07-11-2012 10:52 PM - edited 03-11-2019 04:30 PM
Hello all,
Not really a big problem, but not knowing the answer is killing me. This is what I have:
Host 1 <-> ASA 5505 <-> VPN connection<-> ASA5510 <-> Host 2
Both hosts can reach each other without issues. Ping, connect, no problem.
The problem is when one of the hosts tries to reach the inside interface of the remote ASA. E.g. Host 1 trying to ping the ASA5510 inside interface. Again, Host 1 and 2 have the same subnet address of 10.1.1.0/24. I have configured the ASA 5505 to do the NAT translations.
Here is the ASA 5505 config (the parts that matter):
ASA Version 8.2(5)
!
hostname ASA5505
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.100.102 255.255.255.252
!
access-list vpnACL extended permit ip 10.1.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPNnat extended permit ip 10.1.1.0 255.255.255.0 10.1.30.0 255.255.255.0
access-list outacl extended permit icmp any any
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.1.20.0 access-list VPNnat
static (outside,inside) 10.1.30.0 10.1.1.0 netmask 255.255.255.0
!
access-group outacl in interface outside
!
route outside 0.0.0.0 0.0.0.0 192.168.100.101 1
!
crypto ipsec transform-set phase2 esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address vpnACL
crypto map outside_map 10 set peer 172.16.14.50
crypto map outside_map 10 set transform-set phase2
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
management-access inside
!
tunnel-group 172.16.14.50 type ipsec-l2l
tunnel-group 172.16.14.50 ipsec-attributes
pre-shared-key *****
Here is the 5510 config:
: Saved
:
ASA Version 8.4(3)
!
hostname ASA5510
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.16.14.50 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
object network insidehosts
subnet 10.1.1.0 255.255.255.0
object network Site443
subnet 10.1.20.0 255.255.255.0
!
access-list VPNacl extended permit ip object insidehosts object outsidehosts
access-list outacl extended permit icmp any any
!
nat (inside,outside) source static insidehosts insidehosts destination static Site443 Site443
!
access-group outacl in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.14.49 1
!
crypto ipsec ikev1 transform-set phase2p esp-aes esp-sha-hmac
crypto map outside_map 69 match address VPNacl
crypto map outside_map 69 set peer 192.168.100.102
crypto map outside_map 69 set ikev1 transform-set phase2p
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
management-access inside
!
tunnel-group 192.168.100.102 type ipsec-l2l
tunnel-group 192.168.100.102 ipsec-attributes
ikev1 pre-shared-key *****
Again, this configuration works for all hosts on both subnets, except when a host tries to ping the remote ASA's inside interface.
e.g. Host 1@10.1.1.50 pinging/telnetting to ASA2@10.1.30.1 fails.
Can anyone clue me as to why not?
Thanks for the time and support,
Nick
07-11-2012 10:58 PM
NAT won't work on the ASA interfaces itself. NAT will only work for traffic passing through the ASA.
07-12-2012 11:30 AM
Thanks Jennifer for the reply. Is that just an ASA rule? Or is there more of a technical reason why not? Because I see, using debug icmp trace, that the ASAs receive the ICMP requests. But the ASA does not reply.
Again thanks for the reply.
Nick
07-12-2012 03:05 PM
Yes, you are absolutely correct. It is by design that the ASA interface will not get NATed.
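As an added illustration (my own Python model, not code from the thread or from Cisco), this walks a packet through the two static rules the 5505 holds for the overlapping 10.1.1.0/24 subnets and flags the case the answer describes: a mapped address that lands on the far ASA's own interface. The site labels and function names are assumptions.

```python
import ipaddress

# Constructed model of the overlapping-subnet NAT from the thread. Both sites
# really use 10.1.1.0/24 and the 5505 holds both static rules:
#   static (inside,outside) 10.1.20.0 access-list VPNnat  -> Site 1 hosts seen as 10.1.20.x
#   static (outside,inside) 10.1.30.0 10.1.1.0            -> Site 2 hosts seen as 10.1.30.x
REAL = ipaddress.ip_network("10.1.1.0/24")
MAPPED_SITE1 = ipaddress.ip_network("10.1.20.0/24")  # how Site 1 (5505 side) appears to Site 2
MAPPED_SITE2 = ipaddress.ip_network("10.1.30.0/24")  # how Site 2 (5510 side) appears to Site 1

# Inside interface addresses from the posted configs (both ASAs use 10.1.1.1).
ASA_INSIDE = {"ASA5505": ipaddress.ip_address("10.1.1.1"),
              "ASA5510": ipaddress.ip_address("10.1.1.1")}


def remap(addr, src_net, dst_net):
    """Static net-to-net NAT: move addr from src_net to dst_net, keeping the host offset."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        return addr  # rule does not match; address passes unchanged
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)


def through_tunnel(src, dst, from_site):
    """Return (src, dst, answerable) as the packet arrives on the far site's real network.

    from_site is "ASA5505" or "ASA5510". answerable is False when the un-NATed
    destination is the far ASA's own inside interface: per the accepted answer NAT
    applies only to traffic passing through an ASA, so the mapped addresses 10.1.30.1
    (seen from Site 1) and 10.1.20.1 (seen from Site 2) never reach a translated box.
    """
    if from_site == "ASA5505":
        far, out_map, in_map = "ASA5510", MAPPED_SITE1, MAPPED_SITE2
    else:
        far, out_map, in_map = "ASA5505", MAPPED_SITE2, MAPPED_SITE1
    src_t = remap(src, REAL, out_map)  # real source -> mapped source the far side sees
    dst_t = remap(dst, in_map, REAL)   # mapped destination -> far side's real address
    return str(src_t), str(dst_t), dst_t != ASA_INSIDE[far]
```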