09-21-2015 01:57 PM
Hi
I have configured a site-to-site VPN on an ASA. At the other site there is a Watchguard firewall. The VPN has not established; I have no ISAKMP or IPsec sessions established. Here is the config I am using. Can anyone see if I am missing something? It's my first VPN using the command line.
object-group network SITEA
network-object 10.57.254.0 255.255.255.0
object-group network SITEB
network-object 10.254.10.0 255.255.255.0
crypto ikev1 enable outside
access-list VPN_TRAFFIC_ALLOWED extended permit ip object-group SITEA object-group SITEB
nat (inside,outside) source static SITEA SITEB destination static SITEA SITEB
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key X.X.X.X
exit
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
lifetime 28800
crypto ipsec ikev1 transform-set TS-ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address VPN_TRAFFIC_ALLOWED
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev1 transform-set TS-ESP-AES-SHA
crypto map outside_map interface outside
09-21-2015 03:24 PM
Hello.
Please correct the NAT-0 with this line:
nat (inside,outside) source static SITEA SITEA destination static SITEB SITEB no-proxy-arp route-lookup
If you still experience issues send me the output from:
packet-tracer input inside icmp 10.57.254.10 8 0 10.254.10.10 detailed
Regards,
09-22-2015 01:30 PM
Hi
I have applied the no-proxy-arp option, but it does not let me apply the route-lookup option; I get the following error: "ERROR: Option route-lookup is only allowed for static identity case".
Below is the output of the packet trace:
ciscoasa(config)# packet-tracer input inside icmp 10.57.254.10 8 0 10.254.10.1$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffd59e2c50, priority=1, domain=permit, deny=false
hits=109880, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop X.X.X.X using egress ifc outside
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Inside_Subnet
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.57.254.10/0 to X.X.X.X/14998
Forward Flow based lookup yields rule:
in id=0x7fffd59f90d0, priority=6, domain=nat, deny=false
hits=33352, user_data=0x7fffd5ba4270, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.57.254.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffd52acfd0, priority=0, domain=nat-per-session, deny=true
hits=36976, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffd5b9f080, priority=0, domain=inspect-ip-options, deny=true
hits=33358, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffd5b9e930, priority=66, domain=inspect-icmp-error, deny=false
hits=1, user_data=0x7fffd59dae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 34449, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
09-22-2015 01:46 PM
Hello,
Please share with me the NAT rule you are trying to apply so I can review it.
Also, share with me the output from "show run NAT"; from the packet-tracer, I can see the VPN traffic is not hitting the NAT-0 statement yet.
The traffic is hitting this NAT rule "nat (inside,outside) dynamic interface"; which is the default rule for going out to the internet (PAT).
Try placing this statement at the very top of your NAT rules:
nat (inside,outside) 1 source static SITEA SITEA destination static SITEB SITEB no-proxy-arp route-lookup
Please note that source and destination are static. Make sure you are applying the right statement, and note this part of the statement:
source static SITEA SITEA (you are translating SITEA to itself in order to make the NAT-0). In the original statement you are trying to translate SITEA to SITEB, which is incorrect and therefore gives you the error "Option route-lookup is only allowed for static identity case".
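An added example (Python, not from the thread) modelling the rule walk the reply describes: the ASA evaluates Section 1 manual NAT before Section 2 object NAT, and a twice NAT rule only matches when both its real source and real destination cover the packet, which is why the first post's rule is skipped and the flow lands on the dynamic PAT. Inside_Subnet's definition is not shown on the page and is assumed here to be 10.57.254.0/24.

```python
import ipaddress

# Network objects as defined in the thread; Inside_Subnet's definition is not
# shown on the page, so it is assumed here to be the whole 10.57.254.0/24.
OBJECTS = {
    "SITEA": ipaddress.ip_network("10.57.254.0/24"),
    "SITEB": ipaddress.ip_network("10.254.10.0/24"),
    "Inside_Subnet": ipaddress.ip_network("10.57.254.0/24"),  # assumed
}

def twice_nat(real_src, mapped_src, real_dst, mapped_dst):
    """Section 1 rule: nat (inside,outside) source static A B destination static C D."""
    return {"kind": "twice", "real_src": real_src, "mapped_src": mapped_src,
            "real_dst": real_dst, "mapped_dst": mapped_dst}

def object_nat_dynamic(obj):
    """Section 2 rule: object network X / nat (inside,outside) dynamic interface."""
    return {"kind": "object-dynamic", "real_src": obj}

def is_identity(rule):
    """route-lookup is only accepted on a static identity rule, i.e. one that
    maps both source and destination to themselves (the ASA error in the thread)."""
    return (rule["kind"] == "twice"
            and rule["real_src"] == rule["mapped_src"]
            and rule["real_dst"] == rule["mapped_dst"])

def match_nat(rules, src, dst):
    """Walk the rules top-down (Section 1 before Section 2, as the ASA does) and
    return the index of the first rule the flow matches plus how it translates."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, r in enumerate(rules):
        if r["kind"] == "twice":
            # A twice NAT rule matches only if BOTH the real source and the real
            # destination cover the packet; otherwise it is skipped entirely.
            if s in OBJECTS[r["real_src"]] and d in OBJECTS[r["real_dst"]]:
                return {"rule": idx, "kind": "twice", "identity": is_identity(r)}
        elif s in OBJECTS[r["real_src"]]:
            return {"rule": idx, "kind": "object-dynamic", "identity": False}
    return None

# The rule from the first post: its real destination is SITEA, so a packet
# going to SITEB can never match it and falls through to the dynamic PAT rule.
ORIGINAL = [twice_nat("SITEA", "SITEB", "SITEA", "SITEB"),
            object_nat_dynamic("Inside_Subnet")]
# The rule suggested in the reply: identity NAT for SITEA -> SITEB traffic.
CORRECTED = [twice_nat("SITEA", "SITEA", "SITEB", "SITEB"),
             object_nat_dynamic("Inside_Subnet")]

if __name__ == "__main__":
    flow = ("10.57.254.10", "10.254.10.10")  # the packet-tracer flow in the thread
    print("original :", match_nat(ORIGINAL, *flow))   # rule 1: dynamic PAT
    print("corrected:", match_nat(CORRECTED, *flow))  # rule 0: identity NAT
    print("route-lookup allowed on original rule?", is_identity(ORIGINAL[0]))
```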
09-22-2015 02:10 PM
Hi
I am trying to apply the following NAT; it's actually meant to be site A to site B:
nat (inside,outside) 1 source static SITEA SITEB destination static SITEA SITEB no-proxy-arp
The rule is meant to ensure the VPN traffic is not NATted.
Here's the output of show run NAT:
nat (inside,outside) source static SITEA SITEB destination static SITEA SITEB no-proxy-arp
!
object network Mgmt_Server
nat (inside,outside) static interface service tcp 3389 3389
object network Prime_1
nat (inside,outside) static interface service tcp https https
object network Inside_Subnet
nat (inside,outside) dynamic interface
09-22-2015 02:15 PM
Please apply the following configuration: just copy and paste it, run the packet-tracer again, and the tunnel should come up.
no nat (inside,outside) source static SITEA SITEB destination static SITEA SITEB no-proxy-arp
nat (inside,outside) 1 source static SITEA SITEA destination static SITEB SITEB no-proxy-arp route-lookup
packet-tracer input inside icmp 10.57.254.10 8 0 10.254.10.10 detailed
09-22-2015 03:18 PM
Hi
I've changed the NAT rule and this time it accepted the route-lookup option; however, it still seems to hit the dynamic NAT when doing the packet trace.
ciscoasa(config)# packet-tracer input inside icmp 10.57.254.10 8 0 10.254.10.1$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop X.X.X.X using egress ifc outside
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Inside_Subnet
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.57.254.10/0 to X.X.X.X/23408
Forward Flow based lookup yields rule:
in id=0x7fffd59f90d0, priority=6, domain=nat, deny=false
hits=33423, user_data=0x7fffd5ba4270, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.57.254.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffd52acfd0, priority=0, domain=nat-per-session, deny=true
hits=37051, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffd5b9f080, priority=0, domain=inspect-ip-options, deny=true
hits=33429, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffd5b9e930, priority=66, domain=inspect-icmp-error, deny=false
hits=4, user_data=0x7fffd59dae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 34524, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
09-22-2015 03:21 PM
Please send me the actual "show run nat" after the configuration change. Remember to delete the old NAT by applying this line:
no nat (inside,outside) source static SITEA SITEB destination static SITEA SITEB no-proxy-arp
Regards,
09-22-2015 03:34 PM
Hi
Yes, I have deleted the old NAT; here's the output:
ciscoasa(config)# sh run nat
nat (inside,outside) source static SiteA SiteA destination static SiteB SiteB no-proxy-arp route-lookup
!
object network Mgmt_Server
nat (inside,outside) static interface service tcp 3389 3389
object network Prime_1
nat (inside,outside) static interface service tcp https https
object network Inside_Subnet
nat (inside,outside) dynamic interface
ciscoasa(config)# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static SiteA SiteA destination static SiteB SiteB no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Mgmt_Server interface service tcp 3389 3389
translate_hits = 0, untranslate_hits = 679
2 (inside) to (outside) source static Prime_1 interface service tcp https https
translate_hits = 0, untranslate_hits = 281
3 (inside) to (outside) source dynamic Inside_Subnet interface
translate_hits = 33438, untranslate_hits = 62
09-22-2015 03:55 PM
Hello,
I think you might have an issue with your network objects, let's configure the NAT and a new set of objects from scratch.
object network SITEA_NAT
subnet 10.57.254.0 255.255.255.0
object network SITEB_NAT
subnet 10.254.10.0 255.255.255.0
no nat (inside,outside) source static SiteA SiteA destination static SiteB SiteB no-proxy-arp route-lookup
nat (inside,outside) source static SITEA_NAT SITEA_NAT destination static SITEB_NAT SITEB_NAT no-proxy-arp route-lookup
And replace the VPN ACL with:
access-list VPN_TRAFFIC_ALLOWED extended permit ip object SITEA_NAT object SITEB_NAT
This should solve your issue, otherwise you could attach your running configuration.
09-23-2015 01:41 AM
Hi
I'm not sure, but I believe this could be the issue. I have 2 objects (Mgmt server and Prime) that are part of the internal 10.57.254.0 subnet. The objects are configured for NATting to the outside interface on different port numbers; this was initially to allow myself access to the servers from the outside:
object network Mgmt_Server
nat (inside,outside) static interface service tcp 3389 3389
object network Prime_1
nat (inside,outside) static interface service tcp https https
Afterwards I configured the VPN to site B, and now I want these servers accessible from Site B. So I am now configuring a NO-NAT for the VPN traffic, which includes those servers. The Site A object group contains the subnet with the above servers.
Am I right in assuming I need to clear the object NATs for the servers and just leave the NO-NAT for the VPN?
Thanks
09-23-2015 02:10 AM
So after clearing the NATs for those servers I now get the following output from the packet trace. I have noticed the route lookup points to my internet gateway. Am I meant to have a route to the next hop of Site B for the Site B subnet?
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop X.X.X.X using egress ifc outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static SiteA SitteA destination static SiteB SiteB no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.254.0.10/0 to 10.254.0.10/0
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static ANS ANS destination static OPUS OPUS no-proxy-arp route-lookup
Additional Information:
Static translate 10.57.254.1/0 to 10.57.254.1/0
Forward Flow based lookup yields rule:
in id=0x7fffd5b95710, priority=6, domain=nat, deny=false
hits=2, user_data=0x7fffd5a016a0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.57.254.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.254.0.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffd52acfd0, priority=0, domain=nat-per-session, deny=true
hits=37537, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffd5b9f080, priority=0, domain=inspect-ip-options, deny=true
hits=33857, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffd5b9e930, priority=66, domain=inspect-icmp-error, deny=false
hits=13, user_data=0x7fffd59dae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static SiteA SiteA destination static SiteB SiteB no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fffd5cef860, priority=6, domain=nat-reverse, deny=false
hits=3, user_data=0x7fffd51375e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.57.254.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.254.0.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 34974, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
09-23-2015 06:45 AM
According to this packet-tracer the NAT-0 is now working. Now it seems the traffic is not hitting the crypto process. Please send me these outputs:
1. show run crypto
2. show access-list VPN_TRAFFIC_ALLOWED
Regards,
09-24-2015 03:05 PM
Hi
Here are the outputs:
ciscoasa# sh run crypto
crypto ipsec ikev1 transform-set TS-ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev1 transform-set TS-ESP-AES-SHA
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
ciscoasa# SH access-list VPN_TRAFFIC_ALLOWED
access-list VPN_TRAFFIC_ALLOWED; 14 elements; name hash: 0x6e81142a
access-list VPN_TRAFFIC_ALLOWED line 1 extended deny ip object-group SiteA object-group WIRELESS (hitcnt=0) 0xaf3f60c9
access-list VPN_TRAFFIC_ALLOWED line 1 extended deny ip 10.57.254.0 255.255.255.0 10.50.240.0 255.255.254.0 (hitcnt=0) 0x738bf07a
access-list VPN_TRAFFIC_ALLOWED line 1 extended deny ip 10.57.254.0 255.255.255.0 10.80.240.0 255.255.255.0 (hitcnt=0) 0x784a1ac9
access-list VPN_TRAFFIC_ALLOWED line 1 extended deny ip 10.57.254.0 255.255.255.0 10.70.220.0 255.255.254.0 (hitcnt=0) 0xcfc0efc0
access-list VPN_TRAFFIC_ALLOWED line 1 extended deny ip 10.57.254.0 255.255.255.0 172.27.172.0 255.255.255.0 (hitcnt=0) 0xf3b14c38
access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip object-group SiteA object-group SiteB (hitcnt=0) 0x7044c160
access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.254.0.0 255.255.255.0 (hitcnt=0) 0x00f8f078
access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.255.0.0 255.255.255.0 (hitcnt=0) 0xea91957d
access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.19.0.0 255.255.0.0 (hitcnt=0) 0xe0dccd0c
access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.20.0.0 255.255.0.0 (hitcnt=0) 0xa6eb0555
access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.50.0.0 255.255.0.0 (hitcnt=0) 0x5487a1df
access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.55.0.0 255.255.0.0 (hitcnt=0) 0x6c7514cd
access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.60.0.0 255.255.0.0 (hitcnt=0) 0x909a6bf0
access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.70.0.0 255.255.0.0 (hitcnt=0) 0xcd5ea52b
access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.80.0.0 255.255.0.0 (hitcnt=0) 0x1c0a83f3
access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.90.0.0 255.255.0.0 (hitcnt=0) 0x22915b53
By the way, although I have mentioned just the one subnet for simplicity, there are actually a few different subnets at Site B.
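A check added here (Python, not from the thread) that parses the expanded "sh access-list" entries and reports which ACE a given flow hits, so the packet-tracer flow can be compared against what the crypto ACL actually classifies as interesting; the sample lines are constructed from three of the entries above, and the object-group header lines are deliberately skipped.

```python
import ipaddress
import re

# Constructed sample in the shape of the "sh access-list" output above
# (three of the expanded entries, not the full 14-element listing).
SAMPLE = """\
access-list VPN_TRAFFIC_ALLOWED line 1 extended deny ip 10.57.254.0 255.255.255.0 10.50.240.0 255.255.254.0 (hitcnt=0) 0x738bf07a
access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.254.0.0 255.255.255.0 (hitcnt=0) 0x00f8f078
access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.19.0.0 255.255.0.0 (hitcnt=0) 0xe0dccd0c
"""

# Only the expanded entries carry explicit address/mask pairs; the header lines
# such as "permit ip object-group SiteA object-group SiteB" do not match this.
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) ip "
    r"(?P<src>[\d.]+) (?P<smask>[\d.]+) (?P<dst>[\d.]+) (?P<dmask>[\d.]+) "
    r"\(hitcnt=(?P<hits>\d+)\)")

def parse_aces(text):
    """Return the expanded ACEs in listing order as dicts with networks and hit counts."""
    aces = []
    for m in ACE_RE.finditer(text):
        aces.append({
            "line": int(m["line"]), "action": m["action"], "hits": int(m["hits"]),
            "src": ipaddress.ip_network(f"{m['src']}/{m['smask']}"),
            "dst": ipaddress.ip_network(f"{m['dst']}/{m['dmask']}"),
        })
    return aces

def first_match(aces, src, dst):
    """First expanded ACE, top-down, that covers the flow; None means the crypto
    ACL never classifies this flow as interesting traffic at all."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if s in ace["src"] and d in ace["dst"]:
            return ace
    return None

def acl_summary(aces):
    """Quick health check: deny entries in a crypto ACL carve traffic out of the
    tunnel, and all-zero hit counts mean no flow has been classified yet."""
    return {
        "deny_lines": sorted({a["line"] for a in aces if a["action"] == "deny"}),
        "any_hits": any(a["hits"] > 0 for a in aces),
    }

if __name__ == "__main__":
    aces = parse_aces(SAMPLE)
    # The traced destination from the earlier posts is not covered by any
    # expanded permit entry (those cover 10.254.0.0/24, not 10.254.10.0/24).
    print(first_match(aces, "10.57.254.10", "10.254.10.10"))  # None
    print(first_match(aces, "10.57.254.10", "10.254.0.10")["action"])  # permit
    print(acl_summary(aces))
```

Note also that the "sh run crypto" output above shows no "match address VPN_TRAFFIC_ALLOWED" line under outside_map, although the first post's configuration had one; without it the crypto map has no ACL to match, regardless of what the ACL contains.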
09-28-2015 02:44 PM
Hello
Were you able to resolve the issue yet?