Solved: Disable NAT for VPN site to site

Houari DALI YOUCEF · ‎04-21-2012

Hi everybody,

I work in a company, and we had to make a site to site VPN.

Everything is working good, except that packets sent from my site are NATed, in other words: the firewall of the other site (site_B) see only the IP address of my firewall (Site_A).

I tried to resolve the problem but no success,I think that the Nating of the VPN's packets is the problem.

Here is my current running config:

ASA Version 8.3(2)

!

hostname ciscoasa

enable password 9U./y4ITpJEJ8f.V encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.67.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 41.220.X.Y 255.255.255.252 (External WAN public IP Address)

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone CET 1

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network 41.220.X1.Y1

host 41.220.X1.Y1

object network NETWORK_OBJ_192.168.67.0_24

subnet 192.168.67.0 255.255.255.0

object network NETWORK_OBJ_172.19.32.0_19

subnet 172.19.32.0 255.255.224.0

object network 194.2.176.18

host 194.2.XX.YY (External IP address public of the other site (Site_B))

description 194.2.XX.YY

access-list inside_access_in extended permit ip any any log warnings

access-list inside_access_in extended permit ip object NETWORK_OBJ_172.19.32.0_19 object NETWORK_OBJ_192.168.67.0_24 log debugging

access-list inside_access_in extended permit ip object 194.2.176.18 any log debugging

access-list inside_access_in extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

access-list outside_1_cryptomap extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0 log debugging

access-list outside_1_cryptomap extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

access-list 1111 standard permit 172.19.32.0 255.255.224.0

access-list 1111 standard permit 192.168.67.0 255.255.255.0

access-list outside_1_cryptomap_1 extended permit ip 172.19.32.0 255.255.224.0 any log debugging

access-list outside_1_cryptomap_1 extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

access-list outside_1_cryptomap_2 extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0 log debugging

access-list outside_1_cryptomap_2 extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

access-list outside_access_in extended permit ip any any log warnings

access-list outside_access_in extended permit ip object 194.2.XX.YY any log debugging

access-list outside_access_in extended permit ip any object NETWORK_OBJ_172.19.32.0_19 log debugging

access-list nonat extended permit ip 192.168.67.0 255.255.255.0 176.19.32.0 255.255.224.0

access-list nonat extended permit ip 192.168.67.0 255.255.255.0 172.19.32.0 255.255.224.0

pager lines 24

logging enable

logging monitor informational

logging asdm warnings

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic any interface

nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 41.220.X.Y 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.67.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap_2

crypto map outside_map 1 set peer 194.2.XX.YY

crypto map outside_map 1 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

telnet 192.168.67.200 255.255.255.255 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 30

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username bel_md password HSiYQZRzgeT8u.ml encrypted privilege 15

username nebia_said password qQ6OoFJ5IJa6sgLi encrypted privilege 15

tunnel-group 194.2.XX.YY type ipsec-l2l

tunnel-group 194.2.XX.YY ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

inspect ipsec-pass-thru

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:0398876429c949a766f7de4fb3e2037e

: end

If you need another informations or explanation, just ask me.

My Firewall Model: ASA 5505.

Thanks you for help.

Mohammad Abazeed · ‎04-21-2012

Hey Houari,

I am suspecting something with the order of your NATing statment which is:

nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19

Can you please have this change applied on the ASA:

no nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19

nat (inside,outside) 1 source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19

Try and let me know how it goes.

If it didn't help, please put the output form a packet-tracer going form your internal network to the remote VPN subnet along with the output from "show nat detail".

HTH,

Mo.

View solution in original post

Mohammad Abazeed · ‎04-21-2012

Hey Houari,

I am suspecting something with the order of your NATing statment which is:

nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19

Can you please have this change applied on the ASA:

no nat (inside,outside) source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19

nat (inside,outside) 1 source static NETWORK_OBJ_192.168.67.0_24 NETWORK_OBJ_192.168.67.0_24 destination static NETWORK_OBJ_172.19.32.0_19 NETWORK_OBJ_172.19.32.0_19

Try and let me know how it goes.

If it didn't help, please put the output form a packet-tracer going form your internal network to the remote VPN subnet along with the output from "show nat detail".

HTH,

Mo.

Houari DALI YOUCEF · ‎04-21-2012

Thank you Mohamad for your response.

I'll do it tomorrow at work (it's 21:20 now)

Thank you.

Houari DALI YOUCEF · ‎04-22-2012

Hi,

I did the commands on my asa, and the result of the packet tracer:

It seems to be ok ?

I didn't make test with the other site (Site_B), tomorrow i will continue the test with Site_B's IT

Thanks.

Houari DALI YOUCEF · ‎04-23-2012

Thank you Mohammad Abazeed, that solved my problem.

I just tested with the site_b's IT.

Once more time, thank you

Mohammad Abazeed · ‎04-23-2012

Good to know .. and you are welcome.