.250

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 172.30.0.0 255.255.0.0 DMZ3 209.211.140.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 172.30.0.0 255.255.0.0 DMZ3 192.168.90.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 172.30.0.0 255.255.0.0 DMZ3 host 192.168.30.29

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 any DMZ3 host 172.30.2.250

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 172.30.0.0 255.255.0.0 VLAN1 209.211.140.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 172.30.0.0 255.255.0.0 VLAN1 192.168.90.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 172.30.0.0 255.255.0.0 VLAN1 host 192.168.30.29

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 any VLAN1 host 172.30.2.250

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 172.30.0.0 255.255.0.0 VLAN200 209.211.140.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 172.30.0.0 255.255.0.0 VLAN200 192.168.90.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 172.30.0.0 255.255.0.0 VLAN200 host 192.168.30.29

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 any VLAN200 host 172.30.2.250

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 172.30.0.0 255.255.0.0 VLAN1 209.211.140.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 172.30.0.0 255.255.0.0 VLAN1 192.168.90.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 172.30.0.0 255.255.0.0 management 209.211.140.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 172.30.0.0 255.255.0.0 management 192.168.90.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 host 172.30.2.132 INTERNETHUB2 any

static translation to 74.223.63.186

translate_hits = 112675, untranslate_hits = 389452

match ip VLAN1 host 172.30.2.133 INTERNETHUB2 any

static translation to 74.223.63.187

translate_hits = 2529, untranslate_hits = 786561

match ip VLAN1 host 172.30.2.134 INTERNETHUB2 any

static translation to 74.223.63.188

translate_hits = 2360, untranslate_hits = 3511557

match ip VLAN1 host 172.30.2.135 INTERNETHUB2 any

static translation to 74.223.63.189

translate_hits = 520, untranslate_hits = 182516

match ip VLAN1 host 172.30.1.58 DMZ3 any

static translation to 172.30.1.58

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 host 172.30.2.137 INTERNETHUB2 any

static translation to 74.223.63.180

translate_hits = 667, untranslate_hits = 245798

match ip VLAN1 host 172.30.2.183 INTERNETHUB2 any

static translation to 74.223.63.185

translate_hits = 11, untranslate_hits = 9892

match ip VLAN1 172.30.5.0 255.255.255.0 INTERNETHUB2 host 32.90.100.7

dynamic translation to pool 1 (10.99.48.1 - 10.99.48.254)

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 172.30.5.0 255.255.255.0 DMZ3 host 32.90.100.7

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 172.30.5.0 255.255.255.0 VLAN1 host 32.90.100.7

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

match ip VLAN1 172.30.5.0 255.255.255.0 VLAN200 host 32.90.100.7

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

NAT policies on Interface management:

match ip management any INTERNETHUB2 any

identity NAT translation, pool 0

translate_hits = 0, untranslate_hits = 0

match ip management any DMZ3 any

identity NAT translation, pool 0

translate_hits = 0, untranslate_hits = 0

match ip management any VLAN1 any

identity NAT translation, pool 0

translate_hits = 0, untranslate_hits = 0

match ip management any VLAN200 any

identity NAT translation, pool 0

translate_hits = 0, untranslate_hits = 0

match ip management any management any

identity NAT translation, pool 0

translate_hits = 0, untranslate_hits = 0

Re: p2p with nating howto

manish arora — Fri, 10 Sep 2010 23:16:22 GMT

I dont see any hits for incoming nat traslation for that policy.

you should capture packets on the interface vlan1 ..to see even if your router is sending traffic to the asa , also make your that router is not natting your internal vlan1 ( 172.30.x.x ) to something else.

so , on asa use this :-

access-list xyz ext per ip 172.30.x.x 255.255.255.0 30.90.x.x any

capture capin access-list xyz int vlan1

sh capture capin

if you do not see any thing in this capture that means the router is the point of issue.

hope it helps

manish