05-03-2013 01:20 PM
Hi,
I found a very strange issue regarding an L2L IPsec VPN tunnel.
On the ASA 5510 I have site-to-site tunnels created for many clients and they are all working fine.
Now I am creating a VPN tunnel for a new client, and as soon as I add the nonat statement, I see that I have no connection to the ASA 5510 and the Internet also disconnects for everyone.
I have to wait 30 seconds, then the Internet comes up and everything works fine, but I see the nonat statement is not added.
sh run nat
nat (INSIDE-VL10) 0 access-list INSIDE_NAT0
nat (INSIDE-VL10) 1 10.7.10.0 255.255.255.0
nat (INSIDE-VL15) 0 access-list INSIDE_NAT0
nat (INSIDE-VL15) 1 10.7.15.0 255.255.255.0
nat (INSIDE-VL5) 0 access-list INSIDE_NAT0
nat (INSIDE-VL5) 1 10.7.5.0 255.255.255.0
nat (INSIDE-VL25) 0 access-list INSIDE_NAT0
nat (INSIDE-VL25) 1 10.7.25.0 255.255.255.0
sh run access-list INSIDE_NAT0
access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN object-group CLIENT1_LAN
access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN object-group CLIENT11_LAN
access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN-SF object-group ABC_LAN-NET
access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN-NET object-group ABC_LAN-SF
access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN-ML object-group ABC_LAN-NET
access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN-NET object-group ABC_LAN-ML
access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN object-group CLIENT2_LAN
access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN-NET object-group ABC_LAN_RVPN-ADMIN
access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN object-group CLIENT3_LAN
access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN-SS object-group CLIENT4_LAN
access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN-SS object-group CLIENT5_LAN
access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN object-group CLIENT6_LAN
########################New Config
object-group network NEWCLIENT_LAN
network-object 10.34.123.184 255.255.255.252
network-object 10.34.185.224 255.255.255.248
network-object 10.45.103.192 255.255.255.192
access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN-SS object-group NEWCLIENT_LAN
access-list VPN_ABC-NEWCLIENT extended permit ip object-group ABC_LAN-SS object-group NEWCLIENT_LAN
access-list VPN-FILTER_NEWCLIENT-ABC extended permit ip object-group NEWCLIENT_LAN object-group ABC_LAN-SS
crypto map outside_map0 25 match address VPN_ABC-NEWCLIENT
crypto map outside_map0 25 set pfs
crypto map outside_map0 25 set peer 6.6.6.6
crypto map outside_map0 25 set transform-set ESP-AES-256-SHA
crypto map outside_map0 25 set security-association lifetime seconds 28800
group-policy VPNGP_ABC-NEWCLIENT internal
group-policy VPNGP_ABC-NEWCLIENT attributes
vpn-filter value VPN-FILTER_NEWCLIENT-ABC
tunnel-group 6.6.6.6 type ipsec-l2l
tunnel-group 6.6.6.6 general-attributes
default-group-policy VPNGP_ABC-NEWCLIENT
tunnel-group 6.6.6.6 ipsec-attributes
pre-shared-key fdfsf
isakmp keepalive threshold 30 retry 5
route OUTSIDE 10.34.123.184 255.255.255.252 183.82.0.1 1
route OUTSIDE 10.34.185.224 255.255.255.248 183.82.0.1 1
route OUTSIDE 10.45.103.192 255.255.255.192 183.82.0.1 1
05-03-2013 01:25 PM
Hi,
So you say you add the command, which in turn causes about a 30-second outage to all network connections and to the management connection to the ASA itself. And after you recover the management connection, you see that the ASA has not added the NAT0 statement/configuration?
If this is true then I have not run into this before.
Though the first thing that hits my eye is that you are sharing a single ACL for all the interfaces' NAT0 configurations.
I would suggest creating a separate ACL for each interface on the ASA and using that separate ACL on each interface "nat (nameif) 0 access-list
- Jouni
05-03-2013 01:52 PM
Hi Jouni,
That's correct, I am facing this issue.
Regarding "nat (nameif) 0 access-list
05-03-2013 01:54 PM
But how does this make a difference, as all traffic goes for NAT0?
05-03-2013 01:56 PM
Hi,
Yes, I understand that doing this change would naturally affect the existing connections.
I can't be sure that this would change anything, though. Still, I would suggest at some point considering configuring the ACL for each interface's NAT0 separately.
I would have expected that if only the Internet traffic had been affected, it might have been possible that the "any" parameter had been used in the NAT0 ACL. But as you say this affects even the ASA management connection, that would not seem likely.
On the basis of the configurations you have shown us I can only guess that the problem might be with the NAT0 configurations sharing the same ACL. At least this is a highly unusual way of configuring NAT0 from my perspective.
- Jouni
05-03-2013 02:15 PM
Okay,
In that case, can I use the same ACL for different interfaces?
05-03-2013 02:18 PM
Hi,
As I said, I would personally make a separate ACL for each interface's NAT0 configuration and not use a single ACL for every interface.
I don't know if this would make any difference to your problem. I have not faced the problem you are facing.
Maybe it might even be some resource-related problem, depending on the amount of configuration you have on the ASA.
- Jouni
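The suggestion above amounts to two checks an operator can script against the running config: find any NAT0 ACL that several interfaces reference, and generate a per-interface replacement that is populated before the `nat (nameif) 0 access-list` statement is switched, so no interface is left without an exemption in between. The following is an added example, not code from the thread or from Cisco; the sample config is a trimmed copy of the output posted above, and `EXAMPLE_MAP` (which source object-groups sit behind which interface) is an assumption the operator must replace with the real layout. Interfaces left out of the map receive a full copy of the shared ACL, which is the conservative choice.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the "sh run nat" / "sh run access-list" output
# posted in the thread. Object-group names are the poster's; no real addresses are needed.
SAMPLE_RUN = """\
nat (INSIDE-VL10) 0 access-list INSIDE_NAT0
nat (INSIDE-VL10) 1 10.7.10.0 255.255.255.0
nat (INSIDE-VL15) 0 access-list INSIDE_NAT0
nat (INSIDE-VL15) 1 10.7.15.0 255.255.255.0
nat (INSIDE-VL5) 0 access-list INSIDE_NAT0
nat (INSIDE-VL5) 1 10.7.5.0 255.255.255.0
nat (INSIDE-VL25) 0 access-list INSIDE_NAT0
nat (INSIDE-VL25) 1 10.7.25.0 255.255.255.0
access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN object-group CLIENT1_LAN
access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN-SS object-group CLIENT4_LAN
access-list INSIDE_NAT0 extended permit ip object-group ABC_LAN-SS object-group NEWCLIENT_LAN
"""

# Assumed mapping (the operator must supply the real one): which source object-groups
# sit behind which interface. Interfaces left out of the map receive a full copy of
# the shared ACL, so no exemption is silently dropped.
EXAMPLE_MAP = {
    "INSIDE-VL10": {"ABC_LAN"},
    "INSIDE-VL5": {"ABC_LAN-SS"},
}

NAT0_RE = re.compile(r"^nat \((?P<ifc>[^)]+)\) 0 access-list (?P<acl>\S+)$")
ACE_RE = re.compile(r"^access-list (?P<acl>\S+) extended (?P<body>.+)$")
SRC_RE = re.compile(r"^permit ip object-group (?P<src>\S+) ")


def parse_nat0(config):
    """Map each NAT0 ACL name to the ordered list of interfaces that reference it."""
    usage = defaultdict(list)
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            usage[m.group("acl")].append(m.group("ifc"))
    return dict(usage)


def parse_aces(config):
    """Map each ACL name to its (source_group, ace_body) entries in configured order.
    source_group is None for entries not written in the object-group form seen here."""
    aces = defaultdict(list)
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            src = SRC_RE.match(m.group("body"))
            aces[m.group("acl")].append((src.group("src") if src else None, m.group("body")))
    return dict(aces)


def shared_nat0_acls(config):
    """NAT0 ACLs referenced by more than one interface: the pattern flagged in the thread."""
    return sorted(acl for acl, ifcs in parse_nat0(config).items() if len(ifcs) > 1)


def split_nat0(config, groups_behind):
    """Emit CLI lines that give every interface sharing a NAT0 ACL its own ACL.

    The new ACL is populated before the nat statement is switched, so there is no
    window in which an interface has no exemption at all."""
    usage = parse_nat0(config)
    aces = parse_aces(config)
    claimed = set().union(*groups_behind.values())
    out = []
    for acl, ifcs in usage.items():
        if len(ifcs) < 2:
            continue
        for ifc in ifcs:
            new_acl = f"{ifc}_NAT0"
            mine = groups_behind.get(ifc)
            for src, body in aces.get(acl, []):
                # Keep the entry if the interface is unmapped, owns the source group,
                # or the source group is not claimed by any interface at all.
                if mine is None or src in mine or src not in claimed:
                    out.append(f"access-list {new_acl} extended {body}")
            out.append(f"no nat ({ifc}) 0 access-list {acl}")
            out.append(f"nat ({ifc}) 0 access-list {new_acl}")
    return out


if __name__ == "__main__":
    print("shared NAT0 ACLs:", shared_nat0_acls(SAMPLE_RUN))
    print("\n".join(split_nat0(SAMPLE_RUN, EXAMPLE_MAP)))
```

Run it against a saved `show running-config` and review the generated lines before pasting them in; the ordering (new ACL entries first, then `no nat`, then the new `nat 0`) is deliberate, because switching the statement before the replacement ACL exists would briefly send tunnel-bound traffic through the interface's dynamic NAT rule.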
05-03-2013 03:08 PM
Thanks Jouni,
It works for me.
I think this time the ACL was taken and there was no disconnection (for both the ASA and the Internet).
Now the tunnel is not up, but I think I can take care of this.