02-13-2018 07:07 AM - edited 03-12-2019 05:01 AM
Hello,
I'm trying to set up a VPN that maps all internal subnets to a single private IP for a remote hosted application. I'm on an ASA 5585X running 9.4(4)16 and need some configuration assistance.
object network AppVendor-Network
host 192.168.10.75
object network PAT-to-AppVendor
host 10.250.2.11
access-list AppVendor-l2l extended permit ip any4 object AppVendor-Network
nat (inside,outside) source dynamic any PAT-to-AppVendor destination static AppVendor-Network AppVendor-Network
crypto map outside_map 220 match address AppVendor-l2l
crypto map outside_map 220 set peer AppVendor-l2l-peer
crypto map outside_map 220 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 220 set pfs group5
Any assistance would be greatly appreciated.
02-14-2018 07:33 AM
Hello @drakow,
Can you try the packet-tracer in order to see if the traffic goes through the VPN tunnel?
packet-tracer input inside icmp <inside host> 8 0 192.168.10.75 detail
HTH
Gio
02-14-2018 08:00 AM - edited 02-14-2018 08:01 AM
I did that and when I initiate a constant ping it creates an SA.
I did a packet capture and the packets are not leaving the outside interface.
I don't think the dynamic PAT is working, I must be missing something.
Crypto map tag: outside_map, seq num: 220, local addr: x.x.x.x
access-list AppVendor-l2l extended permit ip host 10.250.2.11 host 192.168.10.75
local ident (addr/mask/prot/port): (10.250.2.11/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.10.75/255.255.255.255/0/0)
current_peer: AppVendor-l2l-peer
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.x/0, remote crypto endpt.: AppVendor-l2l-peer/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C8213C95
current inbound spi : E4EE134B
inbound esp sas:
spi: 0xE4EE134B (3840807755)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 1179648, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/28789)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xC8213C95 (3357621397)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 1179648, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373999/28789)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
02-14-2018 08:22 AM
02-14-2018 10:28 AM
packet-tracer input inside icmp 10.70.128.87 8 0 192.168.10.75
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffc8874f90, priority=1, domain=permit, deny=false
hits=161625351, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source dynamic any PAT-to-AppVendor destination static AppVendor-Network AppVendor-Network
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.10.75/0 to 192.168.10.75/0
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any PAT-to-AppVendor destination static AppVendor-Network AppVendor-Network
Additional Information:
Dynamic translate 10.70.128.87/0 to 10.250.2.11/29955
Forward Flow based lookup yields rule:
in id=0x7fffbd2867a0, priority=6, domain=nat, deny=false
hits=1722, user_data=0x7fffc8d8f3d0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=192.168.10.75, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffbcf26050, priority=0, domain=nat-per-session, deny=true
hits=1146625271, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffc887ce50, priority=0, domain=inspect-ip-options, deny=true
hits=2969856, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffc887c700, priority=66, domain=inspect-icmp-error, deny=false
hits=525568, user_data=0x7fffc41eb970, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fffc91cb1c0, priority=70, domain=encrypt, deny=false
hits=1723, user_data=0x0, cs_id=0x7fffbd7416b0, reverse, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any
dst ip/id=192.168.10.75, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
02-14-2018 12:39 PM
Hello @drakow,
By any chance, do you have the config from the other side in order to check the ACL? On yours, you have ANY to the IP on the other side and I don't know if the peer has it that way.
Another thing: you need to run the packet-tracer command twice, since the first one is always dropped because it is triggering the VPN tunnel.
HTH
Gio
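A small parser for output in the shape posted above, added here as an example (it is not from the thread or from Cisco): it splits packet-tracer output into its phases plus the trailing Result block, and pulls the post-NAT source address out of the NAT phase, which is the address the crypto ACL sees when PAT is applied before the VPN encrypt phase as in this thread. The embedded trace is a constructed excerpt shaped like the one posted, not the poster's own capture.

```python
import re

# Constructed excerpt shaped like ASA "packet-tracer ... detail" output (NAT and VPN phases plus the trailing Result block).
SAMPLE_TRACE = """\
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any PAT-to-AppVendor destination static AppVendor-Network AppVendor-Network
Additional Information:
Dynamic translate 10.70.128.87/0 to 10.250.2.11/29955
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts plus the final Result: block."""
    phases, summary, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, _, val = line.partition(":")
        if line.startswith("Phase:"):
            cur = {"number": int(val), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":                  # summary block carries no value
            cur, section = None, "summary"
        elif section == "summary":
            summary[key.lower().replace("-", "_")] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if key == "Config" else "info"
        elif section is None and cur and key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = val.strip()      # Subtype may be empty, as on the page
        elif section:
            cur[section].append(line)
    return phases, summary

def translated_source(phases):
    """Post-NAT source from the NAT phase ('Dynamic translate A to B/port'): the
    address the crypto ACL must match, not the real inside host."""
    infos = "\n".join(ln for p in phases if p.get("type") == "NAT" for ln in p["info"])
    m = re.search(r"Dynamic translate \S+ to ([\d.]+)/", infos)
    return m.group(1) if m else None
```

A DROP in the VPN/encrypt phase with an acl-drop reason on the first run is the cold-tunnel case described in the reply above; the parsed result should be read against a second run made once the SA exists.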
02-19-2018 12:35 PM
I didn't run packet tracer twice, thanks for reminding me!
Ran the second time with an active SA and result was allow.
They finally put me in touch with their VPN engineer and he did not understand that we were using PAT. They opened up their side and the VPN is up. Thanks for your help as this was my first PAT configuration post v8.2.