cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1617
Views
0
Helpful
5
Replies

Cisco ASA NAT-T VPN issue

storm1kk
Level 1
Level 1

Hello!

 

I have a new Cisco ASA VPN configuration, it's different from I did before - it's behind NAT and I need some advices if it possible.

 

So, I have next structure:

 

Site A: 

ASAv (192.168.100.2) -> 1to1 NAT -> VMware Edge Gateway Services -> 1to1 NAT -> Fortigate -> Public address (PUB1)

Site B:

ASA (PUB2) - it's OK.

 

And I can't create an IPsec between this two sites, ASAv doesn't want to create Phase1 (no messages in debug, PT got en error on VPN phase, also I have some strange sort of asp drops).

 

ASAv VPN configuration:

 

crypto map outside 1 match address vpn-acl

crypto map outside 1 set pfs 

crypto map outside 1 set peer %PUB2% 

crypto map outside 1 set ikev1 transform-set aes256-sha1

crypto map outside interface outside

 

tunnel-group %PUB2% type ipsec-l2l

tunnel-group %PUB2% ipsec-attributes

 ikev1 pre-shared-key *****

 

access-list vpn-acl extended permit ip object-group local object-group remote log disable

 

packet-tracer input inside tcp (ip from local object-group) 5555 (ip from remote object-group) 4444

 

Phase: 1

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

found next-hop 192.168.100.1 using egress ifc  outside

 

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static local local destination static remote remote no-proxy-arp route-lookup

Additional Information:

NAT divert to egress interface outside

Untranslate (ip from local object-group)/5555 to (ip from local object-group)/5555

 

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_in in interface inside

access-list inside_in extended permit ip any any 

Additional Information:

 

Phase: 4

Type: NAT

Subtype: 

Result: ALLOW

Config:

nat (inside,outside) source static local local destination static remote remote no-proxy-arp route-lookup

Additional Information:

Static translate (ip from remote object-group)/5555 to (ip from remote object-group)/5555

 

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 

Phase: 6

Type: IP-OPTIONS

Subtype: 

Result: ALLOW 

Config:

Additional Information:

 

Phase: 7

Type: QOS

Subtype: 

Result: ALLOW

Config:

Additional Information:

 

Phase: 8

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

 

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

 

sh asp drop

 

Frame drop:

  Flow is denied by configured rule (acl-drop)                                21

  IKE new SA limit exceeded (ike-sa-rate-limit)                               12

 

Last clearing: 09:31:40 UTC Jan 30 2019 by enable_15

 

Flow drop:

  Need to start IKE negotiation (need-ike)                                    42

 

 

NAT-T enabled. Ping is OK - site A can ping site B and src&dst are correct.

 

I'm confused because I have no messages in debug log and I have strange asp drops.

 

Please, help me to resolve this.

 

1 Accepted Solution

Accepted Solutions

Fixed.

 

Need to be enabled ikev1.

 

crypto ikev1 enable outside

View solution in original post

5 Replies 5

NAT-T is globally enable on the security appliance by default automatically detect NAT and change the phase 1 upd 500 in to  4500.

 

but load the config of the firewall.

 

please do not forget to rate.

sh run

: Saved

 

: 

: Serial Number: 

: Hardware:   ASAv, 1536 MB RAM, CPU Xeon E5 series 2600 MHz

:

ASA Version 9.10(1) 

!

hostname smartcloud

enable password ***** pbkdf2

names

no mac-address auto

 

!

interface GigabitEthernet0/0

 description 

 nameif outside

 security-level 100

 ip address 192.168.100.2 255.255.255.0 

!

interface GigabitEthernet0/1

 nameif inside

 security-level 100

 ip address %local_addr% 255.255.255.0 

!            

ftp mode passive

same-security-traffic permit inter-interface

object-group network local

 network-object %local_subnet% 255.255.255.0

object-group network remote

 network-object %remote_subnet% 255.255.255.0

access-list outside_in extended permit ip any any 

access-list vpn-acl extended permit ip object-group local object-group remote log disable 

access-list inside_in extended permit ip any any 

access-list inside_out extended permit ip any any 

access-list outside_out extended permit ip any any 

pager lines 23

logging enable

logging timestamp

logging buffer-size 52428800

logging buffered debugging

logging trap debugging

logging facility 23

logging debug-trace

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

arp rate-limit 8192

nat (inside,outside) source static local ocal destination static remote remote no-proxy-arp route-lookup

access-group outside_in in interface outside

access-group outside_out out interface outside

access-group inside_in in interface inside

access-group inside_out out interface inside

route outside 0.0.0.0 0.0.0.0 192.168.100.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

timeout igp stale-route 0:01:10

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL 

aaa authentication login-history

no snmp-server location

no snmp-server contact

crypto ipsec ikev1 transform-set aes256-sha1 esp-aes-256 esp-sha-hmac 

crypto ipsec security-association pmtu-aging infinite

crypto map outside 1 match address vpn-acl

crypto map outside 1 set pfs 

crypto map outside 1 set peer %PUB2% 

crypto map outside 1 set ikev1 transform-set aes256-sha1

crypto map outside interface outside

crypto ca trustpool policy

 auto-import

crypto ikev1 policy 1

 authentication pre-share

 encryption aes-256

 hash sha

 group 2

 lifetime 28800

telnet timeout 5

ssh stricthostkeycheck

ssh %IP_ADDR% 255.255.255.255 outside

ssh timeout 60

ssh version 2

ssh key-exchange group dh-group14-sha1

console timeout 5

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

dynamic-access-policy-record DfltAccessPolicy

username %USERNAME% password ***** pbkdf2

tunnel-group %PUB2%  type ipsec-l2l

tunnel-group %PUB2%  ipsec-attributes

 ikev1 pre-shared-key *****

!

!

prompt hostname context 

call-home

 profile License

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination transport-method http

Cryptochecksum:eba89603857917c74cbbe89e3b0cae96

: end

configuration look ok to me.

when you do a packet tracker after giving command can you show us the out of theses command

 

show crypto ikev1 sa   / show crypto isakmp sa

show crypto ipsec

!

also ask the other side to sent a packet to its interested ACL.

please do not forget to rate.

After PT command I see nothing in sh cry ikev1 sa.

But I see interesting things in logs:

Jan 30 2019 12:40:39: %ASA-7-609001: Built local-host inside:LOCAL_IP
Jan 30 2019 12:40:39: %ASA-7-609001: Built local-host outside:REMOTE_IP
Jan 30 2019 12:40:39: %ASA-7-609002: Teardown local-host inside:LOCAL_IP duration 0:00:00
Jan 30 2019 12:40:39: %ASA-7-609002: Teardown local-host outside:REMOTE_IPduration 0:00:00

Also, after attemtion from other side:

Jan 30 2019 12:44:29: %ASA-7-710005: UDP request discarded from PUB2/500 to outside:192.168.100.2/500

What does it mean? Nat-T is not working or ?

Fixed.

 

Need to be enabled ikev1.

 

crypto ikev1 enable outside

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: