09-21-2011 01:59 PM - edited 03-04-2019 01:41 PM
We need to configure a L2L VPN to another site for the purpose of doing secure backups to a hosted backup service. Because they handle multiple clients, we can't do a non-NAT VPN to them, as they can't sort out all the different private IP ranges from everyone, so we have to use the external IP address.
We've set it up so that there is a global pool for one of the available outside IP addresses.
There is a network object group containing the internal IP addresses of the servers to be backed up.
There is a NAT rule that uses an ACL for connections from the backed-up servers' inside IP addresses to the destination VPN target IP.
Tunnels and crypto maps are fine, confirmed matches of both the encryption setup and the preshared key.
IKE phase 1 completes fine.
However, it gets dumped after that, because the other end can't find a match for our network in their tunnels list. When they look at the logs, our side is presenting 0.0.0.0 as our network, rather than the NAT'd external IP address.
I can confirm that the NATing itself works. Packet trace shows it NATing, xlate table shows the nat'd IP, and even browsing out to What is My IP shows NAT'd address.
Ideas?
Excerpts from sanitized config below: ASA 8.2(3)
(Please ignore minor errors in IP addresses. They're probably typos due to sanitizing...)
--------------------------------
object-group network BackedupServersOutside
network-object host 99.99.99.60
object-group network BackedupServersInside
network-object host 10.0.0.1
network-object host 10.0.0.2
network-object host 10.0.0.3
object-group network BackupTargets
network-object host 192.168.90.154
network-object host 192.168.90.149
access-list Servers_NAT extended permit ip object-group BackedupServersInside any
access-list VPN_to_Backups extended permit ip any object-group BackupTargets
global (Outside) 5 99.99.99.60
global (Outside) 10 interface
nat (Inside) 0 access-list no_nat
nat (Inside) 5 access-list Servers_NAT
nat (Inside) 10 access-list nat
crypto ipsec transform-set remote_transform esp-3des esp-md5-hmac
crypto ipsec transform-set BackupTransform esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map remote_map 90 set transform-set remote_transform
crypto dynamic-map remote_map 90 set reverse-route
crypto map crypto_map 10 match address VPN_to_Backups
crypto map crypto_map 10 set peer 65.65.65.100
crypto map crypto_map 10 set transform-set BackupTransform
crypto map crypto_map 90 ipsec-isakmp dynamic remote_map
crypto map crypto_map interface Outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 30
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
customization value DfltCustomization
tunnel-group 65.65.65.100 type ipsec-l2l
tunnel-group 65.65.65.100 ipsec-attributes
pre-shared-key *****
----------------
Excerpt from Crypto ISAKMP debugging:
----------------
Sep 20 16:27:09 [IKEv1]: IP = 65.65.65.100, IKE Initiator: New Phase 1, Intf Equipment, IKE Peer 65.65.65.100 local Proxy Address 0.0.0.0, remote Proxy Address 192.168.90.154, Crypto map (crypto_map)
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, constructing ISAKMP SA payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, constructing NAT-Traversal VID ver 02 payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, constructing NAT-Traversal VID ver 03 payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, constructing NAT-Traversal VID ver RFC payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, constructing Fragmentation VID + extended capabilities payload
Sep 20 16:27:09 [IKEv1]: IP = 65.65.65.100, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Sep 20 16:27:09 [IKEv1]: IP = 65.65.65.100, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, processing SA payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, Oakley proposal is acceptable
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, processing VID payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, Received NAT-Traversal ver 02 VID
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, processing VID payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, Received Fragmentation VID
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, constructing ke payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, constructing nonce payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, constructing Cisco Unity VID payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, constructing xauth V6 VID payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, Send IOS VID
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, constructing VID payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, constructing NAT-Discovery payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, computing NAT Discovery hash
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, constructing NAT-Discovery payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, computing NAT Discovery hash
Sep 20 16:27:09 [IKEv1]: IP = 65.65.65.100, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Sep 20 16:27:09 [IKEv1]: IP = 65.65.65.100, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, processing ke payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, processing ISA_KE payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, processing nonce payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, processing VID payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, Received Cisco Unity client VID
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, processing VID payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, Received xauth V6 VID
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, processing VID payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000409)
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, processing VID payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, processing NAT-Discovery payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, computing NAT Discovery hash
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, processing NAT-Discovery payload
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, computing NAT Discovery hash
Sep 20 16:27:09 [IKEv1]: IP = 65.65.65.100, Connection landed on tunnel_group 65.65.65.100
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, Generating keys for Initiator...
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, constructing ID payload
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, constructing hash payload
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, Computing hash for ISAKMP
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, constructing dpd vid payload
Sep 20 16:27:09 [IKEv1]: IP = 65.65.65.100, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 114
Sep 20 16:27:09 [IKEv1]: Group = 65.65.65.100, IP = 65.65.65.100, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Sep 20 16:27:09 [IKEv1]: IP = 65.65.65.100, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, processing ID payload
Sep 20 16:27:09 [IKEv1 DECODE]: Group = 65.65.65.100, IP = 65.65.65.100, ID_IPV4_ADDR ID received
65.65.65.100
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, processing hash payload
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, Computing hash for ISAKMP
Sep 20 16:27:09 [IKEv1 DEBUG]: IP = 65.65.65.100, Processing IOS keep alive payload: proposal=32767/32767 sec.
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, processing VID payload
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, Received DPD VID
Sep 20 16:27:09 [IKEv1]: IP = 65.65.65.100, Connection landed on tunnel_group 65.65.65.100
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, Oakley begin quick mode
Sep 20 16:27:09 [IKEv1 DECODE]: Group = 65.65.65.100, IP = 65.65.65.100, IKE Initiator starting QM: msg id = 93344904
Sep 20 16:27:09 [IKEv1]: Group = 65.65.65.100, IP = 65.65.65.100, PHASE 1 COMPLETED
Sep 20 16:27:09 [IKEv1]: IP = 65.65.65.100, Keep-alive type for this connection: DPD
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, Starting P1 rekey timer: 82080 seconds.
IPSEC: New embryonic SA created @ 0xD8C5C8F0,
SCB: 0xD8C97F60,
Direction: inbound
SPI : 0x5385D238
Session ID: 0x038DE000
VPIF num : 0x00000001
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, IKE got SPI from key engine: SPI = 0x5385d238
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, oakley constucting quick mode
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, constructing blank hash payload
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, constructing IPSec SA payload
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, constructing IPSec nonce payload
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, constructing proxy ID
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, Transmitting Proxy Id:
Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0
Remote host: 192.168.90.154 Protocol 0 Port 0
Sep 20 16:27:09 [IKEv1 DECODE]: Group = 65.65.65.100, IP = 65.65.65.100, IKE Initiator sending Initial Contact
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, constructing qm hash payload
Sep 20 16:27:09 [IKEv1 DECODE]: Group = 65.65.65.100, IP = 65.65.65.100, IKE Initiator sending 1st QM pkt: msg id = 93344904
Sep 20 16:27:09 [IKEv1]: IP = 65.65.65.100, IKE_DECODE SENDING Message (msgid=93344904) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 188
Sep 20 16:27:09 [IKEv1]: IP = 65.65.65.100, IKE_DECODE RECEIVED Message (msgid=aa21e4e3) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, processing hash payload
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, processing delete
Sep 20 16:27:09 [IKEv1]: Group = 65.65.65.100, IP = 65.65.65.100, Connection terminated for peer 65.65.65.100. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, sending delete/delete with reason message
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, constructing blank hash payload
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, constructing IPSec delete payload
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, constructing qm hash payload
Sep 20 16:27:09 [IKEv1]: IP = 65.65.65.100, IKE_DECODE SENDING Message (msgid=49a40e5a) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, IKE Deleting SA: Remote Proxy 192.168.90.154, Local Proxy 0.0.0.0
Sep 20 16:27:09 [IKEv1]: Group = 65.65.65.100, IP = 65.65.65.100, Removing peer from correlator table failed, no match!
Sep 20 16:27:09 [IKEv1 DEBUG]: Group = 65.65.65.100, IP = 65.65.65.100, IKE SA MM:3796ec4f terminating: flags 0x0100c822, refcnt 0, tuncnt 0
Sep 20 16:27:09 [IKEv1]: Group = 65.65.65.100, IP = 65.65.65.100, Session is being torn down. Reason: User Requested
Sep 20 16:27:09 [IKEv1]: Ignoring msg to mark SA with dsID 59629568 dead because SA deleted
Sep 20 16:27:09 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x5385d238
------------------
I'm assuming that I should be seeing the "Local Proxy" as 99.99.99.60 and not 0.0.0.0, but how to fix it?
09-21-2011 02:15 PM
Dan
change your crypto map acl VPN_to_Backups from -
access-list VPN_to_Backups extended permit ip any object-group BackupTargets
to
access-list VPN_to_Backups permit ip object-group BackedupServersOutside object-group BackupTargets
Jon
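Jon's fix, expressed as a check you can run against a config excerpt. This is an added example, not code from the thread or from Cisco: it derives the local/remote proxy-ID pairs an ASA builds from a crypto map ACL (`any` becomes 0.0.0.0/0, which is what the debug above transmits) and flags ACEs whose local proxy is not the post-NAT address the peer expects. The config strings are constructed from the thread's sanitized excerpt; only host, subnet, object-group and any address forms are handled.

```python
import re
from ipaddress import ip_network

# Constructed excerpt using the same sanitized addresses as the post.
ORIGINAL = """\
object-group network BackedupServersOutside
 network-object host 99.99.99.60
object-group network BackupTargets
 network-object host 192.168.90.154
 network-object host 192.168.90.149
access-list VPN_to_Backups extended permit ip any object-group BackupTargets
"""
# The same excerpt with Jon's corrected crypto ACL source.
FIXED = ORIGINAL.replace("permit ip any object-group",
                         "permit ip object-group BackedupServersOutside object-group")

ADDR = r"(any|host \S+|object-group \S+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(rf"access-list (\S+) (?:extended )?permit (\S+) {ADDR} {ADDR}")

def object_groups(cfg):
    """Map object-group name -> list of networks (host and subnet members)."""
    groups, current = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("object-group network "):
            current = line.split()[2]
            groups[current] = []
        elif current and line.startswith("network-object host "):
            groups[current].append(ip_network(line.split()[2] + "/32"))
        elif current and line.startswith("network-object "):
            addr, mask = line.split()[1:3]
            groups[current].append(ip_network(f"{addr}/{mask}"))
    return groups

def to_networks(token, groups):
    """Expand one ACE address token into the networks it covers."""
    if token == "any":
        return [ip_network("0.0.0.0/0")]        # this is the 0.0.0.0 local proxy seen in the debug
    kind, value = token.split(" ", 1)
    if kind == "host":
        return [ip_network(value + "/32")]
    if kind == "object-group":
        return groups[value]
    return [ip_network(f"{kind}/{value}")]      # "A.B.C.D M.M.M.M" netmask form

def proxy_ids(cfg, acl_name):
    """(local, remote) proxy-ID pairs the crypto map ACL produces, one per ACE and group member."""
    groups = object_groups(cfg)
    return [(str(s), str(d)) for m in ACL_RE.finditer(cfg) if m.group(1) == acl_name
            for s in to_networks(m.group(3), groups) for d in to_networks(m.group(4), groups)]

def check_local_proxy(cfg, acl_name, nat_ip):
    """Return a problem string for each ACE whose local proxy is not the post-NAT host the peer expects."""
    want = ip_network(nat_ip + "/32")
    return [f"local proxy {loc} for remote {rem} (peer expects {want})"
            for loc, rem in proxy_ids(cfg, acl_name) if ip_network(loc) != want]
```

The crypto ACL is evaluated on post-NAT addresses, so its source must be the global-pool address the peer has in its tunnel list, not the inside hosts and not `any`.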
09-21-2011 02:04 PM
p.s. - Also ignore references to "Equipment" in the debug, those were not sanitized to "Inside". =)
09-21-2011 02:21 PM
Well I'll be a *&$%^#@$^@#$^236ing duck.
Thanks. =)