10-08-2012 09:42 AM - edited 03-11-2019 05:06 PM
I need more eyes to review my situation.
I have two ASA 5520 units, both running version 8.3(2) code. Among many other uses, they have an IPSec tunnel between them to link office 1 and office 3 together. Office 2 does exist, and is connected to a different port on the ASA in office 3; there is no IPSec involved with office 3.
Here's the diagram:
Host SAM -------- Office 1 ASA ---------- IPSec tunnel --------- Office 3 ASA ------------- direct ethernet --------------------- Host FRED at Office 2
|
|
Host JANE
SAM can ping JANE. JANE can ping SAM. The Office 3 ASA can ping FRED. FRED can ping the Office 3 ASA. JANE can ping FRED. FRED can not ping JANE, by design. When SAM pings FRED, FRED receives the packet, but NAT has not been applied to the source IP address (which is what I'm trying to do, and which does happen when JANE pings FRED), and therefore FRED does not have a route for the response.
Here are the parts of the configuration on Office 3 ASA which I believe are relevant:
: Saved
:
ASA Version 8.3(2)
!
same-security-traffic permit intra-interface
!
nat (any,itrunk) source static rfc-nets rfc-nets destination static rfc-nets rfc-nets
!
object network office3
nat (server-lan,itrunk) dynamic OFFICE3-POOL
object network vpnpool
nat (itrunk,itrunk) dynamic OFFICE3-POOL
!
nat (server-lan,office2) after-auto source dynamic office3 interface
nat (itrunk,office2) after-auto source dynamic office1 interface
nat (any,office2) after-auto source dynamic rfc-nets interface
!
access-group inbound10 in interface itrunk
access-group everything in interface office2
!
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.0.0.0 255.0.0.0 server-lan
icmp permit 10.0.0.0 255.0.0.0 itrunk
icmp permit 10.0.0.0 255.0.0.0 office2
!
access-list office_vpn extended permit ospf interface itrunk host OFFICE1-OUTSIDE
access-list office_vpn extended permit ip object-group office3 object-group office1
access-list office_vpn extended permit ip object office2 object-group office1
!
access-list everything extended permit tcp any any
access-list everything extended permit udp any any
access-list everything extended permit icmp any any
!
crypto map vpn 10 match address office_vpn
crypto map vpn 10 set peer OFFICE1-OUTSIDE
crypto map vpn 10 set transform-set AES-256
crypto map vpn interface itrunk
!
end
What am I missing?
As you can see, I want to NAT any traffic going towards office 2 to have as a source address the interface address of the Office 3 ASA. This is because office 2 has a restricted routing configuration. Recall from above that when JANE pings FRED, this NAT happens and everything works. When SAM pings FRED, the NAT does not happen, as seen in debugs collected on FRED.
I'd really appreciate any and all help.
ERM
10-09-2012 05:01 AM
Hi,
Is there a typo in the above post?
I mean the fact that you mention that Office2 is connected to another port in Office3 even though the ASCII picture says that Office2 is behind Office1?
Also, where exactly is JANE located? Behind the Office3 ASA or behind the Office1 ASA?
From the above I also got the picture that you want to PAT translate all traffic leaving from Office3 to Office1? Yet you are trying to PING from Office1 to a host on Office3? You can't PING a host which only has PAT translation.
Might be that I have misunderstood something.
- Jouni
EDIT: Typo can -> can't
10-09-2012 05:11 AM
Or has the word Office2 been moved to a second row/line in the post, and is because of that below the words "Host SAM"?
10-09-2012 05:23 AM
I guess the Cisco Support forum's post width is just messing up where the Office2 is positioned.
Can you provide the following information?
- interface name behind which JANE is located
- interface on Office3 ASA that is towards Office1
- Jouni
10-09-2012 05:56 AM
Jouni -
You are correct about the perils of horizontal diagrams. Here it is vertically:
SAM
|
|
Office 1 ASA
|
|
IPSec tunnel
|
|
Office 3 ASA ---- JANE
|
|
direct ethernet
|
|
FRED at Office 2
I don't have it in front of me, but for Office 3, I believe itrunk, which has the IPSec tunnel, is GigabitEthernet0/2; server-lan, which is the connection to JANE, is GigabitEthernet0/0; and office2, which is the direct link to that office, is GigabitEthernet0/2.26 (yes, a vlan subinterface, but that's not supposed to make a difference :->).
- ERM
10-09-2012 08:39 AM
Hi,
OK, it seems to be a clearer situation now.
I've been looking through this and the only thing that to my eye could be causing problems with NATing traffic from Office1 to Office2 is the first NAT command. I might be wrong but this would be my guess without getting to look at the situation through CLI/ASDM myself.
nat (any,itrunk) source static rfc-nets rfc-nets destination static rfc-nets rfc-nets
I assume the "rfc-nets" object-group/object contains the Office1 network(s)? Which networks does it contain?
Looking at the NAT configurations provided I would guess they are used for following purposes:
nat (any,itrunk) source static rfc-nets rfc-nets destination static rfc-nets rfc-nets
object network office3
nat (server-lan,itrunk) dynamic OFFICE3-POOL
object network vpnpool
nat (itrunk,itrunk) dynamic OFFICE3-POOL
nat (server-lan,office2) after-auto source dynamic office3 interface
nat (itrunk,office2) after-auto source dynamic office1 interface
nat (any,office2) after-auto source dynamic rfc-nets interface
Have you tried the "packet-tracer" command either through the CLI or the ASDM? You could use it to simulate a connection from SAM to FRED (if not already allowed, add an access-list rule allowing the test connection) and see what NAT configuration is applied to the connection attempt.
The format for the command is:
packet-tracer input itrunk tcp
If I understood correctly, you are expecting the connection (that ain't working) to hit either of these 2 NAT rules:
nat (itrunk,office2) after-auto source dynamic office1 interface
nat (any,office2) after-auto source dynamic rfc-nets interface
Could you confirm what networks/users the "rfc-nets" contains? Does it include the Office1 network?
- Jouni
10-09-2012 10:49 AM
Jouni,
You are correct that the rfc-nets rule is for NAT exemption on the L2L, and it covers the LAN subnets of all the offices and a bunch of others (all RFC1918 IPs). While I appreciate the point about making it more specific, it's still the case that it will cover the IPs of SAM, JANE, and FRED, since all of those should be exempt when in the IPSec tunnel, correct?
Here's the packet-tracer results. I've never been clear how useful they are when crypto maps are involved:
packet input itrunk tcp 10.1.2.1 6543 10.2.2.249 23
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,itrunk) source static rfc-nets rfc-nets destination static rfc-nets rfc-nets
Additional Information:
NAT divert to egress interface server-lan
Untranslate 10.2.2.249/23 to 10.2.2.249/23
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: itrunk
input-status: up
input-line-status: up
output-interface: server-lan
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Observe that these results are wrong in two ways, (1) acl-drop, and (2) output on the server-lan interface. The reality, when I send traffic from SAM to FRED, is that the packets arrive at FRED but without translated source IP addresses.
Thanks again.
- ERM
10-09-2012 11:58 AM
Hi,
Again, to clarify. (Though now, after reading it through myself, it might do just the opposite.)
You actually stated that you want to PAT all connections coming from Office1 and Office3 to the Office2 interface IP address since there's some problem with routing. (I guess PATing to the connected network avoids the routing problem.) Office3 PAT to my understanding is working, but the traffic coming through the L2L VPN is not being PATed.
Wouldn't it be in this case that you SHOULD NOT configure any NAT Exemption type configurations? To my understanding the NAT configuration mentioned earlier by me, the one showing in the packet-tracer above, works both ways and therefore, as all the used objects are identical, it keeps the original source address of Office1 instead of NATing it and overrides the PAT configurations you have for the Office2 interface from the itrunk interface (Office1 -> Office2 traffic doesn't get NATed, but Office3 -> Office2 falls to the PAT rule).
Won't the above mentioned (packet-tracer) NAT command also override the OFFICE3-POOL configurations you have for the Office3 LAN and the Office3 VPN Clients? Since the source interface is "any" and the destination interface is "itrunk".
You could confirm if the POOL configurations are used by issuing the packet-tracer command with an input interface of server-lan, its source IP address, and a destination IP address of Office1. To my understanding that kind of packet-tracer command would result in the same NAT rule being applied as in the output you posted above. I might be wrong, but could you test it?
I'm also kinda wondering why the packet-tracer states that the output interface is the Office3 local interface though. To my understanding your ASA should determine the output interface with a route lookup and NAT shouldn't affect it.
Sorry if the reply was a bit confusing. Maybe I'll look this through again tomorrow. It would be easier to get the big picture if I could see the whole configuration (could probably even lab it then). Would be interesting to go through the setup, as nothing teaches you more about a device's operation than trying to fix something that ain't working.
- Jouni
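Added example (not part of the thread, and not the ASA's own code): a small Python model of the ASA 8.3 NAT lookup order (Section 1 manual twice NAT in config order, then Section 2 object NAT, then Section 3 after-auto, first match wins, static twice-NAT rules matched in both directions) applied to the rule set posted above. The Office 1 and Office 3 subnets and the host addresses are assumed; only the rule shapes come from the posted config.

```python
"""Model why SAM -> FRED hits the rfc-nets identity rule while JANE -> FRED is PATed."""
import ipaddress

# Constructed subnets for this thread's topology (assumptions, not from the post).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OFFICE1 = [ipaddress.ip_network("10.1.0.0/16")]   # assumed LAN behind Office 1 (SAM)
OFFICE3 = [ipaddress.ip_network("10.3.0.0/16")]   # assumed server-lan at Office 3 (JANE)


def in_nets(ip, nets):
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)


def iface_ok(rule_if, iface):
    return rule_if == "any" or rule_if == iface


# (section, name, src_if, dst_if, src_nets, dst_nets, bidirectional)
# Order inside each section is config order; the ASA evaluates Section 1, then 2, then 3.
RULES = [
    (1, "identity nat (any,itrunk) static rfc-nets", "any", "itrunk", RFC1918, RFC1918, True),
    (2, "object office3 nat (server-lan,itrunk) dynamic OFFICE3-POOL", "server-lan", "itrunk", OFFICE3, None, False),
    (3, "after-auto nat (server-lan,office2) dynamic office3 interface", "server-lan", "office2", OFFICE3, None, False),
    (3, "after-auto nat (itrunk,office2) dynamic office1 interface", "itrunk", "office2", OFFICE1, None, False),
    (3, "after-auto nat (any,office2) dynamic rfc-nets interface", "any", "office2", RFC1918, None, False),
]


def match_nat(src_ip, dst_ip, in_if, out_if):
    """Return (rule name, direction) of the first rule a flow hits, or (None, None)."""
    for _sec, name, sif, dif, snets, dnets, bidir in sorted(RULES, key=lambda r: r[0]):
        forward = (iface_ok(sif, in_if) and iface_ok(dif, out_if)
                   and in_nets(src_ip, snets) and in_nets(dst_ip, dnets))
        # A static twice-NAT rule also matches the reply direction: ingress on its
        # "destination" interface, egress on its "source" interface, nets swapped.
        reverse = (bidir and iface_ok(dif, in_if) and iface_ok(sif, out_if)
                   and in_nets(dst_ip, snets) and in_nets(src_ip, dnets))
        if forward:
            return name, "forward"
        if reverse:
            return name, "reverse"
    return None, None


if __name__ == "__main__":
    # SAM (Office 1, via itrunk) -> FRED (office2): Section 1 identity rule wins,
    # so the after-auto PAT for office2 is never reached and the source stays untranslated.
    print(match_nat("10.1.2.1", "10.2.2.249", "itrunk", "office2"))
    # JANE (server-lan) -> FRED: no Section 1/2 rule fits, so the after-auto PAT applies.
    print(match_nat("10.3.0.5", "10.2.2.249", "server-lan", "office2"))
```

Restricting the exemption rule to the interface pair and objects that actually need it (rather than any/rfc-nets on both sides) is the change this model suggests checking with packet-tracer before and after.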
10-09-2012 12:32 PM
Full config and a nice topology would be great
Sent from Cisco Technical Support iPhone App