ASA: Site-to-Site VPN with NAT/PAT Interesting Traffic

shugonaka
Level 1

Hi, I would like to get some help with troubleshooting a Site-to-Site VPN connectivity between two ASAs in a lab environment (GNS3). I have the VPN set up on each site to NAT/PAT their internal subnet to a specific IP address, but it does not work. When I use the mapped address as the interesting traffic, it does not establish a VPN tunnel, and I am not sure what I am doing wrong. I pasted the relevant configuration for both ASAs below. I suppose it must be something pretty simple and yet I can't seem to figure it out. I appreciate any help!

 

Site A outside IP is 50.50.50.2 (Internet G0/0 is 50.50.50.1)

Site B outside IP is 60.60.60.2 (Internet G0/1 is 60.60.60.1)

Site A and Site B can ping each other outside IP.

Site A inside subnet is NAT/PAT to 50.50.50.3

Site B inside subnet is NAT/PAT to 60.60.60.3

 

[Diagram: vpn-pat-overlapping-subnets.jpeg]

 

ASA Site A:

ASA Version 9.7(1)4
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 50.50.50.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.16.0.1 255.255.0.0
!
object network obj-siteA-real
subnet 10.16.0.0 255.255.0.0
object network obj-siteA-map
host 50.50.50.3
object network obj-siteB-real
subnet 10.10.0.0 255.255.0.0
object network obj-siteB-map
host 60.60.60.3
object-group service ogs-srv-icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute

access-list acl-outside-in extended permit object-group ogs-srv-icmp object obj-siteB-map any log
access-list acl-outside-in extended deny ip any any log
access-list acl-enc-domain-siteB extended permit ip object obj-siteA-map object obj-siteB-map

nat (inside,outside) source dynamic obj-siteA-real obj-siteA-map destination static obj-siteB-map obj-siteB-map
!
object network obj-siteA-real
nat (inside,outside) dynamic interface
access-group acl-outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 50.50.50.1 1

no sysopt connection permit-vpn
crypto ipsec ikev2 ipsec-proposal ts-aes256-sha256
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map cmap-outside 1 match address acl-enc-domain-siteB
crypto map cmap-outside 1 set peer 60.60.60.2
crypto map cmap-outside 1 set ikev2 ipsec-proposal ts-aes256-sha256
crypto map cmap-outside 1 set security-association lifetime seconds 28800
crypto map cmap-outside interface outside

crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside

tunnel-group 60.60.60.2 type ipsec-l2l
tunnel-group 60.60.60.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp

 


ASA Site B:

ASA Version 9.7(1)4
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 60.60.60.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.0.1 255.255.0.0
!
object network obj-siteB-real
subnet 10.10.0.0 255.255.0.0
object network obj-siteB-map
host 60.60.60.3
object network obj-siteA-real
subnet 10.16.0.0 255.255.0.0
object network obj-siteA-map
host 50.50.50.3
object service obj-icmp
service icmp
object-group service ogs-srv-icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
access-list acl-outside-in extended permit object-group ogs-srv-icmp object obj-siteA-map any log
access-list acl-outside-in extended deny ip any any log
access-list acl-enc-domain-siteA extended permit ip object obj-siteB-map object obj-siteA-map

nat (inside,outside) source dynamic obj-siteB-real obj-siteB-map destination static obj-siteA-map obj-siteA-map
!
object network obj-siteB-real
nat (inside,outside) dynamic interface
access-group acl-outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 60.60.60.1 1


no sysopt connection permit-vpn
crypto ipsec ikev2 ipsec-proposal ts-aes256-sha256
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map cmap-outside 1 match address acl-enc-domain-siteA
crypto map cmap-outside 1 set peer 50.50.50.2
crypto map cmap-outside 1 set ikev2 ipsec-proposal ts-aes256-sha256
crypto map cmap-outside 1 set security-association lifetime seconds 28800
crypto map cmap-outside interface outside

crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside

tunnel-group 50.50.50.2 type ipsec-l2l
tunnel-group 50.50.50.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp

 

 

11 Replies

balaji.bandi
Hall of Fame

 

can you post show crypto isakmp sa from both the sides

BB


This is all I get on both sides, initiating a ping from each PC.

 

sh crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs

When pinging from the PC on one site to the PC on the other site, the count on the ACL for interesting traffic does not increase. Also, the counter on the manual NAT does not increase. I see the counter increase on auto-NAT. It is the same on both ends.

Hi,
What you are attempting to do won't work. You are pinging from the Site A PC, which is an IP address within the range defined in the object "obj-siteA-real" (10.16.0.0/16) which is natted behind "obj-siteA-map" (50.50.50.3) to the destination object "obj-siteB-map" (60.60.60.30) - On Site B the object "obj-siteB-map" NATs to the entire Site B network object obj-siteB-real (10.10.0.0/16). Therefore the ASA is not going to know the intended destination is actually the Site B PC's IP address. You would need to create 1-2-1 static nat(s). Source would be static not dynamic.

HTH

@Rob Ingram, thanks for the explanation. I think I now understand why it's not working, but I am still not able to get the communication going between the sites through the VPN after trying different 1-to-1 static NAT configurations. After making changes on NAT and the ACL for interesting traffic, I see the counts on NAT and ACL increase but still no VPN established. Is it at all possible for two sites to establish a VPN when they are both NAT'ing the internal network behind a single public IP? Would you be able to share some configuration example so I can understand it better? Thank you!

After playing more with the NAT configuration, I was able to get the VPN tunnel to come up between the sites but I am still unable to ping the internal PC from each end. I am guessing the second NAT statement below is the problem because the ASA does not know which internal obj-siteA-real/obj-siteB-real host it can translate obj-siteA-map/obj-siteB-map to. I can't seem to figure this out on my own. Any help would be appreciated!

 

The NAT config now looks like this.

ASA Site A:
nat (inside,outside) source dynamic obj-siteA-real obj-siteA-map destination static obj-siteB-real obj-siteB-map
nat (outside,inside) source static obj-siteB-map obj-siteB-map destination static obj-siteA-map obj-siteA-real
!
object network obj-siteA-real
nat (inside,outside) dynamic interface

 

ASA Site B:
nat (inside,outside) source dynamic obj-siteB-real obj-siteB-map destination static obj-siteA-real obj-siteA-map
nat (outside,inside) source static obj-siteA-map obj-siteA-map destination static obj-siteB-map obj-siteB-real
!
object network obj-siteB-real
nat (inside,outside) dynamic interface

 

Here's sh crypto isakmp sa output for site A and site B.

 

Site A:
IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
3937313 60.60.60.2/500 50.50.50.2/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/291 sec
Child sa: local selector 60.60.60.3/0 - 60.60.60.3/65535
remote selector 50.50.50.3/0 - 50.50.50.3/65535
ESP spi in/out: 0xf1afed7c/0xae38003d

 

Site B:

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
3937313 60.60.60.2/500 50.50.50.2/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/291 sec
Child sa: local selector 60.60.60.3/0 - 60.60.60.3/65535
remote selector 50.50.50.3/0 - 50.50.50.3/65535
ESP spi in/out: 0xf1afed7c/0xae38003d

 

You should configure your nat rules from highest security level (inside) to lowest (outside). Remove your existing nat rules and try this.

 

Site A

 

object network SiteA-PC
host 10.16.0.10

object network obj-siteA-map
host 50.50.50.3

 

nat (INSIDE,OUTSIDE) source static SiteA-PC obj-siteA-map destination static obj-siteB-map obj-siteB-map

 

Site B

 

object network SiteB-PC
host 10.10.0.10

object network obj-siteB-map
host 60.60.60.3

nat (INSIDE,OUTSIDE) source static SiteB-PC obj-siteB-map destination static obj-siteA-map obj-siteA-map

 

HTH

@Rob Ingram Thanks again for your help. After updating the NAT config as you suggested, the PCs on each site were able to ping each other. That's good. However what I have been trying to get working is NAT'ing the entire subnet to a single IP address on both sites. So for Site A NAT 10.16.0.0/24 to 50.50.50.3 and Site B NAT 10.10.0.0/24 to 60.60.60.3 when traversing the VPN tunnel. Is it possible to set up a VPN like this?

 

On one site's ASA create a new NAT rule, use a network/subnet object as the original source instead of the host object you have now. On the other site's ASA you would still need a 1-2-1 nat in order for the ASA to know what to do with it. All outbound traffic would be natted behind that 1 IP address towards the destination NAT. Add additional nat rules as required.
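The two explanations above (why the original dynamic-PAT rule never matched the crypto ACL, and why a many-to-one translation can only be untranslated by the ASA that created it) can be checked with a small model of twice-NAT. This is an added example written for this thread, not Cisco code or anything the posters ran; it models only the two behaviours the replies rely on (1-to-1 static objects of equal size and dynamic PAT behind a single host) and uses the lab addresses from the thread as constructed test values.

```python
"""Toy model of ASA twice-NAT (manual NAT) plus a crypto-ACL check.

Models two behaviours discussed in the thread:
  * a 1-to-1 static rule is reversible by either peer (remap by offset);
  * a dynamic many-to-one PAT rule is only reversible on the ASA that
    created the xlate, so the far side cannot initiate toward it.
Constructed lab values: 10.16.0.0/16 -> 50.50.50.3, 10.10.0.0/16 -> 60.60.60.3.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Net, Addr = ipaddress.IPv4Network, ipaddress.IPv4Address
net = lambda s: ipaddress.ip_network(s, strict=False)
ip = ipaddress.ip_address


def remap(addr: Addr, src: Net, dst: Net) -> Addr:
    """1-to-1 static mapping between equal-sized objects (identity when equal)."""
    if src.num_addresses != dst.num_addresses:
        raise ValueError("static mapping in this model requires equal-sized objects")
    return dst.network_address + (int(addr) - int(src.network_address))


@dataclass
class Rule:
    # nat (inside,outside) source {static|dynamic} SRC_IN SRC_OUT destination static DST_IN DST_OUT
    src_in: Net
    src_out: Net
    dst_in: Net
    dst_out: Net
    dynamic: bool = False  # True: many-to-one PAT behind the single host in src_out


@dataclass
class Asa:
    rules: List[Rule]
    crypto_acl: Tuple[Net, Net]  # (local encryption domain, remote encryption domain)
    xlates: Dict[Tuple[Addr, int], Addr] = field(default_factory=dict)
    next_id: int = 1024  # next free PAT slot (port, or ICMP identifier)

    def outbound(self, src: Addr, dst: Addr, ident: int):
        """inside -> outside. Returns (mapped_src, mapped_dst, mapped_ident, hits_crypto_acl),
        or None when no manual rule matches; the packet then falls to the interface-PAT
        auto NAT, whose result is never inside the crypto ACL (the symptom in the first posts)."""
        for r in self.rules:
            if src in r.src_in and dst in r.dst_in:
                mdst = remap(dst, r.dst_in, r.dst_out)
                if r.dynamic:
                    msrc, mid = r.src_out.network_address, self.next_id
                    self.next_id += 1
                    self.xlates[(msrc, mid)] = src  # only this ASA knows who owns the slot
                else:
                    msrc, mid = remap(src, r.src_in, r.src_out), ident
                local, remote = self.crypto_acl
                return msrc, mdst, mid, (msrc in local and mdst in remote)
        return None

    def inbound(self, src: Addr, dst: Addr, ident: int) -> Optional[Addr]:
        """outside -> inside after decryption: reverse the manual rule and return the
        real destination, or None when the ASA has no way to untranslate the packet."""
        for r in self.rules:
            if dst in r.src_out and src in r.dst_out:
                if r.dynamic:
                    return self.xlates.get((dst, ident))  # unknown slot -> dropped
                return remap(dst, r.src_out, r.src_in)
        return None


A_REAL, A_MAP = net("10.16.0.0/16"), net("50.50.50.3/32")
B_REAL, B_MAP = net("10.10.0.0/16"), net("60.60.60.3/32")
A_PC, B_PC = net("10.16.0.10/32"), net("10.10.0.10/32")


def original_post():
    """Site A as first posted: dynamic PAT, destination object is the mapped host.
    A ping to the peer's real host 10.10.0.10 matches no manual rule -> None."""
    a = Asa([Rule(A_REAL, A_MAP, B_MAP, B_MAP, dynamic=True)], (A_MAP, B_MAP))
    return a.outbound(ip("10.16.0.10"), ip("10.10.0.10"), 1)


def one_to_one_both_sides():
    """Host-to-host static NAT on both ASAs: reversible in both directions."""
    a = Asa([Rule(A_PC, A_MAP, B_MAP, B_MAP)], (A_MAP, B_MAP))
    b = Asa([Rule(B_PC, B_MAP, A_MAP, A_MAP)], (B_MAP, A_MAP))
    msrc, mdst, mid, match = a.outbound(ip("10.16.0.10"), ip("60.60.60.3"), 7)
    real_dst = b.inbound(msrc, mdst, mid)            # B untranslates 60.60.60.3 -> 10.10.0.10
    rsrc, rdst, rid, _ = b.outbound(real_dst, msrc, mid)
    back = a.inbound(rsrc, rdst, rid)                # A untranslates 50.50.50.3 -> 10.16.0.10
    return match, real_dst, back


def subnet_pat_one_side():
    """Whole subnet PAT on A, 1-to-1 on B: A-initiated flows work, B-initiated do not."""
    a = Asa([Rule(A_REAL, A_MAP, B_MAP, B_MAP, dynamic=True)], (A_MAP, B_MAP))
    b = Asa([Rule(B_PC, B_MAP, A_MAP, A_MAP)], (B_MAP, A_MAP))
    msrc, mdst, mid, match = a.outbound(ip("10.16.0.25"), ip("60.60.60.3"), 9)
    real_dst = b.inbound(msrc, mdst, mid)
    rsrc, rdst, rid, _ = b.outbound(real_dst, msrc, mid)
    back = a.inbound(rsrc, rdst, rid)                # reply finds the xlate A created
    bsrc, bdst, bid, _ = b.outbound(ip("10.10.0.10"), ip("50.50.50.3"), 500)
    unsolicited = a.inbound(bsrc, bdst, bid)         # no xlate for this slot -> None
    return match, real_dst, back, unsolicited


if __name__ == "__main__":
    print("original post, manual rule matched:", original_post())
    print("1-to-1 both sides:", one_to_one_both_sides())
    print("subnet PAT on A only:", subnet_pat_one_side())
```

The `original_post` case reproduces the first symptom in the thread (manual-NAT and crypto-ACL counters flat, auto-NAT counter rising); the other two cases show that a subnet behind one mapped address is usable only for flows that the PAT side initiates, which is why the 1-to-1 rule is still needed on at least one end.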

I replaced the source host objects with the subnets (10.16.0.0/24 and 10.10.0.0/24) on each ASA and added the following static NAT. The VPN comes up if I ping the NAT address (50.50.50.3 or 60.60.60.3) from either end but ping still does not go through between the subnets. What am I missing?

 

Site A:

nat (inside,outside) source static obj-siteA-real obj-siteA-map destination static obj-siteB-map obj-siteB-map
nat (inside,outside) source static obj-siteB-map obj-siteB-map destination static obj-siteA-real obj-siteA-real

Site B:

nat (inside,outside) source static obj-siteB-real obj-siteB-map destination static obj-siteA-map obj-siteA-map
nat (inside,outside) source static obj-siteA-map obj-siteA-map destination static obj-siteB-real obj-siteB-real

Did you get it to work?  What was the final config?
