Solved: VPN behind NAT

Dario Francesco Vanin · ‎11-13-2012

Hi guys,

I have estabilished a site-to-site VPN. The config is as follows: 192.168.32.0/24 (SITE A) >--> 192.168.30.0/24 (SITE B)

Site B has 192.168.30.1 as outside address of the ASA firewall. On the other peer of the cable I have a Debian server (192.168.31.2) that re-routes the packets from/to the internal network (192.168.31.0/24). All the packets arriving to the ASA from the internal network appear as 192.168.31.2 (the ip of the debian server).

When VPN is estabilished, from the Site A I can ping the debian server installed on the Site B correctly.

If I try to ping any server on the site B from the Debian server, the ping works correctly.

When I try to ping any host of the internal network of the site B behind the debian from the site A, I get the following message:

"Teardown ICMP connection for faddr 192.168.31.11/0 gaddr 192.168.32.10/1 laddr 192.168.32.10/1".

Any idea why this happens? I mapped both the networks (192.168.30.0/24 and 192.168.31.24) when I created the VPNs tunnel using the wizard.

Thanks,

Dario

SITEA Configuration:

object-group network DM_INLINE_NETWORK_1

network-object object SITE-B-DEBIAN-SUBNET

network-object object SITE-B-INTERNAL-NETWORK

access-list outside_cryptomap extended permit ip object SITE-A-INTERNAL-NETWORK object-group DM_INLINE_NETWORK_1

nat (inside,outside) source static SITE-A-INTERNAL-NETWORK SITE-A-INTERNAL-NETWORK destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup

!

object network SITE-A-INTERNAL-NETWORK

nat (inside,outside) dynamic interface

object network obj_any

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy GroupPolicy_XXXXXXXX internal

group-policy GroupPolicy_XXXXXXXX attributes

vpn-tunnel-protocol ikev2

tunnel-group XXXXXXXX type ipsec-l2l

tunnel-group XXXXXXXX general-attributes

default-group-policy GroupPolicy_XXXXXXXX

tunnel-group XXXXXXXX ipsec-attributes

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

===============

SITEB CONFIGURATION

object network SITE-B-INTERNAL-NETWORK

subnet 192.168.31.0 255.255.255.0

object network SITE-A-INTERNAL-NETWORK

subnet 192.168.32.0 255.255.255.0

object network SITE-B-DEBIAN-SUBNET

subnet 192.168.30.0 255.255.255.0

object-group network DM_INLINE_NETWORK_1

network-object object SITE-B-EXTERNAL-IP

network-object object SITE-B-VPN-SERVER

object-group network DM_INLINE_NETWORK_2

network-object object SITE-B-DEBIAN-SUBNET

network-object object SITE-B-INTERNAL-NETWORK

access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object SITE-A-INTERNAL-NETWORK

nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static SITE-A-INTERNAL-NETWORK SITE-A-INTERNAL-NETWORK no-proxy-arp route-lookup

!

route inside 192.168.31.0 255.255.255.0 192.168.30.2 1

group-policy GroupPolicy_YYYYYYYYYYYYYYYYY internal

group-policy GroupPolicy_YYYYYYYYYYYYYYYYY attributes

vpn-tunnel-protocol ikev2

tunnel-group YYYYYYYYYYYYYYYYY type ipsec-l2l

tunnel-group YYYYYYYYYYYYYYYYY general-attributes

default-group-policy GroupPolicy_YYYYYYYYYYYYYYYYY

tunnel-group YYYYYYYYYYYYYYYYY ipsec-attributes

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

Jennifer Halim · ‎11-14-2012

In that case, you would need to remove all the crypto map and disable isakmp configuration from the ASA.

That port is already reserved on the ASA outside interface because you have those VPN tunnel configured earlier.

no crypto isakmp enable outside

View solution in original post

Jennifer Halim · ‎11-13-2012

Apology, I am a little confused.

This statement: Site B has 192.168.30.1 as outside address of the ASA firewall.

Do you mean: as inside address of the ASA?

So the Debian server is actually behind the ASA?

Internet -- (outside) ASA (inside) - Debian server

Is this how they are connected?

Is the Debian server NATing everything from internal to its address? (if that is the case, then you won't be able to access the server from site A, because you have PAT it to the Debian server IP address).

Dario Francesco Vanin · ‎11-13-2012

Hi Jennifer,

Your statement is correct: the Debian server is behind the ASA (SiteB) and and it is NATing all the traffic coming from the LAN.

Thanks for your reply,

Dario

Dario Francesco Vanin · ‎11-14-2012

Hi Jennifer,

As plan B I have been asked to estabilish a site-to-site VPN between the SITE-A ASA and an internal IPSEC VPN server (Microsoft). When I try to type the following commands, IOS returns "ERROR: NAT unable to reserve ports."

object network SITEB-VPN-SERVER-IPSEC

nat (inside,outside) static interface service udp 4500 4500

When I try to reserve any other port, it works perfectly. I have already enabled the "inspect ipsec-pass-thru" but with no luck.

Any idea?

Thanks,

Dario

Jennifer Halim · ‎11-14-2012

In that case, you would need to remove all the crypto map and disable isakmp configuration from the ASA.

That port is already reserved on the ASA outside interface because you have those VPN tunnel configured earlier.

no crypto isakmp enable outside

Dario Francesco Vanin · ‎11-14-2012

Hi Jennifer.

Due to time constraints we bought the UL license pack and removed the Debian server so I cannot verify if your solution works.

Yesterday I tried to remove the VPN definition without typing your last command and that is probably what I missed to do.

Thanks anyway,

Dario

VPN behind NAT

[Q&A 集公開] 1/22 開催 Catalyst SD-WAN - Layer 2 VPN

ASA： 8.3 "NAT 例外" の例 - 基本 L2L VPN と基本 RA VPN

Static NAT の設定例

【原创】IPsec VPN中NAT-T技术简介

Catalyst SD-WAN : Generic SIGを用いたSecure AccessとのIPsec VPNの確立