10-21-2019 10:56 AM
Hi, I would like to get some help with troubleshooting Site-to-Site VPN connectivity between two ASAs in a lab environment (GNS3). I have the VPN set up on each site to NAT/PAT its internal subnet to a specific IP address, but it does not work. When I use the mapped address as the interesting traffic, it does not establish a VPN tunnel, and I am not sure what I am doing wrong. I pasted the relevant configuration for both ASAs below. I suppose it must be something pretty simple and yet I can't seem to figure it out. I appreciate any help!
Site A outside IP is 50.50.50.2 (Internet G0/0 is 50.50.50.1)
Site B outside IP is 60.60.60.2 (Internet G0/1 is 60.60.60.1)
Site A and Site B can ping each other's outside IP.
Site A inside subnet is NAT/PAT to 50.50.50.3
Site B inside subnet is NAT/PAT to 60.60.60.3
ASA Site A:
ASA Version 9.7(1)4
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 50.50.50.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.16.0.1 255.255.0.0
!
object network obj-siteA-real
subnet 10.16.0.0 255.255.0.0
object network obj-siteA-map
host 50.50.50.3
object network obj-siteB-real
subnet 10.10.0.0 255.255.0.0
object network obj-siteB-map
host 60.60.60.3
object-group service ogs-srv-icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
access-list acl-outside-in extended permit object-group ogs-srv-icmp object obj-siteB-map any log
access-list acl-outside-in extended deny ip any any log
access-list acl-enc-domain-siteB extended permit ip object obj-siteA-map object obj-siteB-map
nat (inside,outside) source dynamic obj-siteA-real obj-siteA-map destination static obj-siteB-map obj-siteB-map
!
object network obj-siteA-real
nat (inside,outside) dynamic interface
access-group acl-outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 50.50.50.1 1
no sysopt connection permit-vpn
crypto ipsec ikev2 ipsec-proposal ts-aes256-sha256
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map cmap-outside 1 match address acl-enc-domain-siteB
crypto map cmap-outside 1 set peer 60.60.60.2
crypto map cmap-outside 1 set ikev2 ipsec-proposal ts-aes256-sha256
crypto map cmap-outside 1 set security-association lifetime seconds 28800
crypto map cmap-outside interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group 60.60.60.2 type ipsec-l2l
tunnel-group 60.60.60.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
ASA Site B:
ASA Version 9.7(1)4
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 60.60.60.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.0.1 255.255.0.0
!
object network obj-siteB-real
subnet 10.10.0.0 255.255.0.0
object network obj-siteB-map
host 60.60.60.3
object network obj-siteA-real
subnet 10.16.0.0 255.255.0.0
object network obj-siteA-map
host 50.50.50.3
object service obj-icmp
service icmp
object-group service ogs-srv-icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
access-list acl-outside-in extended permit object-group ogs-srv-icmp object obj-siteA-map any log
access-list acl-outside-in extended deny ip any any log
access-list acl-enc-domain-siteA extended permit ip object obj-siteB-map object obj-siteA-map
nat (inside,outside) source dynamic obj-siteB-real obj-siteB-map destination static obj-siteA-map obj-siteA-map
!
object network obj-siteB-real
nat (inside,outside) dynamic interface
access-group acl-outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 60.60.60.1 1
no sysopt connection permit-vpn
crypto ipsec ikev2 ipsec-proposal ts-aes256-sha256
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map cmap-outside 1 match address acl-enc-domain-siteA
crypto map cmap-outside 1 set peer 50.50.50.2
crypto map cmap-outside 1 set ikev2 ipsec-proposal ts-aes256-sha256
crypto map cmap-outside 1 set security-association lifetime seconds 28800
crypto map cmap-outside interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group 50.50.50.2 type ipsec-l2l
tunnel-group 50.50.50.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
10-21-2019 11:58 AM - edited 10-21-2019 11:59 AM
Can you post show crypto isakmp sa from both sides?
10-21-2019 12:50 PM
This is all I get on both sides, initiating a ping from each PC.
sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
10-21-2019 12:58 PM
When pinging from the PC on one site to the PC on the other site, the count on the ACL for interesting traffic does not increase. Also, the counter on the manual NAT does not increase. I see the counter increase on the auto NAT. It is the same on both ends.
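The counter behaviour above follows from the order in which the ASA evaluates a packet: manual (twice) NAT section 1 first, then object (auto) NAT, and only then is the translated packet compared against the crypto ACL. The following is an added Python model of Site A's posted rules (not Cisco code, and not from the thread); it assumes a PC at 10.16.0.10 pinging a PC at 10.10.0.10, both constructed for the example, and shows which NAT section a packet hits and whether the result matches acl-enc-domain-siteB.

```python
import ipaddress

# Constructed model of Site A's NAT and crypto-ACL evaluation, built from the
# objects and rules posted in the thread. Order mirrors the ASA: manual (twice)
# NAT section 1 first, then auto (object) NAT section 2, then the crypto ACL is
# checked against the *translated* packet.
OBJ = {
    "obj-siteA-real": ipaddress.ip_network("10.16.0.0/16"),
    "obj-siteA-map":  ipaddress.ip_network("50.50.50.3/32"),
    "obj-siteB-real": ipaddress.ip_network("10.10.0.0/16"),
    "obj-siteB-map":  ipaddress.ip_network("60.60.60.3/32"),
    "interface":      ipaddress.ip_network("50.50.50.2/32"),  # outside IP
}

# (real_src, mapped_src, real_dst, mapped_dst): a twice-NAT rule only fires
# when BOTH the real source AND the real destination of the packet match.
ORIGINAL_MANUAL_NAT = [
    ("obj-siteA-real", "obj-siteA-map", "obj-siteB-map", "obj-siteB-map"),
]
AUTO_NAT = [("obj-siteA-real", "interface")]      # object NAT: PAT to outside IP
CRYPTO_ACL = ("obj-siteA-map", "obj-siteB-map")  # acl-enc-domain-siteB

def translate(src, dst, manual_rules):
    """Return (mapped_src, mapped_dst, section_hit) for an inside->outside packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for real_s, map_s, real_d, map_d in manual_rules:
        if src in OBJ[real_s] and dst in OBJ[real_d]:
            new_dst = dst if real_d == map_d else OBJ[map_d][0]  # identity dst NAT keeps dst
            return OBJ[map_s][0], new_dst, "manual-nat"
    for real_s, map_s in AUTO_NAT:
        if src in OBJ[real_s]:
            return OBJ[map_s][0], dst, "auto-nat"
    return src, dst, "no-nat"

def crypto_acl_matches(mapped_src, mapped_dst):
    """The interesting-traffic check runs on the post-NAT addresses."""
    return mapped_src in OBJ[CRYPTO_ACL[0]] and mapped_dst in OBJ[CRYPTO_ACL[1]]

def diagnose(src, dst, manual_rules=ORIGINAL_MANUAL_NAT):
    msrc, mdst, hit = translate(src, dst, manual_rules)
    return {"hit": hit, "mapped": f"{msrc}->{mdst}", "tunnel": crypto_acl_matches(msrc, mdst)}

if __name__ == "__main__":
    # Ping from the Site A PC to the Site B PC's real address, as in the thread:
    print(diagnose("10.16.0.10", "10.10.0.10"))   # auto-nat, no tunnel
    # Ping from the Site A PC to Site B's mapped address instead:
    print(diagnose("10.16.0.10", "60.60.60.3"))   # manual-nat, tunnel
```

A ping to the remote real subnet never matches the manual rule (its real destination is obj-siteB-map, not 10.10.0.0/16), so it falls through to the interface PAT and leaves as 50.50.50.2, which the crypto ACL does not cover.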
10-21-2019 02:54 PM
10-22-2019 08:21 AM
@Rob Ingram, thanks for the explanation. I think I now understand why it's not working, but I am still not able to get the communication going between the sites through the VPN after trying different 1-to-1 static NAT configurations. After making changes on the NAT and the ACL for interesting traffic, I see the counts on the NAT and ACL increase but still no VPN established. Is it at all possible for two sites to establish a VPN when they are both NAT'ing the internal network behind a single public IP? Would you be able to share some configuration example so I can understand it better? Thank you!
10-22-2019 10:20 AM
After playing more with the NAT configuration, I was able to get the VPN tunnel to come up between the sites but am still unable to ping the internal PC from each end. I am guessing the second NAT statement below is the problem because the ASA does not know which internal obj-siteA-real/obj-siteB-real host it can translate obj-siteA-map/obj-siteB-map to. I can't seem to figure this out on my own. Any help would be appreciated!
The NAT config now looks like this.
ASA Site A:
nat (inside,outside) source dynamic obj-siteA-real obj-siteA-map destination static obj-siteB-real obj-siteB-map
nat (outside,inside) source static obj-siteB-map obj-siteB-map destination static obj-siteA-map obj-siteA-real
!
object network obj-siteA-real
nat (inside,outside) dynamic interface
ASA Site B:
nat (inside,outside) source dynamic obj-siteB-real obj-siteB-map destination static obj-siteA-real obj-siteA-map
nat (outside,inside) source static obj-siteA-map obj-siteA-map destination static obj-siteB-map obj-siteB-real
!
object network obj-siteB-real
nat (inside,outside) dynamic interface
Here's sh crypto isakmp sa output for site A and site B.
Site A:
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
3937313 60.60.60.2/500 50.50.50.2/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/291 sec
Child sa: local selector 60.60.60.3/0 - 60.60.60.3/65535
remote selector 50.50.50.3/0 - 50.50.50.3/65535
ESP spi in/out: 0xf1afed7c/0xae38003d
Site B:
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
3937313 60.60.60.2/500 50.50.50.2/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/291 sec
Child sa: local selector 60.60.60.3/0 - 60.60.60.3/65535
remote selector 50.50.50.3/0 - 50.50.50.3/65535
ESP spi in/out: 0xf1afed7c/0xae38003d
10-22-2019 11:01 AM
You should configure your NAT rules from the highest security level (inside) to the lowest (outside). Remove your existing NAT rules and try this.
Site A
object network SiteA-PC
host 10.16.0.10
object network obj-siteA-map
host 50.50.50.3
nat (INSIDE,OUTSIDE) source static SiteA-PC obj-siteA-map destination static obj-siteB-map obj-siteB-map
Site B
object network SiteB-PC
host 10.10.0.10
object network obj-siteB-map
host 60.60.60.3
nat (INSIDE,OUTSIDE) source static SiteB-PC obj-siteB-map destination static obj-siteA-map obj-siteA-map
HTH
10-22-2019 12:18 PM
@Rob Ingram Thanks again for your help. After updating the NAT config as you suggested, the PCs on each site were able to ping each other. That's good. However, what I have been trying to get working is NAT'ing the entire subnet to a single IP address on both sites. So for Site A NAT 10.16.0.0/24 to 50.50.50.3 and Site B NAT 10.10.0.0/24 to 60.60.60.3 when traversing the VPN tunnel. Is it possible to set up a VPN like this?
10-22-2019 01:07 PM
10-22-2019 01:53 PM
I replaced the source objects' host with the subnet (10.16.0.0/24 and 10.10.0.0/24) on each ASA and added the following static NAT. The VPN comes up if I ping the NAT address (50.50.50.3 or 60.60.60.3) from either end, but ping still does not go through between the subnets. What am I missing?
Site A:
nat (inside,outside) source static obj-siteA-real obj-siteA-map destination static obj-siteB-map obj-siteB-map
nat (inside,outside) source static obj-siteB-map obj-siteB-map destination static obj-siteA-real obj-siteA-real
Site B:
nat (inside,outside) source static obj-siteB-real obj-siteB-map destination static obj-siteA-map obj-siteA-map
nat (inside,outside) source static obj-siteA-map obj-siteA-map destination static obj-siteB-real obj-siteB-real
02-25-2022 07:55 AM
Did you get it to work? What was the final config?