Local NAT on ASA 5505

LSAEleander
Level 1

Hello,

I'm quite new to these boards, so I'll try to explain my problem as best as I can.

If something is missing or incorrect, please inform me so I can update.

I want to do a local NAT before a VPN IPSEC because my internal range is already known at the customer's site. I've set up the static NAT rules and access policy.

Here you have the config as it is on the ASA right now.

Local server IP: 10.0.74.5

Required NAT address: 192.168.222.1

Customer range: 10.10.10.0/24

VPN Config:

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set peer 200.200.200.200

crypto map outside_map 2 set transform-set ESP-AES-256-SHA

tunnel-group 200.200.200.200 type ipsec-l2l

tunnel-group 200.200.200.200 ipsec-attributes

pre-shared-key "key"

access-list outside_2_cryptomap extended permit ip host 192.168.222.1 10.10.10.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip host 10.0.74.5 10.10.10.0 255.255.255.0

static (inside,outside) 192.168.222.1 10.0.74.5 netmask 255.255.255.255   (1-on-1 NAT)

I'm allowing this first before I start narrowing it down to only ftp!

access-list outside_access_in extended permit tcp any host 192.168.222.1

access-list outside_access_in extended permit ip any host 192.168.222.1

access-list outboundnat2 permit ip host 10.0.74.5 10.10.10.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 2 access-list outboundnat2

nat (inside) 1 0.0.0.0 0.0.0.0

Any help would be greatly appreciated!

Kind regards,

Eleander

47 Replies

Jon Marshall
Hall of Fame

Eleander

You can remove this line

access-list outside_2_cryptomap extended permit ip host 10.0.74.5 10.10.10.0 255.255.255.0

because traffic will be from the Natted address ie. NAT happens before the crypto-map access-list check.

The remote peer needs to have a mirror image of this access-list so

access-list outside_2_cryptomap extended permit ip 10.10.10.0 255.255.255.0 host 192.168.222.1

You could also remove the following

access-list outside_access_in extended permit tcp any host 192.168.222.1

as your next line permitting ip covers tcp. But then you say you will be looking to narrow that down.

The only other thing is you need to be aware that with a L2L VPN there are 2 ways in terms of acl's it can be setup

1) "sysopt connection permit-vpn" If you have this line in your config then traffic coming from the remote site down the tunnel is unencrypted and then it bypasses the acl attached to the outside interface ie. the acl on the outside interface does not have any effect on the traffic

2) If you don't have "sysopt connection permit-vpn" then the traffic will be then checked against the acl on the outside interface after being decrypted.

To see whether you are running sysopt connection permit-vpn run

"sh running-config sysopt"

I believe it is on by default.

Jon

Jon,

Thx for the quick reply.

Changed as you proposed but I can't find any sysopt connection entry.

Kind regards,

Eleander

Eleander

What is the output of running the command

sh running-config sysopt

if you want to turn off bypassing the acl then you will need to enter

asa(config)# no sysopt connection permit-vpn

but that is only if you want the traffic to be subject to your acl on the outside interface.

Jon

Jon,

No response, just a blank line.

Included the complete config in the attachment!

Thx for the quick replies!

Okay no problem. I just checked the command references and this is on by default -

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1198155

So if you want to bypass the acl on the outside interface you don't need to do anything. If you want the incoming VPN traffic to be checked against the acl on the outside interface then you need to enter

asa(config)# no sysopt connection permit-vpn

Still bit of a mystery as to why it doesn't show the sysopt settings -

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s6_72.html#wp1287358

Jon

Jon,

I've changed the config as you proposed and mailed the customer to try the connection again.

Did you by any chance have a look at the added config in my previous post? To see I didn't make any mistakes in the ACLs?

Kind regards,

Eleander

Eleander

You will need to add the following

access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp-data

FTP is a funny one. Do you know if it is passive ftp or not ?

If you have problems getting the FTP to work then you may need to adjust your acl. But first things first, need to see if the VPN tunnel comes up :-)

Jon


Jon,

I added the information you requested and also the FTP into the access-list. (see attached word doc)

But now I'm having these problems.

"Rejecting IPSec Tunnel: no matching crypto map entry for remote proxy 10.10.10.87/255.255.255.255/0/0 local proxy 192.168.222.1/255.255.255.255/0/0 on interface outside"

Looking into them right now.

What ACL am I missing?

Really appreciate you spending this much time to find a solution!

Kind regards,

Eleander

And here's the attachment! :)

Eleander

Is this coming up on the ASA we have been modifying the config on ?

Do you happen to have the config for both devices ie. the one we have been dealing with and the other one ?

Just as a quick test could you add this line to your crypto-map access-list and retry

access-list outside_2_cryptomap extended permit ip host 192.168.222.1 host 10.10.10.87

It really should not make a difference but just in case.

Jon
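As an added example (not code from this thread, Cisco, or either firewall), the following Python models the pre-8.3 ASA ordering Jon describes: the static NAT is applied before the crypto-map ACL is evaluated, so an ACE whose source is the real inside address can never match, the remote peer needs the mirror image of the surviving ACE, and a local/remote proxy pair such as the one in the "Rejecting IPSec Tunnel" log line can be checked against the post-NAT ACEs. It assumes IPv4, pre-8.3 syntax, and a host-to-host static only; the config strings are constructed from the lines quoted above.

```python
import ipaddress
import re

# Constructed from the config lines quoted in the thread (pre-8.3 syntax).
STATIC_NAT = "static (inside,outside) 192.168.222.1 10.0.74.5 netmask 255.255.255.255"
CRYPTO_ACL = [
    "access-list outside_2_cryptomap extended permit ip host 192.168.222.1 10.10.10.0 255.255.255.0",
    "access-list outside_2_cryptomap extended permit ip host 10.0.74.5 10.10.10.0 255.255.255.0",
]

def _net(tokens):
    """Parse 'host A' or 'A MASK' at the head of tokens; return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    """Return (acl_name, proto, src_net, dst_net) from an 'extended permit' ACE."""
    name, proto, rest = re.match(r"access-list (\S+) extended permit (\S+) (.+)", line).groups()
    src, rest = _net(rest.split())
    dst, _ = _net(rest)
    return name, proto, src, dst

def parse_static(line):
    """Return (mapped_net, real_net) from a pre-8.3 'static (in,out) MAPPED REAL netmask M' line."""
    mapped, real, mask = re.match(r"static \(\S+\) (\S+) (\S+) netmask (\S+)", line).groups()
    return ipaddress.ip_network(f"{mapped}/{mask}"), ipaddress.ip_network(f"{real}/{mask}")

def effective_aces(acl_lines, static):
    """NAT runs before the crypto-map check, so an ACE sourced from the real (inside)
    address is dead: the packet already carries the mapped address when it is evaluated."""
    _, real = static
    live, dead = [], []
    for line in acl_lines:
        _, proto, src, dst = parse_ace(line)
        (dead if src.subnet_of(real) else live).append((proto, src, dst))
    return live, dead

def mirror_ace(name, proto, src, dst):
    """The remote peer's ACE is the mirror image: source and destination swapped."""
    def fmt(n):
        return f"host {n.network_address}" if n.prefixlen == 32 else f"{n.network_address} {n.netmask}"
    return f"access-list {name} extended permit {proto} {fmt(dst)} {fmt(src)}"

def proxy_matches(local, remote, aces):
    """Check a 'local proxy'/'remote proxy' pair (as logged by the ASA) against post-NAT ACEs."""
    l, r = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    return any(l.subnet_of(src) and r.subnet_of(dst) for _, src, dst in aces)
```

Running `effective_aces(CRYPTO_ACL, parse_static(STATIC_NAT))` marks the `host 10.0.74.5` ACE as dead and leaves the `host 192.168.222.1` ACE, whose mirror is exactly the line Jon gives for the remote peer.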

Jon,

Added the ACL but nothing changes.

In the attachment you can find the latest config.

We only manage this one firewall, which is a pity, and more so because the firewall on the other site isn't a Cisco. :(

Before making your proposed change for the sysopt the L2L was working. So it must be in the access lists!

Thx a lot.

Kind regards,

Eleander

Eleander

Can you remove the sysopt line and then let me know if it is working ie.

pix(config)# sysopt connection permit-vpn

Jon

Jon,

I also dug a little further and the site-to-site seems to be coming active.

There was a problem within the traffic selection for the L2L.

Thx a lot for the support on the access-list!

Just having this problem right now:

6 Nov 19 2008 16:58:29 302013 10.10.10.87 10.0.74.5 Built inbound TCP connection 5460 for outside:10.10.10.87/37590 (10.10.10.87/37590) to inside:10.0.74.5/21 (192.168.222.1/21)

6 Nov 19 2008 16:58:59 302014 10.10.10.87 10.0.74.5 Teardown TCP connection 5460 for outside:10.10.10.87/37590 to inside:10.0.74.5/21 duration 0:00:30 bytes 0 SYN Timeout

So the connection goes through but times out!

I think changing/adding the ftp instead of the ftp-data will resolve my issue!

Thx a lot!!!

Eleander

Do you think you have it working now or at least know what to do ?

I'm dying to get out on my mountain bike but happy to hang around if you need further help.

Jon
