11-13-2012 08:18 PM - edited 03-04-2019 06:08 PM
Hi guys,
I have established a site-to-site VPN. The config is as follows: 192.168.32.0/24 (SITE A) >--> 192.168.30.0/24 (SITE B)
Site B has 192.168.30.1 as the outside address of the ASA firewall. On the other end of the cable I have a Debian server (192.168.31.2) that re-routes the packets from/to the internal network (192.168.31.0/24). All the packets arriving at the ASA from the internal network appear as 192.168.31.2 (the IP of the Debian server).
When the VPN is established, from Site A I can ping the Debian server installed on Site B correctly.
If I try to ping any server on Site B from the Debian server, the ping works correctly.
When I try to ping any host of the internal network of Site B behind the Debian server from Site A, I get the following message:
"Teardown ICMP connection for faddr 192.168.31.11/0 gaddr 192.168.32.10/1 laddr 192.168.32.10/1".
Any idea why this happens? I mapped both the networks (192.168.30.0/24 and 192.168.31.24) when I created the VPNs tunnel using the wizard.
Thanks,
Dario
SITEA Configuration:
object-group network DM_INLINE_NETWORK_1
network-object object SITE-B-DEBIAN-SUBNET
network-object object SITE-B-INTERNAL-NETWORK
access-list outside_cryptomap extended permit ip object SITE-A-INTERNAL-NETWORK object-group DM_INLINE_NETWORK_1
nat (inside,outside) source static SITE-A-INTERNAL-NETWORK SITE-A-INTERNAL-NETWORK destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup
!
object network SITE-A-INTERNAL-NETWORK
nat (inside,outside) dynamic interface
object network obj_any
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_XXXXXXXX internal
group-policy GroupPolicy_XXXXXXXX attributes
vpn-tunnel-protocol ikev2
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX general-attributes
default-group-policy GroupPolicy_XXXXXXXX
tunnel-group XXXXXXXX ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
===============
SITEB CONFIGURATION
object network SITE-B-INTERNAL-NETWORK
subnet 192.168.31.0 255.255.255.0
object network SITE-A-INTERNAL-NETWORK
subnet 192.168.32.0 255.255.255.0
object network SITE-B-DEBIAN-SUBNET
subnet 192.168.30.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object SITE-B-EXTERNAL-IP
network-object object SITE-B-VPN-SERVER
object-group network DM_INLINE_NETWORK_2
network-object object SITE-B-DEBIAN-SUBNET
network-object object SITE-B-INTERNAL-NETWORK
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object SITE-A-INTERNAL-NETWORK
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static SITE-A-INTERNAL-NETWORK SITE-A-INTERNAL-NETWORK no-proxy-arp route-lookup
!
route inside 192.168.31.0 255.255.255.0 192.168.30.2 1
group-policy GroupPolicy_YYYYYYYYYYYYYYYYY internal
group-policy GroupPolicy_YYYYYYYYYYYYYYYYY attributes
vpn-tunnel-protocol ikev2
tunnel-group YYYYYYYYYYYYYYYYY type ipsec-l2l
tunnel-group YYYYYYYYYYYYYYYYY general-attributes
default-group-policy GroupPolicy_YYYYYYYYYYYYYYYYY
tunnel-group YYYYYYYYYYYYYYYYY ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
Solved! Go to Solution.
11-14-2012 03:05 AM
In that case, you would need to remove all the crypto map configuration and disable ISAKMP on the ASA.
That port is already reserved on the ASA outside interface because you have those VPN tunnels configured earlier.
no crypto isakmp enable outside
11-13-2012 11:01 PM
Apologies, I am a little confused.
This statement: Site B has 192.168.30.1 as outside address of the ASA firewall.
Do you mean: as inside address of the ASA?
So the Debian server is actually behind the ASA?
Internet -- (outside) ASA (inside) - Debian server
Is this how they are connected?
Is the Debian server NATing everything from internal to its address? (If that is the case, then you won't be able to access the server from Site A, because you have PAT'd it to the Debian server IP address.)
11-13-2012 11:09 PM
Hi Jennifer,
Your statement is correct: the Debian server is behind the ASA (Site B) and it is NATing all the traffic coming from the LAN.
Thanks for your reply,
Dario
11-14-2012 12:08 AM
Hi Jennifer,
As plan B I have been asked to establish a site-to-site VPN between the SITE-A ASA and an internal IPsec VPN server (Microsoft). When I try to type the following commands, IOS returns "ERROR: NAT unable to reserve ports."
object network SITEB-VPN-SERVER-IPSEC
nat (inside,outside) static interface service udp 4500 4500
When I try to reserve any other port, it works perfectly. I have already enabled the "inspect ipsec-pass-thru" but with no luck.
Any idea?
Thanks,
Dario
11-14-2012 06:22 PM
Hi Jennifer.
Due to time constraints we bought the UL license pack and removed the Debian server so I cannot verify if your solution works.
Yesterday I tried to remove the VPN definition without typing your last command, and that is probably what I missed.
Thanks anyway,
Dario