Re: How to NAT Client VPN to Site-to-Site vpn? - Page 4

gray25251 · ‎01-18-2013

I have a site-to-site vpn connection to a remote client site that can be accessed from the servers in the following access list

access-list MATCHJLS extended permit ip 78.129.xxx.0 255.255.255.128 object-group DM_INLINE_NETWORK_1

object-group network DM_INLINE_NETWORK_1
 network-object host 172.19.60.52
 network-object host 172.19.60.53
 network-object host 172.19.60.68
 network-object host 172.19.60.69
 network-object host 172.19.60.84
 network-object host 172.19.60.85
 network-object host 172.19.60.86

I would also like 10.1.1.0/24 and 10.255.255.0/24 to access the remote site but the admin onsite says that NAT

should be used with the existing access and they won't add the additional rules due to a possible ip conflict.

I'm not sure how to do this. Any advice would be much appreciated.

Michal Garcarz · ‎01-19-2013

OK.

1. First try to upgrade, it might solve the problem

2. If upgrade will not fix it, please send me back results for both tests:

packet-tracer input inside icmp 10.1.1.10 8 0 172.19.60.52 det

packet-tracer input inside icmp 10.255.255.10 8 0 172.19.60.52 det

And some more details:

sh asp table classify crypto

sh asp table vpn-context detail

sh asp drop

But first test newer version of software.

--

Michal

gray25251 · ‎01-22-2013

Router is now running asa825-33-k8.bin. No change unfortunately. I ran the commands as requested -

Result of the command: "packet-tracer input inside icmp 10.1.1.10 8 0 172.19.60.52 det"

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab87b088, priority=1, domain=permit, deny=false

hits=5873, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 Outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group allow in interface Inside

access-list allow extended permit ip any any

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab8da840, priority=12, domain=permit, deny=false

hits=358, user_data=0xa8acab80, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab87da98, priority=0, domain=inspect-ip-options, deny=true

hits=475, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab87d710, priority=66, domain=inspect-icmp-error, deny=false

hits=19, user_data=0xab87d5f8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (Inside) 11 access-list policy-nat

match ip Inside 10.1.1.0 255.255.255.0 Outside host 172.19.60.52

dynamic translation to pool 11 (78.129.151.105)

translate_hits = 1, untranslate_hits = 0

Additional Information:

Dynamic translate 10.1.1.10/0 to 78.129.151.105/31664 using netmask 255.255.255.255

Forward Flow based lookup yields rule:

in id=0xab8ae3f0, priority=2, domain=nat, deny=false

hits=1, user_data=0xab8ae330, cs_id=0x0, flags=0x0, protocol=0

src ip=10.1.1.0, mask=255.255.255.0, port=0

dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (Inside) 11 access-list policy-nat

match ip Inside 10.1.1.0 255.255.255.0 Outside host 172.19.60.52

dynamic translation to pool 11 (78.129.151.105)

translate_hits = 1, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab8ae520, priority=2, domain=host, deny=false

hits=162, user_data=0xab8ae330, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=10.1.1.0, mask=255.255.255.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xabf64438, priority=70, domain=encrypt, deny=false

hits=1, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0

src ip=78.129.151.0, mask=255.255.255.128, port=0

dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0

Result:

input-interface: Inside

input-status: up

input-line-status: up

output-interface: Outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Result of the command: "packet-tracer input inside icmp 10.255.255.10 8 0 172.19.60.52 det"

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 Outside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group allow in interface Inside

access-list allow extended permit ip any any

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab8da840, priority=12, domain=permit, deny=false

hits=359, user_data=0xa8acab80, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab87da98, priority=0, domain=inspect-ip-options, deny=true

hits=476, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab87d710, priority=66, domain=inspect-icmp-error, deny=false

hits=20, user_data=0xab87d5f8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (Inside) 10 access-list policy-nat-two

match ip Inside 10.255.255.0 255.255.255.0 Outside host 172.19.60.52

dynamic translation to pool 10 (78.129.151.106)

translate_hits = 1, untranslate_hits = 0

Additional Information:

Dynamic translate 10.255.255.10/0 to 78.129.151.106/25111 using netmask 255.255.255.255

Forward Flow based lookup yields rule:

in id=0xab8cd310, priority=2, domain=nat, deny=false

hits=1, user_data=0xab8cd250, cs_id=0x0, flags=0x0, protocol=0

src ip=10.255.255.0, mask=255.255.255.0, port=0

dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (Inside) 10 access-list policy-nat-two

match ip Inside 10.255.255.0 255.255.255.0 Outside host 172.19.60.52

dynamic translation to pool 10 (78.129.151.106)

translate_hits = 1, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in id=0xab8cd668, priority=2, domain=host, deny=false

hits=2, user_data=0xab8cd250, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=10.255.255.0, mask=255.255.255.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xabf64438, priority=70, domain=encrypt, deny=false

hits=2, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0

src ip=78.129.151.0, mask=255.255.255.128, port=0

dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0

Result:

input-interface: Inside

input-status: up

input-line-status: up

output-interface: Outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Result of the command: "sh asp table classify crypto"

Interface Inside:

Interface Outside:

in id=0xa7aae2d8, priority=70, domain=decrypt, deny=false

hits=2, user_data=0x5124, cs_id=0x0, reverse, flags=0x0, protocol=50

src ip=212.118.128.233, mask=255.255.255.255, port=51829

dst ip=87.117.213.66, mask=255.255.255.255, port=1576, dscp=0x0

in id=0xac447cc0, priority=70, domain=decrypt, deny=false

hits=1, user_data=0x89bc, cs_id=0x0, reverse, flags=0x0, protocol=17

src ip=37.19.98.120, mask=255.255.255.255, port=49259

dst ip=87.117.213.66, mask=255.255.255.255, port=4500, dscp=0x0

in id=0xac4583c0, priority=70, domain=decrypt, deny=false

hits=1, user_data=0xd014, cs_id=0x0, reverse, flags=0x0, protocol=17

src ip=46.242.71.196, mask=255.255.255.255, port=52470

dst ip=87.117.213.66, mask=255.255.255.255, port=4500, dscp=0x0

in id=0xac45a348, priority=70, domain=decrypt, deny=false

hits=3, user_data=0x11a2c, cs_id=0x0, reverse, flags=0x0, protocol=50

src ip=212.118.128.233, mask=255.255.255.255, port=37242

dst ip=87.117.213.66, mask=255.255.255.255, port=50445, dscp=0x0

in id=0xa7aae010, priority=69, domain=ipsec-tunnel-flow, deny=false

hits=2, user_data=0x5124, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=212.118.157.213, mask=255.255.255.255, port=0

dst ip=78.129.151.26, mask=255.255.255.255, port=0, dscp=0x0

in id=0xac447c28, priority=69, domain=ipsec-tunnel-flow, deny=false

hits=41, user_data=0x89bc, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=10.255.255.1, mask=255.255.255.255, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

in id=0xac458328, priority=69, domain=ipsec-tunnel-flow, deny=false

hits=33, user_data=0xd014, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=10.255.255.2, mask=255.255.255.255, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

in id=0xac45a2b0, priority=69, domain=ipsec-tunnel-flow, deny=false

hits=1, user_data=0x11a2c, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=212.118.157.205, mask=255.255.255.255, port=0

dst ip=78.129.151.26, mask=255.255.255.255, port=0, dscp=0x0

in id=0xac19c1c8, priority=12, domain=ipsec-natt, deny=false

hits=4, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=17

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=87.117.213.66, mask=255.255.255.255, port=4500, dscp=0x0

in id=0xab79fd58, priority=12, domain=ipsec-tunnel-flow, deny=true

hits=98, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

in id=0xac19cc28, priority=12, domain=ipsec-tunnel-flow, deny=true

hits=0, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

src ip=::/0, port=0

dst ip=::/0, port=0

out id=0xab83e660, priority=70, domain=encrypt, deny=false

hits=0, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=255.255.255.255, port=0

dst ip=0.0.0.0, mask=255.255.255.255, port=0, dscp=0x0

out id=0xabf64438, priority=70, domain=encrypt, deny=false

hits=2, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0

src ip=78.129.151.0, mask=255.255.255.128, port=0

dst ip=172.19.60.52, mask=255.255.255.255, port=0, dscp=0x0

out id=0xabf64730, priority=70, domain=encrypt, deny=false

hits=0, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0

src ip=78.129.151.0, mask=255.255.255.128, port=0

dst ip=172.19.60.53, mask=255.255.255.255, port=0, dscp=0x0

out id=0xabf64a28, priority=70, domain=encrypt, deny=false

hits=0, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0

src ip=78.129.151.0, mask=255.255.255.128, port=0

dst ip=172.19.60.68, mask=255.255.255.255, port=0, dscp=0x0

out id=0xabf64d20, priority=70, domain=encrypt, deny=false

hits=0, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0

src ip=78.129.151.0, mask=255.255.255.128, port=0

dst ip=172.19.60.69, mask=255.255.255.255, port=0, dscp=0x0

out id=0xabf65018, priority=70, domain=encrypt, deny=false

hits=0, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0

src ip=78.129.151.0, mask=255.255.255.128, port=0

dst ip=172.19.60.84, mask=255.255.255.255, port=0, dscp=0x0

out id=0xabf65310, priority=70, domain=encrypt, deny=false

hits=0, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0

src ip=78.129.151.0, mask=255.255.255.128, port=0

dst ip=172.19.60.85, mask=255.255.255.255, port=0, dscp=0x0

out id=0xabf65608, priority=70, domain=encrypt, deny=false

hits=0, user_data=0x0, cs_id=0xab894da8, reverse, flags=0x0, protocol=0

src ip=78.129.151.0, mask=255.255.255.128, port=0

dst ip=172.19.60.86, mask=255.255.255.255, port=0, dscp=0x0

out id=0xac17bd80, priority=70, domain=encrypt, deny=false

hits=0, user_data=0x0, cs_id=0xab895290, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=255.255.255.255, port=0

dst ip=0.0.0.0, mask=255.255.255.255, port=0, dscp=0x0

out id=0xac17c0e0, priority=70, domain=encrypt, deny=false

hits=0, user_data=0x0, cs_id=0xab895290, reverse, flags=0x0, protocol=0

src ip=78.129.151.0, mask=255.255.255.224, port=0

dst ip=10.180.9.121, mask=255.255.255.255, port=0, dscp=0x0

out id=0xac17c3d8, priority=70, domain=encrypt, deny=false

hits=0, user_data=0x0, cs_id=0xab895290, reverse, flags=0x0, protocol=0

src ip=78.129.151.0, mask=255.255.255.224, port=0

dst ip=10.180.9.120, mask=255.255.255.255, port=0, dscp=0x0

out id=0xac17c6d0, priority=70, domain=encrypt, deny=false

hits=0, user_data=0x0, cs_id=0xab895290, reverse, flags=0x0, protocol=0

src ip=78.129.151.0, mask=255.255.255.224, port=0

dst ip=10.180.9.221, mask=255.255.255.255, port=0, dscp=0x0

out id=0xac17c9c8, priority=70, domain=encrypt, deny=false

hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=255.255.255.255, port=0

dst ip=0.0.0.0, mask=255.255.255.255, port=0, dscp=0x0

out id=0xac17cd28, priority=70, domain=encrypt, deny=false

hits=0, user_data=0x0, cs_id=0xab83d8b8, reverse, flags=0x0, protocol=0