01-11-2022 02:19 PM - last edited on 03-09-2022 12:51 PM by Translator
Hopefully I can explain this well enough.
I have a hub that is an ASA and I want to create a VPN to an ASA on Spoke A.
The hub inside is 10.19.1.0 and the remote side is 10.1.1.0
On spoke A the true inside is 192.168.1.0 but I am wanting to NAT 10.1.1.0 to 192.168.1.0 so I can avoid Spoke B which has the same IP scheme.
I've created an IPsec IKEv2 tunnel between the hub and Spoke A and I can see it come up. I've created it with the following:
Hub
inside 10.19.1.0
remote 10.1.1.0
Spoke A
inside 10.1.1.0
remote 10.19.1.0
Then I created on Spoke A
object network Test_PC_Nat_IP
host 10.1.1.10
object network Test_PC
host 192.168.1.10
And a NAT rule
nat (Inside,outside) source static Test_PC_Nat_IP Test_PC_Nat_IP destination static H_Int_Network H_Int_Network net-to-net
Where have I gone wrong? I can see a ping come across the VPN, but no response. It will sometimes show "routing failed to locate the next hop for ICMP from outside:10.19.1.5/1 to Inside:10.1.1.10/0".
Thank you!
01-11-2022 03:50 PM - last edited on 03-09-2022 12:47 PM by Translator
Looks like your nat statement needs to change and have the real source and the nat source instead of nat and nat.
nat (Inside,outside) source static Test_PC Test_PC_Nat_IP destination static H_Int_Network H_Int_Network net-to-net
01-11-2022 06:44 PM - last edited on 03-09-2022 12:48 PM by Translator
I ended up doing this
nat (inside,outside) source static obj-192.168.1.0 obj-10.1.1.0 destination static REMOTE-NET REMOTE-NET
I am able to now get to the pc at the hub from the spoke. However if I try to go from the hub to the spoke it doesn't work because I need a NAT rule to translate the real ip to the nat IP.
Would your NAT statement above do that? Let's say I have one device on the spoke I need to do this for; I'm guessing you would use a rule like yours above. But if I need to do this for multiple computers/devices at the hub, would I do the rule I put above in this post, then a rule like you used for each device?
Thank you for your assistance.
01-12-2022 08:14 AM - last edited on 03-09-2022 12:48 PM by Translator
So as of right now I am just using the nat rule of
nat (inside,outside) source static obj-192.168.1.0 obj-10.1.1.0 destination static REMOTE-NET REMOTE-NET
and somehow it's working, where from 10.19.1.5 I can ping 10.1.1.10. As far as I can see there is nothing telling the firewall that 10.1.1.10 is the NAT IP of 192.168.1.10.
So my question is how would this work if nothing is configured for object nat?
Thanks
01-12-2022 01:06 PM - last edited on 03-09-2022 12:49 PM by Translator
Hello,
what are you trying to accomplish? Build an IKEv2 site-to-site VPN?
--> nat (inside,outside) source static obj-192.168.1.0 obj-10.1.1.0 destination static REMOTE-NET REMOTE-NET
has nothing to do with a NAT exemption for VPN. In addition, you need a lot more than just that one NAT statement.
01-12-2022 01:10 PM - last edited on 03-09-2022 12:50 PM by Translator
I created a site-to-site VPN and it's working. Everything seems to be working as I want, but I have no idea why or how the NAT is working, unless by default the NAT rule
nat (inside,outside) source static obj-192.168.1.0 obj-10.1.1.0 destination static REMOTE-NET REMOTE-NET
means that it maps the IP 10.1.1.1 to 192.168.1.1 automatically, basically using the last octet to map?
01-12-2022 01:49 PM
Hello,
--> I created a site to site vpn and it's working.
Can you post the full configs of both ASAs ?
01-13-2022 05:58 AM - last edited on 03-09-2022 12:46 PM by Translator
Here is the config of the spoke.
The hub just has a site-to-site VPN with no special NAT rules; I have the VPN set to exempt NAT on the VPN.
interface GigabitEthernet0/0
description WAN
speed 100
duplex full
nameif outside
security-level 0
ip address 5.5.5.146 255.255.255.240
!
interface GigabitEthernet0/1
description Inside
nameif Inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
!
boot system disk0:/asa9-12-3-12-smp-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
object network Inside_NAT
subnet 192.168.1.0 255.255.255.0
object network Gateway
host 5.5.5.158
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network Test
subnet 192.168.165.0 255.255.255.0
object network H_Int_Network
subnet 10.19.1.0 255.255.255.0
object network Test_Laptop_natted
host 192.168.1.14
object network Inside_XLATE
subnet 192.168.165.0 255.255.255.0
object network 10.1.1.0_24
subnet 10.1.1.0 255.255.255.0
object network H_IFC
subnet 10.19.1.0 255.255.255.0
object network Test_PC_Nat_IP
host 10.1.1.11
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0
object network REMOTE-NET
subnet 10.19.1.0 255.255.255.0
object network Test_Server
host 192.168.1.11
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-list Inside_access_in extended deny udp any any eq tftp
access-list Inside_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip object 10.1.1.0_24 object H_Int_Network
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Inside 1500
mtu Test 1500
ip verify reverse-path interface outside
ip verify reverse-path interface Inside
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7121.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (Inside,outside) source static obj-192.168.1.0 obj-10.1.1.0 destination static H_Int_Network H_Int_Network
!
object network Inside_NAT
nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
access-group Inside_access_in in interface Inside
route outside 0.0.0.0 0.0.0.0 5.5.5.158 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 5.5.5.5 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES-256
protocol esp encryption aes-256
protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 5.5.5.97
crypto map outside_map 1 set ikev2 ipsec-proposal AES-256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha512 sha384 sha256
group 21 20 19 24
prf sha512 sha384 sha256
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh cipher encryption high
ssh key-exchange group dh-group14-sha1
ssh 5.5.5.5 255.255.255.255 outside
console timeout 0
dhcpd address 192.168.1.10-192.168.1.50 Inside
dhcpd dns 8.8.8.8 9.9.9.9 interface Inside
dhcpd lease 864000 interface Inside
dhcpd domain POS.local interface Inside
dhcpd enable Inside
!
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl dh-group group24
ssl ecdh-group group20
group-policy GroupPolicy_5.5.5.97 internal
group-policy GroupPolicy_5.5.5.97 attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 5.5.5.97 type ipsec-l2l
tunnel-group 5.5.5.97 general-attributes
default-group-policy GroupPolicy_5.5.5.97
tunnel-group 5.5.5.97 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect snmp
class global-class
police input 100000000 50000
police output 100000000 50000
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
!
jumbo-frame reservation
!
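Added illustration (not part of the thread, and not Cisco code): a small Python model of how the static twice-NAT rule in the spoke config, nat (Inside,outside) source static obj-192.168.1.0 obj-10.1.1.0 destination static H_Int_Network H_Int_Network, interacts with the crypto ACL outside_cryptomap. It answers the 01:10 PM question about "using the last octet to map": a static net-to-net translation between two equal-size networks is a one-to-one mapping that keeps the host part of the address and swaps the network part, and static NAT is bidirectional, so the same rule untranslates hub-to-spoke traffic. The networks and host addresses are the ones from the posted config; the traces of the original rule (Test_PC_Nat_IP used as both real and mapped source) are a constructed comparison that shows why outbound traffic never matched the crypto ACL and inbound traffic ended up addressed to a host that does not exist on Inside. The class and function names are this example's own.

```python
"""Model of an ASA 'source static REAL MAPPED destination static D D' rule and the crypto-map match."""
from ipaddress import IPv4Address, IPv4Network

# Networks taken from the spoke config posted above (comments name the ASA objects)
INSIDE_REAL = IPv4Network("192.168.1.0/24")    # obj-192.168.1.0 (true Inside subnet)
INSIDE_MAPPED = IPv4Network("10.1.1.0/24")     # obj-10.1.1.0 (what the hub sees)
HUB_NET = IPv4Network("10.19.1.0/24")          # H_Int_Network / REMOTE-NET
# access-list outside_cryptomap extended permit ip object 10.1.1.0_24 object H_Int_Network
CRYPTO_ACL = [(INSIDE_MAPPED, HUB_NET)]


class StaticTwiceNat:
    """One 'nat (Inside,outside) source static REAL MAPPED destination static D D' rule.

    Static NAT is bidirectional: Inside->outside packets get their source rewritten,
    outside->Inside packets addressed to the mapped network get their destination
    rewritten back to the real host.
    """

    def __init__(self, real: IPv4Network, mapped: IPv4Network, dest: IPv4Network):
        if real.prefixlen != mapped.prefixlen:
            raise ValueError("static net-to-net NAT needs equal-size real and mapped networks")
        self.real, self.mapped, self.dest = real, mapped, dest

    @staticmethod
    def _shift(addr: IPv4Address, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
        # One-to-one mapping: keep the host offset, swap the network part.
        host_offset = int(addr) - int(src_net.network_address)
        return IPv4Address(int(dst_net.network_address) + host_offset)

    def outbound(self, src: IPv4Address, dst: IPv4Address):
        """Inside -> outside: translated (src, dst), or None when the rule does not match."""
        if src in self.real and dst in self.dest:
            return self._shift(src, self.real, self.mapped), dst
        return None

    def inbound(self, src: IPv4Address, dst: IPv4Address):
        """outside -> Inside: untranslated (src, dst), or None when the rule does not match."""
        if src in self.dest and dst in self.mapped:
            return src, self._shift(dst, self.mapped, self.real)
        return None


def crypto_acl_permits(src: IPv4Address, dst: IPv4Address, acl=CRYPTO_ACL) -> bool:
    """The crypto map is matched against the packet *after* NAT, so translated addresses count."""
    return any(src in s and dst in d for s, d in acl)


def trace_outbound(rule: StaticTwiceNat, src: str, dst: str) -> dict:
    """A spoke host sends to the hub: NAT first, then decide whether the packet enters the tunnel."""
    s, d = IPv4Address(src), IPv4Address(dst)
    xlated = rule.outbound(s, d) or (s, d)       # no match means the packet leaves untranslated
    return {"nat_src": str(xlated[0]), "via_vpn": crypto_acl_permits(*xlated)}


def trace_inbound(rule: StaticTwiceNat, src: str, dst: str) -> dict:
    """A hub host sends to the mapped address: untranslate, then check the real host is on Inside."""
    s, d = IPv4Address(src), IPv4Address(dst)
    xlated = rule.inbound(s, d) or (s, d)
    return {"real_dst": str(xlated[1]), "on_inside": xlated[1] in INSIDE_REAL}


# The rule the poster ended up with (subnet to subnet) ...
WORKING_RULE = StaticTwiceNat(INSIDE_REAL, INSIDE_MAPPED, HUB_NET)
# ... and the first attempt, which used the mapped host object as both real and mapped source
# (constructed from the 02:19 PM post: Test_PC_Nat_IP = host 10.1.1.10).
FIRST_ATTEMPT = StaticTwiceNat(IPv4Network("10.1.1.10/32"), IPv4Network("10.1.1.10/32"), HUB_NET)

if __name__ == "__main__":
    for name, rule in (("working", WORKING_RULE), ("first attempt", FIRST_ATTEMPT)):
        print(name, "spoke->hub:", trace_outbound(rule, "192.168.1.10", "10.19.1.5"))
        print(name, "hub->spoke:", trace_inbound(rule, "10.19.1.5", "10.1.1.10"))
```

With the working rule a packet from 192.168.1.10 to 10.19.1.5 leaves as 10.1.1.10 and matches the crypto ACL, and a hub packet to 10.1.1.10 is untranslated to 192.168.1.10. With the first attempt the outbound packet is never translated (192.168.1.10 is not in 10.1.1.10/32), so it does not match the crypto ACL and is not encrypted, while the inbound packet is left addressed to 10.1.1.10, a host that does not exist on Inside, which is consistent with the "routing failed to locate the next hop" message in the opening post.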