topic Re: Several VPN tunnels in Network Security

Site to site VPN tunnel, remote site access to networks behind DMZ interface

tarmo — Mon, 11 Mar 2019 19:22:48 GMT

Hello

I tried to seach, but I did not find correct solution to my problem.

I have

Cisco ASA SEC PLUS running in Main office A

Outside interface- default ISP Internet

Inside interface - default local lan. 192.168.1.0/24

DMZ interface - other external network, using static routes. Working in the main office from the Inside network. If inside network is accessing to it then I do NAT.

Then I have other office (smaller) lets call it office B

Outside interface (ISP Internet)

inside interface local lan 192.168.31.0/24

I have created VPN site to site tunnel between A-B office working fine (all services are online). Now I need to give office B inside computers access to Office A networks behind DMZ interface. Traffic is allowed in the VPN tunnels.

I can see from Cisco that Office B network 192.168.31.0/24 is trying to get to DMZ interface, but error is no translation group outside:192.168.31.5 DMZ:......

I must NAT that 192.168.31.0/24 network before it will access to the DMZ interface, but I do not understand what I miss.

Message was edited by: tarmo

Re: Several VPN tunnels

Yudong Wu — Wed, 15 Dec 2010 20:44:46 GMT

Without seeing your configuration, it's hard to tell why.

In general, in VPN setup, we use "nat 0" to exclude the vpn traffic from NAT.

If you can access inside network in office A from office B, do you have something like "nat (inside) 0 access-list xxxx" in your configuration.

If yes, you need the same for dmz, "nat (dmz) 0 access-list yyyyy"

Re: Several VPN tunnels

tarmo — Thu, 16 Dec 2010 14:20:44 GMT

Changed as you told me.

Error is same

3 Dec 16 2010 16:06:21 305005 x.x.x. 80 No translation group found for tcp src outside:192.168.31.4/55320 dst dmz:x.x.x.x/80

x.x.x.x = one computer inside the DMZ network.

nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list inside_nat0_outbound / added this.

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.31.0255.255.255.0

Tarmo

Re: Several VPN tunnels

tarmo — Thu, 16 Dec 2010 14:46:11 GMT

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806a5cea.shtml - I found this.

My configuration looks OK, expect I need to do NAT for traffic which is going to DMZ. Right now my setup does not do NAT for DMZ traffic.

Re: Several VPN tunnels

Yudong Wu — Thu, 16 Dec 2010 16:14:22 GMT

nat (dmz) 0 access-list inside_nat0_outbound / added this.

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.31.0255.255.255.0

The above is not correct. You should use a different ACL for DMZ.

nat (dmz) 0 access-list DMZ_nat0_outbound / added this.

access-list DMZ_nat0_outbound extended permit ip 255.255.255.0 192.168.31.0255.255.255.0

Re: Several VPN tunnels

tarmo — Fri, 17 Dec 2010 06:30:44 GMT

I tried that, does not help.

At least I am not getting that error, but from network 192.168.31.0 I do not have still access to networks behind the DMZ.

192.168.1.0 inside network can access networks behind the DMZ.

Re: Several VPN tunnels

Yudong Wu — Fri, 17 Dec 2010 18:02:57 GMT

can you please provide the following info

1. config

2. bring up the tunnel and check if encrypt/decrypted count incrementing in "show cry ipsec sa" when issuing a ping between remote and dmz hosts.

3. the log when you do the step 2.

Re: Several VPN tunnels

tarmo — Tue, 04 Jan 2011 14:50:51 GMT

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1)
!
hostname firewall
domain-name bt.int
enable password ******** encrypted
passwd *************** encrypted
names
name 195.222.6.126 A-GW-FIN description A-GW-FIN
name 192.168.33.0 TARTU-LAN description TARTU LAN
name 192.168.31.0 TTY-LOCAL-LAN description TTY-LAN / from there I need right now access to DMZ network
name 192.49.X.140 A-192.49.x.140 description A

name 192.168.32.0 RIIA-LOCAL-LAN description RIIA-LOCAL-LAN
name 192.168.1.9 LORD description LORD
name 172.16.x.10 NG
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description MAIN ISP

nameif outside
security-level 0
ip address 62.65.X.162 255.255.255.240
!
interface Vlan5
description ISP NR 1 // network 192.168.1.0/24 has access there, but network 192.168.31.0/24 needs also access and later some more

nameif dmz
security-level 25
ip address 195.222.X.110 255.255.255.192
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 5
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EET 2
dns server-group DefaultDNS
domain-name zbt.int
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq imap4
port-object eq pop3
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp eq 10000
service-object tcp eq imap4
service-object tcp eq smtp
service-object tcp eq ssh
service-object icmp echo
service-object icmp echo-reply
service-object icmp time-exceeded
service-object icmp traceroute
object-group service DM_INLINE_SERVICE_2
service-object tcp eq pptp
service-object udp eq isakmp
service-object gre
service-object icmp
object-group network TLL-LINX-VPN-LANS
description to ISP NR 2 networks over VPN

network-object 192.168.1.0 255.255.255.0
network-object host A-192.49.229.140
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object tcp eq 10000
service-object tcp eq smtp
service-object tcp eq ssh
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object echo
access-list INTERNET_access_in extended permit tcp any any eq 3389
access-list INTERNET_access_in extended permit object-group DM_INLINE_SERVICE_2 any host 62.65.33.165
access-list INTERNET_access_in extended permit tcp any any eq 6666
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 TTY-LOCAL-LAN 255.255.255.0
access-list outside_2_cryptomap extended permit ip object-group TLL-LINX-VPN-LANS TTY-LOCAL-LAN 255.255.255.0
access-list AMADEUS extended permit ip 195.222.x.64 255.255.255.192 TTY-LOCAL-LAN 255.255.255.0
access-list dmz_access_in extended permit ip any TTY-LOCAL-LAN 255.255.255.0
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit ip any any
access-list dmz_nat0_outbound extended permit ip TTY-LOCAL-LAN 255.255.255.0 host A-192.49.229.140
pager lines 24
logging enable
logging list vpn level debugging class ip
logging list vpn level debugging class vpn
logging list vpn level debugging class vpnfo
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any dmz
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 62.65.x.164 netmask 255.255.255.255
global (outside) 3 62.65.x.163 netmask 255.255.255.255
global (outside) 4 62.65.x.165 netmask 255.255.255.255
global (dmz) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 3 192.168.1.245 255.255.255.255
nat (inside) 2 192.168.1.244 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
static (inside,outside) tcp interface 3389 192.168.1.8 3389 netmask 255.255.255.255
access-group INTERNET_access_in in interface outside
access-group dmz_access_in in interface dmz
!
route-map SPAM-LATTI permit 10
match ip address 100
!
route-map LATI-VPN permit 10
!
route outside 0.0.0.0 0.0.0.0 62.65.33.161 1
route dmz 82.150.x.135 255.255.255.255 A-GW-FIN 1 / A-GW-FIN located behind the DMZ interface
route dmz 82.150.x.10 255.255.255.255 A-GW-FIN 1
route dmz 84.50.x.196 255.255.255.255 A-GW-FIN 1
route dmz 157.200.x.148 255.255.255.255 A-GW-FIN 1
route dmz A-192.49.x.140 255.255.255.255 A-GW-FIN 1 / this is the most important from other offices.
route dmz 194.145.x.59 255.255.255.255 A-GW-FIN 1
route dmz 194.145.x.62 255.255.255.255 A-GW-FIN 1
route dmz 194.145.x.73 255.255.255.255 A-GW-FIN 1
route dmz 194.145.x.71 255.255.255.255 A-GW-FIN 1
route dmz 194.204.x.0 255.255.255.0 A-GW-FIN 1
route dmz 195.27.x.31 255.255.255.255 A-GW-FIN 1
route dmz 212.47.x.57 255.255.255.255 A-GW-FIN 1
route dmz 212.47.x.58 255.255.255.255 A-GW-FIN 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 192.168.1.8 community public version 2c
snmp-server location Serverroom, 7 th
snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 80.235.x.106
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.12-192.168.1.150 inside
dhcpd dns 192.168.1.8 192.168.1.10 interface inside
dhcpd domain bt.int interface inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics host number-of-rate 2
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 80.235.x.106 type ipsec-l2l
tunnel-group 80.235.x.106 ipsec-attributes
pre-shared-key *
!
class-map global-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
class-map outside-class
match default-inspection-traffic
!
!
policy-map type inspect http BT
parameters
protocol-violation action log
policy-map outside-policy
class outside-class
inspect icmp
inspect icmp error
policy-map global-policy
class global-class
inspect icmp
inspect icmp error
inspect ipsec-pass-thru
inspect http BT
class inspection_default
inspect pptp
!
service-policy global-policy global
service-policy outside-policy interface outside
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxx

: end

A: I need that traffic from the network 192.168.31.0/24 will access to Main office when they are asking host 192.49.x.140 255.255.255.255 - currently that traffic is going to the ASA as it should over VPN tunnel.

B: in ASA that traffic should go to DMZ interface (NAT must be active), but right now it does not work. Network 192.168.1.0/24 can access to DMZ interface (networks behind it).

Re: Several VPN tunnels

tarmo — Sun, 09 Jan 2011 16:07:44 GMT

Still having issues

I have manged to fix error "no translation group found", but still remote site does not get access to sites behind the DMZ

nat-control

global (outside) 1 interface

global (dmz) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0 dns

nat (dmz) 0 access-list dmz_nat0_outbound_2

access-list dmz_nat0_outbound_2 extended permit ip host 192.49.x.140 any

access-list dmz_nat0_outbound_2 extended permit ip 195.222.x.64 255.255.255.0 any

Host is behind the dmz interface and network is the DMZ network.

I think I am missing very small thing, but I dot not understand what it is. Something with NAT, as inside network can access networks behind the DMZ, but remote offices cannot access.

I think problem is not with NAT anymore but with VPN traffic. As other side is using Juniper firewall, then I think issue is between Cisco ASA and Juniper.

Re: Several VPN tunnels

Yudong Wu — Mon, 10 Jan 2011 06:09:24 GMT

Can you initiate the traffic between 192.168.31.x (Site B) and 195.222.x.64 such as ping to bring up the tunnel and then capture "show crypto ipsec sa" multiple times when issuing the ping? We need check encry/decry count to see which one is not incrementing to know in which direction there is an issue. Also please provide "show logging" output when you do the above ping testing.

Re: Several VPN tunnels

tarmo — Tue, 11 Jan 2011 15:04:41 GMT

That ping is other issue.

I cannot ping DMZ interface (from inside network too), but I can ping host behind the DMZ interface. I can ping outside interface and inside (also traceroute is working) but DMZ I cannot ping.

I made more testes. Looks like i need destination nat or something. I removed NAT 0 command from the DMZ interface, because all traffic must be NAT'd. Inside is working correctly, I just need to tell ASA in the main office to do NAT for other networks too when they are access to DMZ.

No I am getting again no translation group found, which is OK because I have issue somewhere in NAT rules. Somekind on static NAT rule.

Ping from the remote office

3 Jan 11 2011 16:40:33 305005 A-GW-FIN No translation group found for icmp src outside:192.168.31.4 dst dmz:A-GW-FIN (type 8, code 0)

A-GW-FIn = behind the DMZ interface .126. I can ping that from inside. I added picture too.

Re: Several VPN tunnels

Yudong Wu — Tue, 11 Jan 2011 16:13:18 GMT

I asked you to add NAT 0 rule for DMZ like following in my previous post.

access-list DMZ_nat0_outbound extended permit ip 255.255.255.0 192.168.31.0255.255.255.0

But you added it as following,

access-list dmz_nat0_outbound_2 extended permit ip host 192.49.x.140 any

access-list dmz_nat0_outbound_2 extended permit ip 195.222.x.64 255.255.255.0 any

When using "any", all traffic to the above DMZ IP will bypass the NAT. Please replace any with site B network 192.168.31.x so that only VPN traffic to DMZ will bypass NAT.

You can not ping DMZ interface IP from inside, that's normal behavior.

After you make the above change, initiate a ping from site B to the host in DMZ to bring up the VPN tunnel. And then check "sh crypto ipsec sa" to see if decry/encry count is incrementing.