Solved: ASA to Juniper VPN with Policy NAT

james_harrell · ‎08-07-2012

I am trying to configure a VPN tunnel between my client network 192.168.190.0/24 and a remote site 66.18.106.160/27. I need to NAT all traffic leaving 192.168.190.0/24 to 192.168.191.0/24.

Here is my current config:

hostname xxxxx

domain-name xxxxx.local
enable password xxxxx encrypted
passwd xxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.190.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 207.98.218.26 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 192.168.100.1 255.255.255.0
!
interface Vlan12
description backup for interface vlan2
nameif CharterBackup
security-level 0
ip address 72.14.9.50 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxx.local
access-list 110 extended permit ip 192.168.190.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 110 extended permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list 110 extended permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list 100 extended permit tcp any host 207.98.218.27 eq 3389
access-list 100 extended permit tcp any host 207.98.218.28 eq 3389
access-list 100 extended permit tcp any host 207.98.218.27 eq 9000
access-list 100 extended permit tcp any host 207.98.218.27 eq 9001
access-list 100 extended permit tcp any host 207.98.218.28 eq 9000
access-list 100 extended permit tcp any host 207.98.218.28 eq 9001
access-list split standard permit 192.168.190.0 255.255.255.0
access-list POLICYNAT extended permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224
access-list VPN extended permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu CharterBackup 1500
ip local pool vpnpool 192.168.10.75-192.168.10.85
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (CharterBackup) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.191.0 access-list POLICYNAT
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 207.98.218.25 1 track 1
route CharterBackup 0.0.0.0 0.0.0.0 71.14.9.49 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.190.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
timeout 1000
frequency 3
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set romanset esp-des esp-md5-hmac
crypto ipsec transform-set AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set romanset
crypto map romanmap 10 match address VPN
crypto map romanmap 10 set peer 66.18.99.68
crypto map romanmap 10 set transform-set AES-128-SHA
crypto map romanmap 65535 ipsec-isakmp dynamic dynmap
crypto map romanmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
track 1 rtr 123 reachability
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 CharterBackup
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.100.100-192.168.100.130 DMZ
dhcpd enable DMZ
!

group-policy xxxxx internal
group-policy xxxxx attributes
wins-server value 192.168.190.3
dns-server value 192.168.190.3
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
tunnel-group xxxxx type ipsec-ra
tunnel-group xxxxx general-attributes
address-pool vpnpool
default-group-policy romangroup
tunnel-group xxxxx ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none
tunnel-group 66.18.99.68 type ipsec-l2l
tunnel-group 66.18.99.68 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context

Currently, traffic which originates on 192.168.190.0/24 generates no phase 1 traffic. However, if traffic originates fro the remote side (66.18.106.160/27) the tunnel comes up, but no traffic passes.

Although this is not my area of expertise, it seems to me that my ASA is not "seeing" interesting traffic originating from 192.168.190.0/24 going to 66.18.106.160/27.

Any assistance you could provide would be GREATLY appreciated.

Jennifer Halim · ‎08-08-2012

Just remove the following 2 lines:

access-list 110 extended permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224

access-list 110 extended permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224

Then "clear xlate".

That should resolve your issue.

View solution in original post

Jennifer Halim · ‎08-08-2012

Just remove the following 2 lines:

access-list 110 extended permit ip 192.168.190.0 255.255.255.0 66.18.106.160 255.255.255.224

access-list 110 extended permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224

Then "clear xlate".

That should resolve your issue.

james_harrell · ‎08-08-2012

Jennifer,

Thanks, but that did not resolve the isue. I still have no phase 1 traffic.

James

Jennifer Halim · ‎08-08-2012

If the remote end initiates the traffic, does it bring both phase 1 and phase 2 and is the traffic passing now?

Can you pls share the config from remote end.

james_harrell · ‎08-08-2012

If the remote end initiates traffic, the tunnel forms. However traffic does not pass. As I look at statistics, my end decrypts as they send packets, but does not encrypt for the return traffic.

If my end sends traffic, the tunnel never forms.

I do not have access to the remot eend, and they are not very cooperative in sharing the config.

Since the tunnel forms when they initiate traffic, but I cannot form or return - does that not indicate an "interesting traffic" issue at my end?

Jennifer Halim · ‎08-08-2012

Crypto ACL needs to mirror image on both end, and sounds like it might not have mirror image. Without knowing what is exactly configured on the remote end, we can't be sure if it is mirror image or not.

Also, the remote end might be configured to only allow it to initiate the tunnel, and does not allow your ASA to initiate the tunnel towards the Juniper end.

Try to run the following debug on the ASA to see if we can spot any further error:

debug cry isa

debug cry ipsec

james_harrell · ‎08-08-2012

no debug info shows.

Here is all the other end has sent me:

remote LAN - 192.168.191.0/24

local LAN - 66.18.106.160/27

Gateway - 207.98.218.26

Phase 1

Authentication - Pre-Share

DH Group - 2

Encryption AES-CBC (128)

Hash - SHA1

LIfetime 86400

Phase 2

PFS - NO

Encryption - AES-CBC(128)

Authentication Algorithm - SHA1

Authentication Algorithm - MD5

I hve sent an email requesting verification of:

1. That their end is in Main M0de

2. That they are permitting all ip traffic from 66.18.160.160/27 to 192.168.191.0/24

3. That they are set for bi-directional establishement of the tunnel

Jennifer Halim · ‎08-08-2012

Phase 2, authentication algorithm should only be SHA1, not SHA1 and MD5.

When they try to initiate the tunnel, pls run debugs on your ASA. Also share the output of: show cry isa sa, and show cry ipsec sa.

james_harrell · ‎08-08-2012

OK, here is really strange.

I turned on debug and asked that they initiate the traffic. The tunnel came up and traffic now passes. However, if the tunnel times out, I cannot initiate the traffic.

Do you still want the Debugs?

Jennifer Halim · ‎08-08-2012

yes pls

james_harrell · ‎08-08-2012

RomanInternalMedicine# sho crypto isakmp sa

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 207.98.229.154
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 66.18.99.68
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
RomanInternalMedicine# sho crypto ipsec sa
interface: outside
    Crypto map tag: dynmap, seq num: 10, local addr: 207.98.218.26

      local ident (addr/mask/prot/port): (192.168.190.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.100.0/255.255.255.0/0/0)
      current_peer: 207.98.229.154

      #pkts encaps: 1349, #pkts encrypt: 1349, #pkts digest: 1349
      #pkts decaps: 1349, #pkts decrypt: 1349, #pkts verify: 1349
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1349, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

local crypto endpt.: 207.98.218.26, remote crypto endpt.: 207.98.229.154

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 6A53A558

    inbound esp sas:
      spi: 0x89DE6137 (2313052471)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2, crypto-map: dynmap
         sa timing: remaining key lifetime (kB/sec): (4274920/27446)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x6A53A558 (1783866712)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2, crypto-map: dynmap
         sa timing: remaining key lifetime (kB/sec): (4274920/27445)
         IV size: 8 bytes
         replay detection support: Y

Crypto map tag: romanmap, seq num: 10, local addr: 207.98.218.26

      access-list VPN permit ip 192.168.191.0 255.255.255.0 66.18.106.160 255.255.255.224
      local ident (addr/mask/prot/port): (192.168.191.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (66.18.106.160/255.255.255.224/0/0)
      current_peer: 66.18.99.68

      #pkts encaps: 600, #pkts encrypt: 600, #pkts digest: 600
      #pkts decaps: 600, #pkts decrypt: 600, #pkts verify: 600
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 600, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

local crypto endpt.: 207.98.218.26, remote crypto endpt.: 66.18.99.68

path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: CE9B009B

    inbound esp sas:
      spi: 0x363C733C (909931324)
         transform: esp-aes esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 3, crypto-map: romanmap
         sa timing: remaining key lifetime (sec): 27884
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xCE9B009B (3466264731)
         transform: esp-aes esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 3, crypto-map: romanmap
         sa timing: remaining key lifetime (sec): 27884
         IV size: 16 bytes
         replay detection support: Y

Jennifer Halim · ‎08-08-2012

and the debugs output?

james_harrell · ‎08-08-2012

Jennifer,

Thanks for your help. Here is the solution. Correct the NAt 0 list as your suggested. And re-confirm (as I had done) that the other end was set for bi-directional tunnel formation.

Of course, they canged nothing (wink,wink)

Tunnel is up and traffic is passing

Jennifer Halim · ‎08-08-2012

LOL, that's what they always say

Great to hear all is good now.

james_harrell · ‎08-08-2012

Sad, but true.... thanks again

James