cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2792
Views
0
Helpful
32
Replies

ASA Outside NAT Problem!!!

andyc0313
Level 1
Level 1

Hi everybody,

My situation is as follows:
My Pre 8.3 ASA is connected to two outside networks: the ISP with security level 0, and a separate agency network with security level 10.  We are having a problem connecting to the agency network from a L2L VPN tunnel coming through the ISP interface.  These VPN branch users can communicate with our entire corporate network and I'm currently using outside-to-outside nat to get them to talk to the internet out the same ISP interface they come in through, but they can't talk to the agency network at all. *All inside users have full communication with the agency network.*  

I receive the following error:
------------------------------
asa1# sh nat outside agency
ERROR: No matching NAT policy found
------------------------------
If I statically nat one user from the VPN branch to one of the agency pool addresses, I have full connectivity between that VPN user and the agency network.
This command makes it work: static (outside,agency) 16x.5x.1x.12x 10.18.1.1

My configuration:
nat (outside) 20 access-list vpn_outside_nat
nat (inside) 0 access-list NONAT
nat (inside) 30 access-list inside_nat_outbound
nat (inside) 20 0.0.0.0 0.0.0.0
global (agency) 20 16x.5x.1x.1x-1x.5x.1x.12x
global (agency) 20 16x.5x.1x.1x
global (outside) 20 20x.1x.2x.1x
global (outside) 10 20x.1x.2x.1x netmask 255.255.255.0
global (outside) 30 20x.1x.2x.1x netmask 255.255.255.255

access-list vpn_outside_nat extended permit ip 10.0.0.0 255.0.0.0 any

access-list NONAT extended permit ip any 10.0.0.0 255.0.0.0

access-list inside_nat_outbound extended permit ip host 192.168.1.12 any

 


Please let me know if you need any more information to help.  I appreciate any answers!  
Thanks!

32 Replies 32

mickyq
Level 1
Level 1

If Im reading this correctly you are trying to connect two VPN sites through the same interface.

try: (config)#same-security-traffic permit intra-interface

this allows communication between peers connected to the same interface

Thanks for the reply.  That isn't what I'm trying to accomplish, though.  That particular part already works just fine. These are two different interfaces (outside, sec.=0, agency, sec.=10).  The issue is that the VPN users on the outside interface can't communicate with the users in the agency network.

Are the VPN user connecting over a site to site VPN or is this a remote access VPN solution?

is the agency network traffic comming in on the agency interface?  if so then you are missing a no nat statement for that interface.

If that doesn't work, please post a network diagram indicating how the agency network and VPN network connects to the ASA.

Also run a packet tracer while the VPN user PC is connect to the VPN and post the results here.

packet-tracer input agency tcp <agency IP> 12345 <VPN IP> 80 detail

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

The VPN users are connecting over a site to site VPN from an 1841 to the ASA.

I tried the no nat statement for the agency interface, and still no communication.  I even tried a dynamic nat statement for it, and still nothing.

 

Here's the output of the packet-tracer:

asa1# packet- input agency tcp 1xx.5x.3x.1x 12345 10.18.1.1 80 det

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_agency in interface agency
access-list acl_agency extended permit ip host 1xx.5x.3x.1x 10.0.0.0 255.0.0.0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb954718, priority=12, domain=permit, deny=false
        hits=1, user_data=0xcbf4fc78, cs_id=0x0, flags=0x0, protocol=0
        src ip=1xx.5x.3x.1x, mask=255.255.255.255, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc88014f8, priority=0, domain=permit-ip-option, deny=true
        hits=496265, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb8c98b0, priority=70, domain=inspect-http, deny=false
        hits=20, user_data=0xcb8c8fb0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=80

Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xcc99ae50, priority=70, domain=encrypt, deny=false
        hits=35412, user_data=0x132f3dac, cs_id=0xd4f14878, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.18.0.0, mask=255.255.0.0, port=0

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd06f1c50, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=38406, user_data=0x132f6b24, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.18.0.0, mask=255.255.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (outside) 20 access-list vpn_outside_nat
  match ip outside 10.0.0.0 255.0.0.0 outside any
    dynamic translation to pool 20 (2x.1x.2x.1x)
    translate_hits = 80054, untranslate_hits = 7242
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd4f0e198, priority=2, domain=host, deny=false
        hits=265627, user_data=0xcd09b6d8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.0.0.0, mask=255.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xc87f2bc0, priority=0, domain=permit-ip-option, deny=true
        hits=864567193, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1039870772, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Result:
input-interface: agency
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

From the output of the packet tracer I would say that the problem is at the remote s2s vpn device.  The packet is allowed and it is entering and exiting the correct interfaces.

Have a look at the remote device..if you have admin access to it that is. Otherwise as the administrators of the remote site to check their configuration, more specifically their no nat statements and the crypto ACLs.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

I've looked at the remote 1841 and everything looks fine.  There is no nat being performed at all, because it is used strictly for VPN access, and the crypto ACLs specify that anything coming from 10.18.0.0 (that branch's subnet) should be placed in the tunnel.

Traffic flows from this VPN network to ANYWHERE else just fine (inside and outside) through our ASA.  It just doesn't go to the agency network.

Could you please post a network diagram of how this solution connects together.

How are you testing the connectivity over the VPN?

On the ASA...and on the 1841 router issue the command show crypto ipsec sa and show crypto isakmp (the isakmp command might differ on the ASA depending on the version you are running).

Please post a full running config of both sides of the tunnel (sanitised) aswell.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

I've attached a small diagram illustrating the network.  

To test connectivity from the VPN, I'm simply pinging from a client on that network to a client on the agency network.  The VPN clients are private addresses and the agency network is all public addresses.

Here's the output on the 1841:

xxxx-xx-1841#sh crypto ipsec sa

interface: FastEthernet0/0/0
    Crypto map tag: CRYPTO-MAP, local addr 2xx.1xx.2xx.2xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.18.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 2xx.1xx.2xx.1xx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 43532623, #pkts encrypt: 43532623, #pkts digest: 43532623
    #pkts decaps: 45942079, #pkts decrypt: 45942079, #pkts verify: 45942079
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2150, #recv errors 8

     local crypto endpt.: 2xx.1xx.2xx.2xx, remote crypto endpt.: 2xx.1xx.2xx.1xx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0/0
     current outbound spi: 0x636A5937(1667914039)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xFDEEF343(4260295491)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2263, flow_id: FPGA:263, sibling_flags 80000046, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4417816/3413)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x636A5937(1667914039)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2264, flow_id: FPGA:264, sibling_flags 80000046, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4427473/3413)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

 

 

 

Here's the output on the ASA:

asa1# sh crypto isakmp

   Active SA: 9
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 9


5   IKE Peer: 2xx.1xx.2xx.2xx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Global IKE Statistics
Active Tunnels: 8
Previous Tunnels: 11083
In Octets: 4196166801
In Packets: 1330363
In Drop Packets: 580269
In Notifys: 104767
In P2 Exchanges: 54915
In P2 Exchange Invalids: 107
In P2 Exchange Rejects: 42300
In P2 Sa Delete Requests: 19
Out Octets: 159932732
Out Packets: 1428588
Out Drop Packets: 2343
Out Notifys: 631581
Out P2 Exchanges: 21275
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 29494
Initiator Tunnels: 109440
Initiator Fails: 108383
Responder Fails: 143692
System Capacity Fails: 0
Auth Fails: 143040
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 394232

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

 

Running-config on 1841:

Building configuration...

Current configuration : 2315 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain lookup source-interface FastEthernet0/1.181
ip name-server 10.1.4.22
ip name-server 192.168.1.53
!
multilink bundle-name authenticated
!
password encryption aes
!
!
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 6 xxx address 2xx.1xx.2xx.1xx
!
!
crypto ipsec transform-set TRANSFORM-SET esp-3des esp-sha-hmac
!
crypto map CRYPTO-MAP 1 ipsec-isakmp
 set peer 2xx.1xx.2xx.1xx
 set transform-set TRANSFORM-SET
 match address VPN-TRAFFIC
!
!
!
!
track 1 interface FastEthernet0/0 line-protocol
!
!
!
interface Loopback1
 no ip address
 shutdown
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.181
 encapsulation dot1Q 181
 ip address 10.18.1.1 255.255.255.0
 ip helper-address 10.1.4.22
 ip helper-address 192.168.1.58
!
interface FastEthernet0/1.182
 encapsulation dot1Q 182
 ip address 10.18.2.1 255.255.255.0
 ip helper-address 10.1.4.22
 ip helper-address 192.168.1.58
!
interface FastEthernet0/0/0
 ip address 2xx.1xx.2xx.2xx 255.255.255.252
 ip access-group block_untrusted_remote in
 duplex auto
 speed auto
 crypto map CRYPTO-MAP
!
interface FastEthernet0/0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 track 1
ip route 0.0.0.0 0.0.0.0 2xx.1xx.2xx.2xx
no ip http server
no ip http secure-server
!
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.18.0.0 0.0.255.255 any
ip access-list extended block_untrusted_remote
 permit ip 2xx.1xx.2xx.1xx 0.0.0.15 any
 permit ip host 2xx.1xx.2xx.2xx host 2xx.1xx.2xx.2xx

 

 

Running-config on ASA:

hostname asa1
names
name 192.168.6.0 VLAN6
name 192.168.4.0 VLAN4
name 192.168.5.0 VLAN5
name 192.168.0.0 Inside-subnet
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 2xx.1xx.2xx.178 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.12.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif agency
 security-level 10
 ip address 1xx.5xx.1xx.3 255.255.255.128
!
interface GigabitEthernet0/3
 description DMZ interface
 nameif DMZ2
 security-level 50
 ip address 10.30.30.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 0
 ip address 10.10.10.3 255.255.255.0
!

!
time-range 5:30p
 absolute end 17:30 17 January 2014
!
boot system disk0:/asa803-k8.bin
ftp mode passive

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list acl_agency extended permit ip any host 1xx.5xx.1xx.123
access-list acl_agency extended permit ip host 1xx.5xx.3xx.130 10.0.0.0 255.0.0.0


access-list inside_nat_outbound extended permit ip host 192.168.1.12 any

access-list NONAT extended permit ip any 10.0.0.0 255.0.0.0
access-list l2l_vpn-branch extended permit ip any 10.18.0.0 255.255.0.0
access-list vpn_outside_nat extended permit ip 10.0.0.0 255.0.0.0 any

mtu outside 1500
mtu inside 1500
mtu agency 1500
mtu DMZ2 1500
mtu management 1500
no failover
failover polltime unit 15 holdtime 45
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable outside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400

global (outside) 20 2xx.1xx.2xx.190
global (outside) 10 2xx.1xx.2xx.185 netmask 255.255.255.0
global (outside) 30 2xx.1xx.2xx.184 netmask 255.255.255.255
global (agency) 20 1xx.5xx.1xx.10-1xx.5xx.1xx.122
global (agency) 20 1xx.5xx.1xx.125
nat (outside) 20 access-list vpn_outside_nat
nat (inside) 0 access-list NONAT
nat (inside) 30 access-list inside_nat_outbound
nat (inside) 20 0.0.0.0 0.0.0.0

static (inside,agency) 1xx.5xx.1xx.123 10.1.4.45 netmask 255.255.255.255

access-group acl_out in interface outside
access-group acl_inside in interface inside
access-group acl_agency in interface agency

route inside 10.18.0.0 255.255.0.0 192.168.12.2 1 track 1
route outside 0.0.0.0 0.0.0.0 2xx.1xx.2xx.177 1
route inside 10.1.0.0 255.255.0.0 192.168.12.2 1
route inside 10.2.0.0 255.255.0.0 192.168.12.2 1
route inside 10.3.0.0 255.255.0.0 192.168.12.2 1
route inside 10.4.0.0 255.255.0.0 192.168.12.2 1
route inside 10.5.0.0 255.255.0.0 192.168.12.2 1
route inside 10.6.0.0 255.255.0.0 192.168.12.2 1
route inside 10.7.0.0 255.255.0.0 192.168.12.2 1
route inside 10.8.0.0 255.255.0.0 192.168.12.2 1
route inside 10.9.0.0 255.255.0.0 192.168.12.2 1
route inside 10.10.0.0 255.255.0.0 192.168.12.2 1
route inside 10.11.0.0 255.255.0.0 192.168.12.2 1
route inside 10.12.0.0 255.255.0.0 192.168.12.2 1
route inside 10.13.0.0 255.255.0.0 192.168.12.2 1
route inside 10.14.0.0 255.255.0.0 192.168.12.2 1
route inside 10.16.0.0 255.255.0.0 192.168.12.2 1
route inside 10.17.0.0 255.255.0.0 192.168.12.2 1
route agency 1xx.1xx.1xx.0 255.255.255.0 1xx.5xx.1xx.1 1
route agency 1xx.5xx.3xx.0 255.255.255.0 1xx.5xx.1xx.1 1
route agency 1xx.5xx.6xx.0 255.255.255.0 1xx.5xx.1xx.1 1
route inside 172.16.0.0 255.255.0.0 192.168.12.2 1
route inside 172.17.0.0 255.255.0.0 192.168.12.2 1
route inside 172.19.0.0 255.255.0.0 192.168.12.2 1
route inside 172.31.0.0 255.255.0.0 192.168.12.2 1
route inside 172.32.0.0 255.255.0.0 192.168.12.2 1
route inside 192.168.1.0 255.255.255.0 192.168.12.2 1
route inside 192.168.2.0 255.255.255.0 192.168.12.2 1
route inside 192.168.3.0 255.255.255.0 192.168.12.2 1
route inside VLAN4 255.255.255.0 192.168.12.2 1
route inside VLAN5 255.255.255.0 192.168.12.2 1
route inside VLAN6 255.255.255.0 192.168.12.2 1
route inside 192.168.8.0 255.255.255.0 192.168.12.2 1
route inside 192.168.11.0 255.255.255.0 192.168.12.2 1
route inside 192.168.13.0 255.255.255.0 192.168.12.2 1
route inside 192.168.254.0 255.255.255.0 192.168.12.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy

http server enable
http 10.2.0.0 255.255.0.0 inside
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside

sla monitor 1
 type echo protocol ipIcmpEcho 10.18.1.1 interface inside
 num-packets 3
 timeout 1000
 frequency 3
sla monitor schedule 1 life forever start-time now

crypto ipsec transform-set esp-des esp-des esp-none
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map CHCS 10 match address l2l_vpn-branch
crypto map CHCS 10 set peer 2xx.1xx.2xx.2xx
crypto map CHCS 10 set transform-set ESP-3DES-SHA
crypto map CHCS interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
no crypto isakmp nat-traversal
!
track 1 rtr 1 reachability

management-access management
priority-queue outside
  queue-limit   2000
  tx-ring-limit 15
priority-queue inside
  queue-limit   2000
  tx-ring-limit 15
threat-detection basic-threat
threat-detection statistics

tunnel-group 2xx.1xx.2xx.2xx type ipsec-l2l
tunnel-group 2xx.1xx.2xx.2xx ipsec-attributes
 pre-shared-key *
!

!

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect tftp
  inspect icmp
policy-map global-policy
 class inspection_default
!
service-policy global_policy global

Just out of curiosity, any reason why you have this in your configuration on the 1841?

interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 track 1

Should the following command be pointing out the outside interface, isn't the 1841 located off the outside interface? If so then this is part of the problem. change it to point out the correct interface and correct next hop IP.

route inside 10.18.0.0 255.255.0.0 192.168.12.2 1 track 1

Also you need to have a no NAT for the agency interface.

nat (agency) 0 access-list NONAT

Please correct these and test, and let us know how it goes.

--

Please select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

That statement on the 1841 and ASA were for testing a failover between INSIDE MPLS and OUTSIDE VPN.  We haven't gotten to that point yet but it was in the works.  The routing tables on both the 1841 and the ASA are both using their default routes at the moment for communication.  You can ignore the statements referring to tracking objects, sorry I didn't mention it.

I tried adding a nat exemption statement on the ASA again and it didn't make a difference.  I have a strong feeling that my troubles are somehow because of this error. When I added the NONAT statement, I was at least able to get an output from the first command, but still not the second, as mentioned in my first post.

 

asa1# sh nat agency outside
  match ip agency any outside 10.0.0.0 255.0.0.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
asa1# sh nat outside agency
ERROR: No matching NAT policy found

 

jpl861
Level 4
Level 4

Can you check if this is correct?

global (agency) 20 1xx.5xx.1xx.10-1xx.5xx.1xx.122
global (agency) 20 1xx.5xx.1xx.125
nat (outside) 20 access-list vpn_outside_nat

 

From what I can see there, you are translating the 10.18.0.0/16 remote network into a 1xx.5xx.1xx. IP.

 

Try to do this:

 

nat (outside) 0 access-list outside_to_agency_nonat

 

access-list outside_to_agency_nonat permit ip 10.18.0.0 0.0.255.255 any

I've tried that, but they still don't communicate.  I believe we need to be nat'ing to those global ip's in order to communicate with the agency network.  

The problem seems to be that it's NOT translating the 10.18.0.0 network into a 1xx.5xx.1xx.xxx IP.  NAT doesn't seem to be working on anything going from the outside to the agency interface, for some reason.

Just for clarification, the no nat statement needs to be implemented on the ingress interface for the non-encrypted traffic...so in this case the agency interface and not the outside interface.

Also when doing VPN you do not want to translate the VPN traffic to the public IP...this is the reason for the no nat.

I suggest issuing the command clear xlate and then test connectivity.  If this setup is currently in use do so outside of working hours or during a service window...or atleast tell your users that they will lose connectivity for a short period of time.  I am thinking that you have had a NAT statement in your configuration that has included the agency subnet and it has not timed out.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Okay, I've tried to put a nat exemption coming from the agency interface and cleared the translation tables, but still no connectivity.  Any ideas?

Review Cisco Networking for a $25 gift card