Help with VPN/NAT/routing interactions

evan.r.moore
Level 1

I need more eyes to review my situation.

I have two ASA 5520 units, both running version 8.3(2) code.  Among many other uses, they have an IPSec tunnel between them to link office 1 and office 3 together.  Office 2 does exist, and is connected to a different port on the ASA in office 3; there is no IPSec involved with office 3.

Here's the diagram:

Host SAM -------- Office 1 ASA ---------- IPSec tunnel --------- Office 3 ASA ------------- direct ethernet --------------------- Host FRED at Office 2
                                                                      |
                                                                      |
                                                                  Host JANE

SAM can ping JANE.  JANE can ping SAM.  The Office 3 ASA can ping FRED.  FRED can ping the Office 3 ASA.  JANE can ping FRED.  FRED cannot ping JANE, by design.  When SAM pings FRED, FRED receives the packet, but NAT has not been applied to the source IP address (which is what I'm trying to do, and which does happen when JANE pings FRED), and therefore FRED does not have a route for the response.

Here are the parts of the configuration on Office 3 ASA which I believe are relevant:

: Saved
:
ASA Version 8.3(2)
!
same-security-traffic permit intra-interface
!
nat (any,itrunk) source static rfc-nets rfc-nets destination static rfc-nets rfc-nets
!
object network office3
 nat (server-lan,itrunk) dynamic OFFICE3-POOL
object network vpnpool
 nat (itrunk,itrunk) dynamic OFFICE3-POOL
!
nat (server-lan,office2) after-auto source dynamic office3 interface
nat (itrunk,office2)     after-auto source dynamic office1 interface
nat (any,office2)        after-auto source dynamic rfc-nets interface
!
access-group inbound10 in interface itrunk
access-group everything in interface office2
!
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.0.0.0 255.0.0.0 server-lan
icmp permit 10.0.0.0 255.0.0.0 itrunk
icmp permit 10.0.0.0 255.0.0.0 office2
!
access-list office_vpn extended permit ospf interface itrunk       host OFFICE1-OUTSIDE
access-list office_vpn extended permit ip   object-group office3   object-group office1
access-list office_vpn extended permit ip   object office2         object-group office1
!
access-list everything extended permit tcp any any
access-list everything extended permit udp any any
access-list everything extended permit icmp any any
!
crypto map vpn 10 match address office_vpn
crypto map vpn 10 set peer OFFICE1-OUTSIDE
crypto map vpn 10 set transform-set AES-256
crypto map vpn interface itrunk
!
end

What am I missing?

As you can see, I want to NAT any traffic going towards office 2 to have as a source address the interface address of the Office 3 ASA.  This is because office 2 has a restricted routing configuration.  Recall from above that when JANE pings FRED, this NAT happens and everything works.  When SAM pings FRED, the NAT does not happen, as seen in debugs collected on FRED.

I'd really appreciate any and all help.

ERM

Bitwrangler for FirstLight Fiber Corp

Jouni Forss
VIP Alumni

Hi,

Is there a typo in the above post?

I mean the fact that you mention that Office2 is connected to another port on Office3, even though the ASCII picture says that Office2 is behind Office1?

Also, where exactly is JANE located? Behind the Office3 ASA or behind the Office1 ASA?

From the above I also got the picture that you want to PAT translate all traffic leaving from Office3 to Office1? Yet you are trying to PING from Office1 to a host on Office3? You can't PING a host which only has PAT translation.

Might be that I have misunderstood something.

- Jouni

EDIT: Typo can -> can't

Or did the word Office2 get moved to a second row/line in the post, and is it because of that below the word "Host SAM"?

I guess the Cisco Support forum's post width is just messing up where the Office2 is positioned.

Can you provide the following information

- interface name behind which JANE is located

- interface on Office3 ASA that is towards Office1

- Jouni

Jouni -

You are correct about the perils of horizontal diagrams.  Here it is vertically:

SAM
 |
 |
Office 1 ASA
 |
 |
IPSec tunnel
 |
 |
Office 3 ASA ---- JANE
 |
 |
direct ethernet
 |
 |
FRED at Office 2

I don't have it in front of me, but for Office 3, I believe itrunk, which has the IPSec tunnel, is GigabitEthernet0/2; server-lan, which is the connection to JANE, is GigabitEthernet0/0; and office2, which is the direct link to that office, is GigabitEthernet0/2.26 (yes, a vlan subinterface, but that's not supposed to make a difference :->).

- ERM

Bitwrangler for FirstLight Fiber Corp

Hi,

OK, seems to be a clearer situation now.

I've been looking through this and the only thing that to my eye could be causing problems with NATing traffic from Office1 to Office2 is the first NAT command. I might be wrong but this would be my guess without getting to look at the situation through CLI/ASDM myself.

nat (any,itrunk) source static rfc-nets rfc-nets destination static rfc-nets rfc-nets

I assume the "rfc-nets" object-group/object contains the Office1 network(s)? Which networks does it contain?

Looking at the NAT configurations provided I would guess they are used for following purposes:

nat (any,itrunk) source static rfc-nets rfc-nets destination static rfc-nets rfc-nets
  • A sort of NAT Exempt/NAT0 for L2L VPN traffic between Offices
  • If the above is the case I would personally configure it a bit differently and more specifically, even though it results in more NAT rules.

object network office3
 nat (server-lan,itrunk) dynamic OFFICE3-POOL
  • NAT Pool configuration for traffic from Office3 to Office1

object network vpnpool
 nat (itrunk,itrunk) dynamic OFFICE3-POOL
  • NAT Pool configuration for VPN Clients connecting to Office3 ASA to reach Office1

nat (server-lan,office2) after-auto source dynamic office3 interface
  • Default PAT for Office3 users to Office2

nat (itrunk,office2)     after-auto source dynamic office1 interface
  • Default PAT for Office1 users to Office2

nat (any,office2)        after-auto source dynamic rfc-nets interface
  • Default PAT used for all that don't match the above

Have you tried the "packet-tracer" command, either through CLI or the ASDM? You could use it to simulate some connection from SAM to FRED (if not allowed already, make some access-list rule allowing the test connection) and see what NAT configuration is applied to the connection attempt.

Format for the command is

packet-tracer input itrunk tcp

If I understood correctly, you are expecting the connection (that ain't working) to hit either of these 2 NAT rules:

nat (itrunk,office2)     after-auto source dynamic office1 interface

nat (any,office2)        after-auto source dynamic rfc-nets interface

Could you confirm what networks/users the "rfc-nets" contains? Does it include the Office1 network?

- Jouni

Jouni,

You are correct that the rfc-nets rule is for NAT exemption on the L2L, and it covers the LAN subnets of all the offices and a bunch of others (all RFC1918 IPs).  While I appreciate the point about making it more specific, it's still the case that it will cover the IPs of SAM, JANE, and FRED, since all of those should be exempt when in the IPSec tunnel, correct?

Here's the packet-tracer results.  I've never been clear how useful they are when crypto maps are involved:

packet input itrunk tcp 10.1.2.1 6543 10.2.2.249 23

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,itrunk) source static rfc-nets rfc-nets destination static rfc-nets rfc-nets
Additional Information:
NAT divert to egress interface server-lan
Untranslate 10.2.2.249/23 to 10.2.2.249/23

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: itrunk
input-status: up
input-line-status: up
output-interface: server-lan
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Observe that these results are wrong in two ways, (1) acl-drop, and (2) output on the server-lan interface.  The reality, when I send traffic from SAM to FRED, is that the packets arrive at FRED but without translated source IP addresses.

Thanks again.

- ERM

Bitwrangler for FirstLight Fiber Corp

Hi,

Again, to clarify. (Though now, after reading it through myself, it might do just the opposite.)

You actually stated that you want to PAT all connections coming from Office1 and Office3 to the Office2 interface IP address since there's some problem with routing. (I guess PATing to the connected network avoids the routing problem.) Office3 PAT to my understanding is working, but the traffic coming through the L2L VPN is not being PATed.

Wouldn't it be in this case that you SHOULD NOT configure any NAT Exemption type configurations? To my understanding the NAT configuration mentioned earlier by me, the one showing in the packet-tracer above, works both ways, and therefore, as all the used objects are identical, it keeps the original source address of Office1 instead of NATing it and overrides the PAT configurations you have for the Office2 interface from the itrunk interface (Office1 -> Office2 traffic doesn't get NATed, but Office3 -> Office2 falls to the PAT rule).

Won't the above mentioned (packet-tracer) NAT command also override the OFFICE3-POOL configurations you have for the Office3 LAN and the Office3 VPN Clients? Since the source interface is "any" and the destination interface is "itrunk".

You could confirm if the POOL configurations are used by issuing the packet-tracer command with input interface of server-lan and its source IP address and destination IP address of Office1. To my understanding that kind of packet-tracer command would result in the same NAT rule applied as the above output you posted. I might be wrong but could you test it?

I'm also kinda wondering why the packet-tracer states that the output interface is the Office3 local interface, though. To my understanding your ASA should determine the output interface with a route lookup and NAT shouldn't affect it.

Sorry if the reply was a bit confusing. Maybe I'll look this through again tomorrow. It would be easier to get the big picture if I could see the whole configuration (could probably even lab it then). Would be interesting to go through the setup, as nothing teaches you more about a device's operation than trying to fix something that ain't working.

- Jouni
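To make the ordering argument in the reply above concrete, here is an added Python model (not from the thread and not Cisco code) of how the ASA 8.3 NAT table picks a rule: section 1 manual NAT first, then object NAT, then after-auto rules, first match wins, with static rules matching in both directions. It runs the thread's rules against the SAM->FRED, JANE->FRED and JANE->SAM flows, first with the broad rfc-nets exemption and then with a narrower office3<->office1 exemption of the kind suggested above; the narrowed rule, the office subnets and JANE's address are assumptions, and the egress interface is taken as given rather than derived from routing.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan: only SAM (10.1.2.1) and FRED (10.2.2.249) come from the thread.
OBJECTS = {"any": ["0.0.0.0/0"],
           "rfc-nets": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
           "office1": ["10.1.2.0/24"],    # assumed: SAM's LAN behind Office 1
           "office3": ["10.3.3.0/24"]}    # assumed: JANE's LAN on server-lan
SAM, JANE, FRED = "10.1.2.1", "10.3.3.10", "10.2.2.249"

def in_obj(name, ip):
    return any(ip_address(ip) in ip_network(n) for n in OBJECTS[name])
class Rule:
    """One ASA 8.3 NAT rule; models identity static twice NAT and dynamic PAT only."""
    def __init__(self, section, real_if, mapped_if, src, dst, static, text):
        self.section, self.real_if, self.mapped_if = section, real_if, mapped_if
        self.src, self.dst, self.static, self.text = src, dst, static, text

    def matches(self, ingress, egress, src, dst):
        fwd = (self.real_if in ("any", ingress) and self.mapped_if in ("any", egress)
               and in_obj(self.src, src) and in_obj(self.dst, dst))
        # Static rules also match in reverse: traffic entering the mapped interface toward
        # the real interface, with the source/destination objects swapped (identity here).
        rev = (self.static and self.mapped_if in ("any", ingress)
               and self.real_if in ("any", egress) and in_obj(self.dst, src) and in_obj(self.src, dst))
        return fwd or rev

def first_match(rules, ingress, egress, src, dst):
    """ASA order: section 1 manual NAT, section 2 object NAT, section 3 after-auto; first hit wins.
    The egress interface is supplied as if already chosen by the route lookup (simplification)."""
    for rule in sorted(rules, key=lambda r: r.section):   # stable sort keeps listed order
        if rule.matches(ingress, egress, src, dst):
            return rule.text
    return "no NAT rule"

BROAD_EXEMPT = Rule(1, "any", "itrunk", "rfc-nets", "rfc-nets", True, "exempt (any,itrunk) rfc-nets")
NARROW_EXEMPT = Rule(1, "server-lan", "itrunk", "office3", "office1", True, "exempt (server-lan,itrunk) office3<->office1")
COMMON = [Rule(2, "server-lan", "itrunk", "office3", "any", False, "object office3 -> OFFICE3-POOL"),
          Rule(3, "server-lan", "office2", "office3", "any", False, "PAT office3 -> office2 interface"),
          Rule(3, "itrunk", "office2", "office1", "any", False, "PAT office1 -> office2 interface"),
          Rule(3, "any", "office2", "rfc-nets", "any", False, "PAT rfc-nets -> office2 interface")]
def compare(exempt_rule):
    """Which rule each flow from the thread hits when the given exemption rule is in section 1."""
    rules = [exempt_rule] + COMMON
    return {"SAM->FRED": first_match(rules, "itrunk", "office2", SAM, FRED),
            "JANE->FRED": first_match(rules, "server-lan", "office2", JANE, FRED),
            "JANE->SAM": first_match(rules, "server-lan", "itrunk", JANE, SAM)}

if __name__ == "__main__":
    for name, rule in (("broad", BROAD_EXEMPT), ("narrow", NARROW_EXEMPT)):
        print(name, compare(rule))
```

With the broad rule, SAM->FRED is caught in reverse by the section 1 exemption and leaves untranslated, matching what FRED's debugs showed; with the narrowed rule it falls through to the (itrunk,office2) PAT while JANE->SAM is still exempt.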

Full config and a nice topology would be great

Sent from Cisco Technical Support iPhone App
