Cisco ASA NAT-T VPN issue

storm1kk
Level 1

Hello!

I have a new Cisco ASA VPN configuration; it's different from what I did before - it's behind NAT, and I need some advice on whether it is possible.

So, I have the following structure:

Site A:

ASAv (192.168.100.2) -> 1to1 NAT -> VMware Edge Gateway Services -> 1to1 NAT -> Fortigate -> Public address (PUB1)

Site B:

ASA (PUB2) - it's OK.

And I can't create an IPsec tunnel between these two sites; the ASAv doesn't want to create Phase 1 (no messages in debug, PT got an error on the VPN phase, and I also have some strange asp drops).

ASAv VPN configuration:


crypto map outside 1 match address vpn-acl
crypto map outside 1 set pfs
crypto map outside 1 set peer %PUB2%
crypto map outside 1 set ikev1 transform-set aes256-sha1
crypto map outside interface outside

tunnel-group %PUB2% type ipsec-l2l
tunnel-group %PUB2% ipsec-attributes
 ikev1 pre-shared-key *****

access-list vpn-acl extended permit ip object-group local object-group remote log disable

packet-tracer input inside tcp (ip from local object-group) 5555 (ip from remote object-group) 4444


Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.100.1 using egress ifc  outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote remote no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate (ip from local object-group)/5555 to (ip from local object-group)/5555

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_in in interface inside
access-list inside_in extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static local local destination static remote remote no-proxy-arp route-lookup
Additional Information:
Static translate (ip from remote object-group)/5555 to (ip from remote object-group)/5555

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


sh asp drop

Frame drop:
  Flow is denied by configured rule (acl-drop)                                21
  IKE new SA limit exceeded (ike-sa-rate-limit)                               12

Last clearing: 09:31:40 UTC Jan 30 2019 by enable_15

Flow drop:
  Need to start IKE negotiation (need-ike)                                    42


NAT-T enabled. Ping is OK - site A can ping site B and src&dst are correct.

I'm confused because I have no messages in the debug log and I have strange asp drops.

Please help me to resolve this.



5 Replies

NAT-T is globally enabled on the security appliance by default; it automatically detects NAT and changes the phase 1 UDP 500 into 4500.

But please upload the config of the firewall.

please do not forget to rate.

sh run
: Saved
:
: Serial Number:
: Hardware:   ASAv, 1536 MB RAM, CPU Xeon E5 series 2600 MHz
:
ASA Version 9.10(1)
!
hostname smartcloud
enable password ***** pbkdf2
names
no mac-address auto

!
interface GigabitEthernet0/0
 description
 nameif outside
 security-level 100
 ip address 192.168.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address %local_addr% 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object-group network local
 network-object %local_subnet% 255.255.255.0
object-group network remote
 network-object %remote_subnet% 255.255.255.0
access-list outside_in extended permit ip any any
access-list vpn-acl extended permit ip object-group local object-group remote log disable
access-list inside_in extended permit ip any any
access-list inside_out extended permit ip any any
access-list outside_out extended permit ip any any
pager lines 23
logging enable
logging timestamp
logging buffer-size 52428800
logging buffered debugging
logging trap debugging
logging facility 23
logging debug-trace
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside) source static local local destination static remote remote no-proxy-arp route-lookup
access-group outside_in in interface outside
access-group outside_out out interface outside
access-group inside_in in interface inside
access-group inside_out out interface inside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set aes256-sha1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside 1 match address vpn-acl
crypto map outside 1 set pfs
crypto map outside 1 set peer %PUB2%
crypto map outside 1 set ikev1 transform-set aes256-sha1
crypto map outside interface outside
crypto ca trustpool policy
 auto-import
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
telnet timeout 5
ssh stricthostkeycheck
ssh %IP_ADDR% 255.255.255.255 outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 5
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username %USERNAME% password ***** pbkdf2
tunnel-group %PUB2% type ipsec-l2l
tunnel-group %PUB2% ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
call-home
 profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
Cryptochecksum:eba89603857917c74cbbe89e3b0cae96
: end

Configuration looks OK to me.

When you do a packet tracer, after giving the command can you show us the output of these commands:

show crypto ikev1 sa   / show crypto isakmp sa
show crypto ipsec
!

Also ask the other side to send a packet to its interesting ACL.

please do not forget to rate.

After the PT command I see nothing in sh cry ikev1 sa.

But I see interesting things in the logs:

Jan 30 2019 12:40:39: %ASA-7-609001: Built local-host inside:LOCAL_IP
Jan 30 2019 12:40:39: %ASA-7-609001: Built local-host outside:REMOTE_IP
Jan 30 2019 12:40:39: %ASA-7-609002: Teardown local-host inside:LOCAL_IP duration 0:00:00
Jan 30 2019 12:40:39: %ASA-7-609002: Teardown local-host outside:REMOTE_IP duration 0:00:00

Also, after an attempt from the other side:

Jan 30 2019 12:44:29: %ASA-7-710005: UDP request discarded from PUB2/500 to outside:192.168.100.2/500

What does it mean? NAT-T is not working, or ...?

Fixed.

IKEv1 needed to be enabled:

crypto ikev1 enable outside
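As an added example (not from the thread, and not Cisco's own tooling), here is a small Python checker for the mistake the accepted answer fixes. It parses a constructed running-config modelled on the one posted above, reports any interface that carries a crypto map without a matching "crypto ikev1/ikev2 enable", flags crypto-map peers that have no ipsec-l2l tunnel-group, and counts %ASA-7-710005 discards on UDP 500/4500 in constructed log lines shaped like the ones quoted, which is how the problem surfaced here: the peer's IKE reached the outside interface and was dropped because nothing was listening. %PUB2% is the thread's own placeholder; the regular expressions, the sample config and the sample log are assumptions of this example, not Cisco's parser or output.

```python
"""Static checks for an ASA crypto map whose interface has no IKE enabled,
plus a scan of syslog for discarded IKE packets (added example, not from the thread)."""
import re

# Constructed sample modelled on the posted config; %PUB2% is the thread's
# placeholder for the remote public address, not a real value.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 192.168.100.2 255.255.255.0
crypto ipsec ikev1 transform-set aes256-sha1 esp-aes-256 esp-sha-hmac
crypto map outside 1 match address vpn-acl
crypto map outside 1 set peer %PUB2%
crypto map outside 1 set ikev1 transform-set aes256-sha1
crypto map outside interface outside
crypto ikev1 policy 1
 authentication pre-share
tunnel-group %PUB2% type ipsec-l2l
tunnel-group %PUB2% ipsec-attributes
 ikev1 pre-shared-key *****
"""

# Constructed log lines in the shape of the ones quoted in the thread.
SAMPLE_LOG = [
    "Jan 30 2019 12:40:39: %ASA-7-609001: Built local-host inside:LOCAL_IP",
    "Jan 30 2019 12:44:29: %ASA-7-710005: UDP request discarded from PUB2/500 to outside:192.168.100.2/500",
    "Jan 30 2019 12:44:31: %ASA-7-710005: UDP request discarded from PUB2/500 to outside:192.168.100.2/500",
    "Jan 30 2019 12:45:02: %ASA-7-710005: UDP request discarded from 198.51.100.7/53 to outside:192.168.100.2/53",
]

MAP_BIND = re.compile(r"^crypto map (\S+) interface (\S+)\s*$", re.M)
IKE_ENABLE = re.compile(r"^crypto (ikev1|ikev2) enable (\S+)\s*$", re.M)
MAP_VERSION = re.compile(r"^crypto map (\S+) \d+ set (ikev1|ikev2) ", re.M)
MAP_PEER = re.compile(r"^crypto map (\S+) \d+ set peer (\S+)", re.M)
L2L_GROUP = re.compile(r"^tunnel-group (\S+) type ipsec-l2l", re.M)
IKE_DISCARD = re.compile(
    r"%ASA-\d-710005: UDP request discarded from (\S+)/\d+ to (\S+):\S+/(500|4500)$"
)


def missing_ike(config):
    """Map each interface that carries a crypto map to the IKE versions the
    map's entries reference but that are not enabled on that interface."""
    enabled = {}
    for ver, ifc in IKE_ENABLE.findall(config):
        enabled.setdefault(ifc, set()).add(ver)
    required = {}
    for name, ver in MAP_VERSION.findall(config):
        required.setdefault(name, set()).add(ver)
    result = {}
    for name, ifc in MAP_BIND.findall(config):
        need = required.get(name, set())
        have = enabled.get(ifc, set())
        if not need and not have:
            # Entries name no IKE version and nothing is enabled: flag both.
            result[ifc] = ["ikev1", "ikev2"]
        else:
            result[ifc] = sorted(need - have)
    return result


def peers_without_tunnel_group(config):
    """Crypto-map peers with no matching ipsec-l2l tunnel-group, another
    configuration gap that keeps Phase 1 from ever starting."""
    groups = set(L2L_GROUP.findall(config))
    return sorted({peer for _, peer in MAP_PEER.findall(config)} - groups)


def ike_discards(log_lines):
    """Count 710005 discards aimed at UDP 500/4500, keyed by (source, interface).
    IKE arriving and being discarded points at a missing IKE listener on that
    interface rather than at NAT-T."""
    counts = {}
    for line in log_lines:
        m = IKE_DISCARD.search(line)
        if m:
            key = (m.group(1), m.group(2))
            counts[key] = counts.get(key, 0) + 1
    return counts


def report(config, log_lines):
    """Human-readable findings, config gaps first, then log evidence."""
    findings = []
    for ifc, vers in missing_ike(config).items():
        for ver in vers:
            findings.append(f"crypto {ver} enable {ifc} is missing")
    for peer in peers_without_tunnel_group(config):
        findings.append(f"no ipsec-l2l tunnel-group for peer {peer}")
    for (src, ifc), n in ike_discards(log_lines).items():
        findings.append(f"{n} IKE packets from {src} discarded on {ifc}")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_CONFIG, SAMPLE_LOG):
        print(finding)
    fixed = SAMPLE_CONFIG + "crypto ikev1 enable outside\n"
    print("after fix:", missing_ike(fixed))
```

Run against the sample, the first finding is the missing "crypto ikev1 enable outside"; appending that line clears it. The two other symptoms on this page (packet-tracer dropping at the VPN encrypt phase and the "need-ike" flow drops) are consistent with the same cause: the flow is diverted to the crypto map, but no IKE negotiation can be started on the interface.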