Hello,

 

There's nothing in the way to restrict the ports - on both ASA's its also ticked to bypass interface ACL's for inbound sessions.

One thing I have noticed with debugging on the local side, I am seeing the below message:

 

7

Mar 06 2019

15:27:15

710005

<remote peer IP>

500

<local peer IP>

500

UDP request discarded from xx.xx.xx.xx/500 to leasedline:xx.xx.xx.xx/500

 

Not sure why or how to fix it though - ports are all open - i've tried adding additional rules just to make sure.

I don't mean necessarily mean ACLs restricting connectivity on the ASA themselves, I was referring to the routers in the path - do they have ACLs. Although you can define an ACL on the ASA and assign to the control plane, check the running config for "control-plane", if nothing defined you aren't restricting on the local ASAs.

Do you control the other device?
What about the debugs from the other ASA?
Can you provide the configuration for both devices

Double check the static nat on the router "show ip nat trans" and ensure it's definately natting from the expected IP address.

There 's no ACL's on path either, so no issue there.

I do control the other device, the remote device doesn't see a reply to it's VPN requests. It's config is below:

nat (any,any) source static <local subnet> <local subnet> destination static <remote subnet> <remote subnet> no-proxy-arp

access-list outside_cryptomap_1 extended permit ip object <local subnet> object <remote subnet>

crypto map outside_map3 1 match address outside_cryptomap_1
crypto map outside_map3 1 set peer <peer IP>
crypto map outside_map3 1 set ikev2 ipsec-proposal AES256
crypto map outside_map3 1 set ikev2 pre-shared-key *****
crypto map outside_map3 1 set security-association lifetime kilobytes unlimited
crypto map outside_map3 interface outside

tunnel-group <peer IP> type ipsec-l2l
tunnel-group <peer IP> general-attributes
default-group-policy GroupPolicy1
tunnel-group <peer IP> ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!

I am fairly sure the issue is with the local ASA and it's NAT rule... doing as you suggested and checking the NAT translations, as per below output, it untranslates (inbound) just fine but there are no translate hits (outbound) - which is why i think the local ASA is trying to initiate using its interface IP which is a private IP and isn't following this NAT rule...

[Hostname]# show nat trans <local public IP>

Auto NAT Policies (Section 2)
1 (any) to (any) source static <local private ip of outside interface> <local public ip assigned> no-proxy-arp
translate_hits = 0, untranslate_hits = 38

I was referring to the nat on the router not the ASA.

Seeing as you haven't established an IKE or IPSec SA the nat configuration on the either ASA would not be the issue.

Run a packet capture for udp/500 on the remote ASA and see if any communication and confirm the source IP address is actually correct.

 

Do you have actually have crypto ikev2 enable OUTSIDE configured?or whatever the outside interface name is

Do you have the full IKEv2 configuration defined?

Sorry maybe I didn't explain sufficiently in the OP. The routers do not do any NAT - essentially forget the router's exist.

The firewall has it's outside interface as a private IP. I had then configured a NAT rule on the firewall that NAT's the interface private IP to a public IP. The public IP is a routed subnet pointed at the private IP of the firewall, so is not a configured interface. This works for all inside,outside NAT but when sourcing from the firewall outside interface its self, I do not believe it is NAT'ing as per above rule, therefore the request isn't reaching the internet, to reach the remote peer IP. I'll look at setting up some capture further down the path to confirm this though.

Yes ikev2 is enabled on the 'outside' interface on both ends and full configuration. This IPSEC config worked previously until it was changed from the public IP's being physically applied to the 'outside' interface to being routed in. The change was to allow the public IP's to be available over different WAN links, depending on the active state. As above, all other traffic is working - it is only the VPN trying to establish to the device.

Does that make sense?

Ok, I understand what you trying to do....I've never personally tried that before.
Run a packet capture on the next hop router and confirm the source IP address, to determine if it's being natted and if it is actually attempting to even communicate.

---

@colin.painter wrote:
Sorry maybe I didn't explain sufficiently in the OP. The routers do not do any NAT - essentially forget the router's exist.

The firewall has it's outside interface as a private IP. I had then configured a NAT rule on the firewall that NAT's the interface private IP to a public IP. The public IP is a routed subnet pointed at the private IP of the firewall, so is not a configured interface. This works for all inside,outside NAT but when sourcing from the firewall outside interface its self, I do not believe it is NAT'ing as per above rule, therefore the request isn't reaching the internet, to reach the remote peer IP. I'll look at setting up some capture further down the path to confirm this though.

Yes ikev2 is enabled on the 'outside' interface on both ends and full configuration. This IPSEC config worked previously until it was changed from the public IP's being physically applied to the 'outside' interface to being routed in. The change was to allow the public IP's to be available over different WAN links, depending on the active state. As above, all other traffic is working - it is only the VPN trying to establish to the device.

Does that make sense?

---

Hi Colin.

I am also working on one of the similar requirement which needs to have IPSEC VPN over internet but the ASA instead has a private IP while a public LAN pool is pointed to ASA. Does this scenario worked for you to establish IPSEC VPN with the nat configured on the outside interface to a public LAN IP ? That way will save public IP to be allocated to the upstream edge device back to the ASA and will allow me to use private IP for transit.

 

Hi @anant.gaggar 

You can only establish a VPN to the ASA using it's physical IP address. If an upstream device (router) is NATTING the public IP address to the private IP address of the ASA's outside, that will work. What won't work is attempting to establish a tunnel to the ASA using a NAT defined on the ASA. ASA nat rules are for traffic through the ASA not to the ASA.

 

HTH

---

@Rob Ingram wrote:

Hi @anant.gaggar 

You can only establish a VPN to the ASA using it's physical IP address. If an upstream device (router) is NATTING the public IP address to the private IP address of the ASA's outside, that will work. What won't work is attempting to establish a tunnel to the ASA using a NAT defined on the ASA. ASA nat rules are for traffic through the ASA not to the ASA.

 

HTH

---

Thanks @Rob Ingram 

In my scenario, the upstream device is not doing the NAT by design. So as I understand this will not work on ASA even if we NAT on the ASA on its outside interface considering it is for traffic through the ASA and not to the ASA. Not even by changing this behaviour at control plane ? Not sure if thats possible.

Not sure I fully understand your last comment. Aren't you establishing a VPN tunnel to the ASA? Or NATTING to another device on the inside of the ASA.

 

 

---

@Rob Ingram wrote:

Not sure I fully understand your last comment. Aren't you establishing a VPN tunnel to the ASA? Or NATTING to another device on the inside of the ASA.

 

---

Hi @Rob Ingram 

I would want to establish VPN tunnel to the ASA only with NAT from ASA outside private to public IP.

No, you can only establish a VPN to the ASA using it's physical IP address assigned to the interface. So you cannot NAT on the ASA to it's own outside interface private IP address.