L2L VPN with PAT Configuration

drakow
Level 1

Hello,

I'm trying to set up a VPN that maps all internal subnets to a single private IP for a remote hosted application. I'm on an ASA 5585X running 9.4(4)16 and need some configuration assistance.

! Remote application host reached through the tunnel
object network AppVendor-Network
  host 192.168.10.75

! The one private address every internal host is PAT'ed to toward the vendor
object network PAT-to-AppVendor
  host 10.250.2.11

! Crypto ACL: AppVendor-Network is a network object, not an object-group, and the
! source must be the translated address, since NAT is applied before the crypto map
! is matched, so the interesting traffic is host 10.250.2.11 -> host 192.168.10.75
access-list AppVendor-l2l extended permit ip object PAT-to-AppVendor object AppVendor-Network

! Twice NAT: PAT any inside source to 10.250.2.11 only when the destination is the vendor host
nat (inside,outside) source dynamic any PAT-to-AppVendor destination static AppVendor-Network AppVendor-Network

crypto map outside_map 220 match address AppVendor-l2l
crypto map outside_map 220 set peer AppVendor-l2l-peer
crypto map outside_map 220 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 220 set pfs group5

Any assistance would be greatly appreciated.
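The two halves of the tunnel that this post implies, written out as an added example (not configuration from the original post or from the vendor): the customer ASA that PATs every inside host to 10.250.2.11 before encryption, and the vendor ASA whose crypto ACL has to be the mirror image of that PAT address rather than of the customer's real subnets. The outside addresses 198.51.100.5 (customer) and 203.0.113.10 (vendor), the sequence and policy numbers, the vendor-side object names and the pre-shared-key placeholder are assumptions; the cipher suite is left at the AES-256/SHA-1/DH group 5 the post uses so it lines up with the transform set above.

```cisco
! ===== Customer ASA (the side doing the PAT), ASA 9.4 syntax =====
! Assumed addresses (RFC 5737 documentation ranges): our outside 198.51.100.5, vendor peer 203.0.113.10
object network AppVendor-Network
  host 192.168.10.75
object network PAT-to-AppVendor
  host 10.250.2.11

! Crypto ACL matches the post-NAT source, so the proxy IDs are 10.250.2.11/32 <-> 192.168.10.75/32
access-list AppVendor-l2l extended permit ip object PAT-to-AppVendor object AppVendor-Network

! Twice NAT at position 1 (Section 1 is first-match): PAT every inside source to 10.250.2.11,
! but only for traffic to the vendor host; everything else keeps its existing NAT behaviour
nat (inside,outside) 1 source dynamic any PAT-to-AppVendor destination static AppVendor-Network AppVendor-Network

crypto ikev1 enable outside
crypto ikev1 policy 220
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 220 match address AppVendor-l2l
crypto map outside_map 220 set peer 203.0.113.10
crypto map outside_map 220 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 220 set pfs group5
crypto map outside_map interface outside

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
  ikev1 pre-shared-key <assumed-psk>

! ===== Vendor ASA (mirror image; assumed object names and sequence numbers) =====
! Interesting traffic is the exact reverse of ours: real server -> customer PAT address.
! Listing the customer's real inside subnets here is wrong: they never appear on the wire.
object network Customer-PAT
  host 10.250.2.11
object network AppServer
  host 192.168.10.75
access-list Customer-l2l extended permit ip object AppServer object Customer-PAT

! NAT exemption so the vendor's own NAT does not rewrite the server when it talks to 10.250.2.11
nat (inside,outside) 1 source static AppServer AppServer destination static Customer-PAT Customer-PAT no-proxy-arp route-lookup

! Same ikev1 policy and transform-set as the customer side, then the mirrored crypto map and tunnel-group
crypto map outside_map 10 match address Customer-l2l
crypto map outside_map 10 set peer 198.51.100.5
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 10 set pfs group5
crypto map outside_map interface outside

tunnel-group 198.51.100.5 type ipsec-l2l
tunnel-group 198.51.100.5 ipsec-attributes
  ikev1 pre-shared-key <assumed-psk>
```

Quick Mode proxy IDs come straight from the two crypto ACLs. If the vendor's ACL lists the customer's real 10.x.x.x subnets instead of 10.250.2.11, Phase 2 fails on a proxy-ID mismatch; if the proxy IDs match but the vendor's NAT or interface ACLs do not know 10.250.2.11, the SA comes up and only one direction flows. The twice-NAT line sits at position 1 because Section 1 rules are first-match: an earlier, broader inside-to-outside rule that also covers 192.168.10.75 (a NAT exemption for another tunnel, say) would win and the PAT would never happen. With the default sysopt connection permit-vpn, decrypted traffic bypasses the outside interface ACL on both boxes; if either side has turned that off, the outside ACL must also permit 10.250.2.11 <-> 192.168.10.75. Group 5 and SHA-1 are kept only for parity with the post; on 9.4 prefer IKEv2 with DH group 14 or higher (or 19/20) and SHA-256 when the vendor supports them.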

6 Replies

GioGonza
Level 4

Hello @drakow

Can you try the packet-tracer in order to see if the traffic goes through the VPN tunnel?

packet-tracer input inside icmp <inside host> 8 0 192.168.10.75 detail

HTH

Gio

I did that and when I initiate a constant ping it creates an SA.

I did a packet capture and the packets are not leaving the outside interface.

I don't think the dynamic PAT is working; I must be missing something.

Crypto map tag: outside_map, seq num: 220, local addr: x.x.x.x

access-list AppVendor-l2l extended permit ip host 10.250.2.11 host 192.168.10.75
local ident (addr/mask/prot/port): (10.250.2.11/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.10.75/255.255.255.255/0/0)
current_peer: AppVendor-l2l-peer


#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: x.x.x.x/0, remote crypto endpt.: AppVendor-l2l-peer/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C8213C95
current inbound spi : E4EE134B

inbound esp sas:
spi: 0xE4EE134B (3840807755)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 1179648, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/28789)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xC8213C95 (3357621397)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 1179648, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373999/28789)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Hello @drakow

Can you share the output for the packet-tracer?

Gio

packet-tracer input inside icmp 10.70.128.87 8 0 192.168.10.75

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffc8874f90, priority=1, domain=permit, deny=false
hits=161625351, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source dynamic any PAT-to-AppVendor destination static AppVendor-Network AppVendor-Network
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.10.75/0 to 192.168.10.75/0

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any PAT-to-AppVendor destination static AppVendor-Network AppVendor-Network
Additional Information:
Dynamic translate 10.70.128.87/0 to 10.250.2.11/29955
Forward Flow based lookup yields rule:
in id=0x7fffbd2867a0, priority=6, domain=nat, deny=false
hits=1722, user_data=0x7fffc8d8f3d0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=192.168.10.75, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffbcf26050, priority=0, domain=nat-per-session, deny=true
hits=1146625271, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffc887ce50, priority=0, domain=inspect-ip-options, deny=true
hits=2969856, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffc887c700, priority=66, domain=inspect-icmp-error, deny=false
hits=525568, user_data=0x7fffc41eb970, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fffc91cb1c0, priority=70, domain=encrypt, deny=false
hits=1723, user_data=0x0, cs_id=0x7fffbd7416b0, reverse, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any
dst ip/id=192.168.10.75, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hello @drakow

By any chance, do you have the config from the other side in order to check the ACL? On yours, you have ANY to the IP on the other side and I don't know if the peer has it that way.

Another thing, you need to run the packet-tracer command twice since the first one is always dropped because it is triggering the VPN tunnel.

HTH

Gio
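The checks behind the two replies above (run packet-tracer twice, then confirm the peer actually sees the PAT address) as one sequence on the customer ASA. This is an added example, not commands from the original posts; 10.70.128.87 is the test host from the packet-tracer output earlier in the thread, 203.0.113.10 is an assumed address for the vendor peer, and the capture ACL and capture names are made up.

```cisco
! 1. With no SA yet, the first run stops at Phase VPN/encrypt with "acl-drop" while IKE
!    is kicked off; the second run, against the live SA, is the one to read.
packet-tracer input inside icmp 10.70.128.87 8 0 192.168.10.75
packet-tracer input inside icmp 10.70.128.87 8 0 192.168.10.75
!    Second run should show: Phase NAT "Dynamic translate 10.70.128.87/0 to 10.250.2.11/<port>",
!    Phase VPN encrypt Result: ALLOW, and Action: allow.

! 2. Phase 1 established? (state MM_ACTIVE for a main-mode IKEv1 L2L)
show crypto ikev1 sa

! 3. Phase 2: proxy IDs must be the PAT host, and the two packet counters tell the direction story
show crypto ipsec sa peer 203.0.113.10
!    local ident 10.250.2.11/255.255.255.255, remote ident 192.168.10.75/255.255.255.255
!    encaps rising, decaps stuck at 0 -> we encrypt and send, nothing returns: the vendor side
!                                       (its crypto ACL, NAT or route for 10.250.2.11) is the suspect
!    decaps rising, encaps stuck at 0 -> they send, we drop the return: check our xlate, ACLs, asp drops

! 4. Is the PAT happening at all? translate_hits on the twice-NAT rule, and one PAT xlate per flow
show nat detail
show xlate | include 10.250.2.11

! 5. Does ESP actually leave the outside interface? Capture via an ACL, then clean up.
!    Generate the traffic from an inside host (e.g. a continuous ping from 10.70.128.87), not from
!    the ASA's own CLI ping: traffic the ASA sources itself does not follow the through-traffic path.
access-list CAP-ESP extended permit esp any host 203.0.113.10
access-list CAP-ESP extended permit esp host 203.0.113.10 any
capture capesp access-list CAP-ESP interface outside
show capture capesp
no capture capesp
clear configure access-list CAP-ESP

! 6. Anything being dropped silently on this box?
show asp drop
```

The packet-tracer verdict and the SA counters answer different questions: packet-tracer tells you whether this box would NAT and encrypt the flow, while the encaps/decaps split tells you whether the other side is cooperating. Encaps incrementing while decaps stays at zero (the show crypto ipsec sa output earlier in the thread shows one encapsulated and zero decapsulated packets) is the signature of a peer that accepted the SA but does not handle 10.250.2.11 correctly, which is exactly the case where the remote crypto ACL, NAT or routing needs a look rather than the local config.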

I didn't run packet tracer twice, thanks for reminding me!

Ran the second time with an active SA and the result was allow.

They finally put me in touch with their VPN engineer and he did not understand that we were using PAT. They opened up their side and the VPN is up. Thanks for your help as this was my first PAT configuration post v8.2.
