10-18-2019 02:26 PM
I currently have a VPN connection set up between an ASA 5515 and a Meraki MX64; it works great. However, I've got a new subnet behind the ASA that I want to put over the VPN. I added it to the local subnet on the ASA and the remote subnet on the Meraki. It won't work on that subnet. When I do a packet-tracer from the new subnet to the Meraki it says "nat-xlate failed".
The new subnet is NATed to a different public IP; not sure if that matters. Here is my config for the ASA:
interface GigabitEthernet0/0
description WAN
nameif outside
security-level 0
ip address 5.2.201.65 255.255.255.224 standby 5.2.201.66
!
interface GigabitEthernet0/1
description Part of Port-Channel16
channel-group 16 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description Part of Port-Channel16
channel-group 16 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN Failover Interface
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
description Connection between ASA's
nameif To_5516
security-level 10
ip address 192.168.95.1 255.255.255.248 standby 192.168.95.3
!
interface Management0/0
description STATE Failover Interface
management-only
!
interface Port-channel16
lacp max-bundle 8
no nameif
no security-level
no ip address
!
interface Port-channel16.16
description Inside
vlan 16
nameif inside
security-level 100
ip address 10.16.1.251 255.255.255.0 standby 10.16.1.252
!
interface Port-channel16.18
description Interfaces Vlan
vlan 18
nameif Interfaces
security-level 80
ip address 10.18.1.251 255.255.255.0
object network Inside_10.16.1.0
subnet 10.16.1.0 255.255.255.0
description inside network
object network inside
subnet 10.16.1.0 255.255.255.0
description Inside network 10.16.1.0
object network issue_city_Bellevue
subnet 10.211.41.0 255.255.255.0
description issue_city House Bellevue BOH
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp
service-object tcp-udp destination eq domain
object-group network SNMP_Collectors
description SNMP Collectors
network-object object Cacti
network-object object Obersvium
object-group network DM_INLINE_NETWORK_1
network-object object VPN
network-object object VPN_RDS
object-group network DM_INLINE_NETWORK_2
network-object object VPN
network-object object VPN_RDS
object-group network DM_INLINE_NETWORK_3
network-object object Inside_10.16.1.0
network-object object Interfaces
object-group network DM_INLINE_NETWORK_4
network-object 10.16.1.0 255.255.255.0
network-object 10.18.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object 10.16.1.0 255.255.255.0
network-object object Interfaces
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list outside_access_in extended deny icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_8 object-group DM_INLINE_NETWORK_5 object issue_city_Bellevue
access-list Interfaces_access_in extended permit ip any any
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static issue_city_Bellevue issue_city_Bellevue no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static issue_city_Redmond issue_city_Redmond no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static issue_city_Bellevue issue_city_Bellevue no-proxy-arp route-lookup
!
object network inside
nat (inside,outside) dynamic interface
object network Interfaces
nat (Interfaces,outside) dynamic Interface_Public_IP
access-group outside_access_in in interface outside
access-group To_5516_access_in in interface To_5516
access-group inside_access_in in interface inside
access-group Interfaces_access_in in interface Interfaces
route outside 0.0.0.0 0.0.0.0 5.2.201.94 1
route To_5516 10.15.2.0 255.255.255.0 192.168.95.2 1
route To_5516 10.15.33.0 255.255.255.0 192.168.95.2 1
route To_5516 10.45.46.0 255.255.255.192 192.168.95.2 1
route To_5516 10.245.245.0 255.255.255.0 192.168.95.2 1
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 4 match address outside_cryptomap_1
crypto map outside_map 4 set peer 5.23.31.194
crypto map outside_map 4 set ikev1 transform-set AES-256 ESP-AES-256-SHA
group-policy GroupPolicy_5.23.31.194 internal
group-policy GroupPolicy_5.23.31.194 attributes
vpn-tunnel-protocol ikev1
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username company_name password ***** encrypted privilege 15
tunnel-group 5.23.31.194 type ipsec-l2l
tunnel-group 5.23.31.194 general-attributes
default-group-policy GroupPolicy_5.23.31.194
tunnel-group 5.23.31.194 ipsec-attributes
Any advice?
Thanks
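As an added check (not code from the thread, Cisco or Meraki), the script below parses a constructed, simplified excerpt of the posted config and lists every local subnet in the crypto-map ACL that has no identity (no-NAT) twice-NAT rule on the pair formed by that subnet's own ingress interface and outside; on this excerpt it flags 10.18.1.0/24, whose only exemption is on (inside,outside) while the subnet sits behind the Interfaces interface. It assumes object Interfaces is 10.18.1.0/24 (its subnet line is not in the post) and a one-word protocol in the ACL.

```python
import ipaddress

# Constructed, simplified excerpt of the ASA config posted above; the crypto ACL's protocol
# object-group is replaced by "ip". Assumption: object Interfaces is 10.18.1.0/24 (not in the post).
ASA_CONFIG = """\
interface Port-channel16.16
 nameif inside
 ip address 10.16.1.251 255.255.255.0 standby 10.16.1.252
interface Port-channel16.18
 nameif Interfaces
 ip address 10.18.1.251 255.255.255.0
object network Interfaces
 subnet 10.18.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
 network-object 10.16.1.0 255.255.255.0
 network-object 10.18.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_5
 network-object 10.16.1.0 255.255.255.0
 network-object object Interfaces
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_5 object issue_city_Bellevue
nat (inside,outside) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static issue_city_Bellevue issue_city_Bellevue no-proxy-arp route-lookup
"""

def parse(cfg):
    """nameif -> connected net, identity twice-NAT rules, and ACL source subnets (via objects)."""
    ifaces, objs, nats, acls, cur = {}, {}, [], {}, ("", None)
    for tok in (l.split() for l in cfg.splitlines() if l.strip()):
        if tok[0] == "nameif":
            cur = ("if", tok[1])
        elif tok[:2] == ["ip", "address"] and cur[0] == "if":
            ifaces[cur[1]] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
        elif tok[0] in ("object", "object-group"):
            cur = ("obj", objs.setdefault(tok[2], []))      # list is filled by the lines below
        elif tok[0] in ("subnet", "network-object") and cur[0] == "obj":
            cur[1].extend(objs.get(tok[2], []) if tok[1] == "object" else [ipaddress.ip_network(f"{tok[1]}/{tok[2]}")])
        elif tok[0] == "nat" and tok[2:4] == ["source", "static"] and tok[4] == tok[5]:
            nats.append((*tok[1].strip("()").split(","), objs.get(tok[4], [])))  # identity (no-NAT) rule
        elif tok[0] == "access-list" and tok[3:4] == ["permit"] and tok[5] in ("object", "object-group"):
            acls.setdefault(tok[1], []).extend(objs.get(tok[6], []))  # assumes a one-word protocol
    return ifaces, nats, acls

def uncovered_vpn_subnets(cfg, acl, outside="outside"):
    """Crypto-ACL local subnets with no identity NAT on the (ingress interface, outside) pair."""
    ifaces, nats, acls = parse(cfg)
    bad = []
    for net in acls.get(acl, []):
        ingress = next((n for n, inet in ifaces.items() if net.subnet_of(inet)), None)
        if not any(s == ingress and d == outside and any(net.subnet_of(x) for x in subs) for s, d, subs in nats):
            bad.append((str(net), ingress))
    return bad
```

Appending an identity rule on the (Interfaces,outside) pair for the Interfaces object to the excerpt makes the check return an empty list.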
10-23-2019 12:16 PM
Basically, the Meraki portal page just allows you to configure the site-to-site VPN. It asks which subnets need to traverse the VPN, and I put in the 10.16.1.0 and 10.18.1.0 subnets.
There isn't much to configure on it as it's basic.
When I do a packet-tracer on the ASA I get a NAT translation error.
10-23-2019 02:58 PM
Meraki looked at the ASA config as well and thinks it looks OK.
They are suggesting this: put a 10.16.0.0/14 subnet for the local network, and do the same on the Meraki for the remote network.
What do you think about that? I haven't done it yet, as it would bring down our other VPN tunnels for at least 30 seconds or so. I'm planning on testing it tomorrow with a spare Meraki.
Thanks again