ASA 5505 8.2.1 Site-to-Site VPN NAT problem

Matthew Schanke
Level 1

Hi Everyone,

On one of our branch locations' ASA, I have a L2L VPN setup. However, we are adding wireless to this remote location, and the APs will talk back to the controller at HQ. The APs are on the downstream L3 switch, and they have been placed on the mgmt network. It's definitely not ideal to have these APs on the mgmt network, but for now that is how it is set up. From HQ (163.122.x.x) I can ping and reach the ASA (10.200.2.1) and the downstream L3 switch (10.200.2.100), but when I ping one of the APs, I get timeouts and the following error on the ASA:

%ASA-3-305005: No translation group found for icmp src outside:10.205.216.73 dst mgmt:10.200.2.152 (type 8, code 0)

At HQ, there is a VPN 3030 that the ASAs connect to. When sourcing from 163.122.x.x going to 10.200.2.x, the VPN 3030 NATs 163.122.x.x to 10.205.x.x. So, when it reaches the remote ASA, it shows up as 10.205.x.x.

It appears to be a NAT issue on the ASA, but I'm confused about what I need to change. Why can I ping the ASA and the switch from HQ, but not the APs which reside on the same mgmt network? I don't really need it to NAT, just to pass the connections. I currently only have the following two NAT statements in the config. Also, we have another branch ASA, with the same NAT statements, with APs on the mgmt network, and they are able to ping across with no errors.

nat (inside) 0 0.0.0.0 0.0.0.0
nat (mgmt) 0 0.0.0.0 0.0.0.0

The inside network is a public IP range, and the mgmt network is a private range that goes over the VPN back to HQ. On the ASA, any traffic destined for 10.205.x.x goes over the VPN.

Here's the general config.

ASA Version 8.2(1)
!
hostname ciscoasa
domain-name something.com
enable password 1234 encrypted
passwd 1234 encrypted
names
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan5
description isp
nameif outside
security-level 0
ip address 198.109.*.* 255.255.255.248
!
interface Vlan10
description inside
nameif inside
security-level 100
ip address 198.109.*.* 255.255.255.0
!
interface Vlan500
description mgmt
nameif mgmt
security-level 100
ip address 10.200.2.1 255.255.255.0
!
interface Ethernet0/0
description isp
switchport access vlan 5
!
interface Ethernet0/1
description inside
switchport access vlan 10
!
interface Ethernet0/2
description mgmt
switchport access vlan 500
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
name-server 8.8.8.8
domain-name something.com
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging console errors
logging buffered debugging
logging trap errors
logging asdm informational
logging facility 17
logging host mgmt 10.205.2.17
logging host mgmt 10.205.2.201
logging class sys trap informational
logging class webvpn trap informational
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any mgmt
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
nat (inside) 0 0.0.0.0 0.0.0.0
nat (mgmt) 0 0.0.0.0 0.0.0.0
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
access-group MGMT in interface mgmt
route outside 0.0.0.0 0.0.0.0 198.109.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:00:00 absolute uauth 0:03:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
object-group network INSIDE_LAN
network-object 198.109.x.0 255.255.255.0
object-group network MGMT_LAN
network-object 10.200.2.0 255.255.255.0
object-group network MGMT_NAT
network-object 10.205.0.0 255.255.0.0
access-list MGMT-NAT extended permit ip object-group MGMT_LAN object-group MGMT_NAT
aaa-server TACACS (mgmt) host 10.205.2.246
key 1234
aaa-server TACACS (mgmt) host 10.205.2.247
key 1234
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authentication secure-http-client
http server enable
http 10.205.4.152 255.255.255.255 mgmt
http 10.200.2.50 255.255.255.255 mgmt
http 10.205.4.0 255.255.255.0 mgmt
http 10.205.1.0 255.255.255.0 mgmt
crypto ipsec transform-set l2l-ts esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map emudet-map 10 match address MGMT-NAT
crypto map emudet-map 10 set peer 1.2.3.4
crypto map emudet-map 10 set transform-set emudet-ts
crypto map emudet-map 10 set security-association lifetime seconds 28800
crypto map emudet-map 10 set security-association lifetime kilobytes 4608000
crypto map emudet-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 60
console timeout 0
management-access mgmt
dhcpd lease 28800
!
dhcpd address 198.109.*.*-198.109.*.* inside
dhcpd dns *.*.*.* *.*.*.* interface inside
dhcpd option 3 ip 198.109.*.* interface inside
dhcpd enable inside
!
dhcpd address 10.200.2.150-10.200.2.250 mgmt
dhcpd option 3 ip 10.200.2.1 interface mgmt
dhcpd option 43 hex f1100acdd8490acdd84a0acdd8420acdd84b interface mgmt
dhcpd enable mgmt
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.205.4.44 source mgmt
tftp-server mgmt 10.205.4.152 ciscoasa.cfg
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9712922186489fdd06641ae1b84a778c
: end
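The %ASA-3-305005 message quoted above, parsed by a short Python script added here as an example (it is not from the poster, the replies or Cisco): it picks out the flows that arrived over the VPN from the HQ range and were dropped on the way to the mgmt subnet, so the same "no translation" symptom can be spotted in a syslog feed before anyone tries a ping. The 10.205.0.0/16 and 10.200.2.0/24 ranges are taken from the MGMT_NAT and MGMT_LAN object groups in the config; the extra log lines are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
# Layout of ASA message 305005 as quoted in the post; tcp/udp carry a /port, icmp does not.
NO_XLATE_RE = re.compile(
    r"%ASA-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)

# From the poster's config: MGMT_NAT (HQ as seen after the VPN 3030's NAT) and MGMT_LAN.
HQ_VPN_NET = ip_network("10.205.0.0/16")
MGMT_LAN = ip_network("10.200.2.0/24")

def parse_no_xlate(line):
    """Return the fields of a 305005 message, or None for any other log line."""
    m = NO_XLATE_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    f["src_ip"], f["dst_ip"] = ip_address(f["src_ip"]), ip_address(f["dst_ip"])
    return f

def is_vpn_to_mgmt(f):
    """HQ -> branch mgmt flow: entered on outside from the VPN range, aimed at the mgmt
    subnet. This is the low -> high direction that 'nat (mgmt) 0' alone does not cover."""
    return (f["src_if"] == "outside" and f["src_ip"] in HQ_VPN_NET
            and f["dst_if"] == "mgmt" and f["dst_ip"] in MGMT_LAN)

def summarize(lines):
    """Count untranslated VPN -> mgmt flows per (destination host, protocol)."""
    hits = Counter()
    for line in lines:
        f = parse_no_xlate(line)
        if f and is_vpn_to_mgmt(f):
            hits[(str(f["dst_ip"]), f["proto"])] += 1
    return hits

# Constructed sample: the line from the post, two made-up drops, one unrelated message to ignore.
SAMPLE_LOG = [
    "%ASA-3-305005: No translation group found for icmp src outside:10.205.216.73 dst mgmt:10.200.2.152 (type 8, code 0)",
    "%ASA-3-305005: No translation group found for tcp src outside:10.205.216.73/51234 dst mgmt:10.200.2.152/22",
    "%ASA-3-305005: No translation group found for icmp src outside:10.205.216.73 dst mgmt:10.200.2.153 (type 8, code 0)",
    "%ASA-6-302020: Built outbound ICMP connection for faddr 10.205.4.44/0 gaddr 10.200.2.1/0 laddr 10.200.2.1/0",
]

if __name__ == "__main__":
    for (host, proto), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host:<14} {proto:<5} {n} flow(s) dropped: no translation for outside -> mgmt")
```

Both dropped destinations fall inside the mgmt DHCP pool (10.200.2.150-250) from the config, which is consistent with the poster's APs picking up addresses there while the ASA and switch, which are reachable, sit outside it.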

2 Replies

tamoorlatif
Level 1

Hi,

I see you have "nat-control" enabled in addition to the nat statements you mentioned above. I would remove the statements below from the configuration for testing purposes and see if it starts to work. Then add them back one by one to see which one is causing this issue; most likely it's going to be nat-control.

nat-control
nat (inside) 0 0.0.0.0 0.0.0.0
nat (mgmt) 0 0.0.0.0 0.0.0.0
clear xlate

nat (mgmt) 0 0.0.0.0 0.0.0.0 will only work for outbound connections, from high to low, while you need traffic from outside to mgmt (low to high).

Try adding:

static (mgmt,outside) 10.200.2.0 10.200.2.0 netmask 255.255.255.0

and make sure traffic is allowed on the outside interface (I didn't see access-list OUTSIDE in your configuration).

Regards