04-23-2013 05:16 AM - edited 03-11-2019 06:33 PM
Hello Everyone
I have an environment over VPN:
My ASA version is 8.2(2)16.
VPN OVER INTERNET
Customer Network 192.168.11.0/24 <----------------------------------------------> 172.17.2.0/24 My Network
My IP range overlaps another range in the customer network, so the customer needs to send packets to the network 10.12.100.0/24 and I need to translate this to the original network 172.17.2.0; the translation must be done server by server (172.17.2.10 to 10.12.100.10, 172.17.2.20 to 10.12.100.20, ...).
So, I created these NAT rules:
static (inside,outside) 10.12.100.218 172.17.2.218 netmask 255.255.255.255 tcp 0 0 udp 0
My crypto map rule is:
access-list outside_11_cryptomap line 1 extended permit ip 10.12.100.0 255.255.255.0 192.168.11.0 255.255.255.0
I receive the error:
IKE Initiator unable to find policy: Intf outside, Src: 10.12.100.218, Dst: 192.168.11.250
The traffic must only be from the customer network to my network, not from my network to the customer network.
The tunnel is UP, but it does not work.
fwvpnasa# show crypto ipsec sa peer X.X.X.X
peer address: X.X.X.X
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr:X.X.X.X
local ident (addr/mask/prot/port): (10.12.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
current_peer: X.X.X.X
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1731, #pkts decrypt: 1731, #pkts verify: 1731
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: X.X.X.X/4500, remote crypto endpt.: X.X.X.X/5056
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 9B1358AF
current inbound spi : A8A054D1
inbound esp sas:
spi: 0xA8A054D1 (2829079761)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, }
slot: 0, conn_id: 48312320, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4373898/20119)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x9B1358AF (2601736367)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, }
slot: 0, conn_id: 48312320, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4374000/20119)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
What is wrong?
Tks!
04-23-2013 08:00 AM
Hi,
It seems strange to me that the above output hasn't hit any L2L VPN configuration in your crypto map configurations. So there must be some mismatch between your NAT and crypto map configurations for the L2L VPN connection.
I would really need to see the ASA configuration to determine the cause of this problem.
- Jouni
04-23-2013 08:49 AM
So essentially what you want to do is go across the tunnel to the customer side as something else other than 172.17.2.0/24.
You can easily achieve this using policy NAT for the VPN.
Create an ACL:
access-list 103 extended permit ip 172.17.2.0 255.255.255.0 192.168.11.0 255.255.255.0
Use the ACL created above in the static:
static (inside,outside) 10.12.100.0 access-list 103
The crypto ACL will be as follows on your ASA:
access-list crypto-acl extended permit ip 10.12.100.0 255.255.255.0 192.168.11.0 255.255.255.0
The crypto ACL on the customer's ASA will be as follows:
access-list cryptoacl extended permit ip 192.168.11.0 255.255.255.0 10.12.100.0 255.255.255.0
This should do it for you
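Added example, not code from the thread or from Cisco: a small Python model of the ASA 8.2 outbound order (NAT first, then the crypto map is matched on the translated source), using the thread's addresses and the policy-NAT mapping from the reply above, plus a check for the one-way counters (decaps > 0, encaps 0) seen in the original `show crypto ipsec sa` output. The offset-preserving host mapping and the sample counter lines are assumptions constructed for the example.

```python
# Added example, not from the thread: models the ASA 8.2 outbound order
# (NAT first, then crypto-map match on the translated source) for the
# thread's addresses and the policy-NAT mapping of the second reply, and
# flags the one-way counters seen in the "show crypto ipsec sa" output.
import ipaddress
import re

NET = ipaddress.ip_network
CUSTOMER = NET("192.168.11.0/24")       # remote (customer) network
REAL_LOCAL = NET("172.17.2.0/24")       # real inside addresses
MAPPED_LOCAL = NET("10.12.100.0/24")    # what the customer must see
# Crypto ACL from the thread: local 10.12.100.0/24 -> remote 192.168.11.0/24
CRYPTO_ACL = [(MAPPED_LOCAL, CUSTOMER)]

def policy_nat(src, dst):
    """static (inside,outside) 10.12.100.0 access-list 103: map the inside
    host to the same host offset in 10.12.100.0/24 (assumed mapping), but
    only when the destination is the customer network (policy NAT)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in REAL_LOCAL and dst in CUSTOMER:
        offset = int(src) - int(REAL_LOCAL.network_address)
        return ipaddress.ip_address(int(MAPPED_LOCAL.network_address) + offset)
    return src

def matches_crypto_acl(src, dst):
    """The crypto map is matched against the post-NAT source address."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in loc and dst in rem for loc, rem in CRYPTO_ACL)

def outbound_check(src, dst):
    """Return (translated source, would be encrypted?) for an inside->customer flow."""
    translated = policy_nat(src, dst)
    return str(translated), matches_crypto_acl(translated, dst)

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def one_way_tunnel(show_output):
    """True when the SA decrypts inbound packets but never encrypts outbound
    ones (encaps 0, decaps > 0): the pattern in the thread's output, which
    points at NAT or crypto-ACL selection rather than at IKE itself."""
    counts = {k: int(v) for k, v in COUNTER_RE.findall(show_output)}
    return counts.get("decaps", 0) > 0 and counts.get("encaps", 0) == 0

# Constructed sample: the two counter lines from the thread's output.
SAMPLE_SA = "#pkts encaps: 0, #pkts encrypt: 0\n#pkts decaps: 1731, #pkts decrypt: 1731\n"

if __name__ == "__main__":
    print(outbound_check("172.17.2.218", "192.168.11.250"))  # ('10.12.100.218', True)
    print(one_way_tunnel(SAMPLE_SA))  # True
```

Without the policy NAT the untranslated source 172.17.2.218 never matches the crypto ACL's local network, which is the mismatch the first reply suspects.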
04-23-2013 09:54 AM
Tks Guys!
I recreated the crypto map with the same parameters and reset the tunnel.
Now it is working fine.
Tks again!