IPSEC VPN - Outside interface is a Private IP

colin.painter
Level 1

Hi All,

 

I'm sure there is a simple answer I am missing here, so hopefully I am enlightened quickly!

 

We have a Cisco ASA5516-X on site whose outside interface is a private IP on a /30. This goes to a router that pushes to a core network and straight to internet peerings, which naturally the private range won't be able to get out of. So for internet access we then have a routed /28 of public IPs pointing at our ASA, with our NAT overload, PAT etc. using these IPs for normal inside,outside NAT.

 

We need an IPSEC VPN configured to this firewall, and I have set a one-to-one static NAT for the 'outside interface' private IP to one of these public IPs and configured the VPN via the ASDM. From the remote end, if I ping the public IP it replies just fine, but the VPN will not establish, and at the remote end I don't even see in the logs the traffic reaching it to try to establish even phase one, so I'm suspecting that the VPN traffic is pushing out of the 'outside' interface on a private IP and not being NATed. Is there config I am missing to make this work please?

 

Config below <IPs removed>:

 

interface GigabitEthernet1/8
description WAN-1 | LeasedLine
nameif outside
security-level 0
ip address 10.10.254.170 255.255.255.252

 

object network OUTSIDE-INT
host 10.10.254.170
nat (outside,outside) static <public IP>

 

nat (inside,outside) source static <local subnet> <local subnet> destination static <remote subnet> <remote subnet> no-proxy-arp


access-list cryptomap_rules_1 extended permit ip object <local subnet> object <remote subnet>


crypto map outside_map1 1 match address cryptomap_rules_1
crypto map outside_map1 1 set peer <peer IP>
crypto map outside_map1 1 set ikev2 ipsec-proposal AES-256
crypto map outside_map1 1 set ikev2 pre-shared-key *****
crypto map outside_map1 interface outside


tunnel-group <peer IP> type ipsec-l2l
tunnel-group <peer IP> general-attributes
default-group-policy GroupPolicy1
tunnel-group <peer IP> ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

13 Replies

Hi,
If you can ping the peer but it won't attempt to establish a tunnel, do you have an ACL or firewall in between that could be blocking traffic? As you are NATing, you will need udp/500 and udp/4500?

Do you control the other peer device? Can you enable ikev2 debugs on both ends and attempt to establish a tunnel, post the outputs here.

Hello,

 

There's nothing in the way to restrict the ports - on both ASAs it's also ticked to bypass interface ACLs for inbound sessions.

One thing I have noticed with debugging on the local side, I am seeing the below message:

 

7 | Mar 06 2019 | 15:27:15 | 710005 | <remote peer IP> | 500 | <local peer IP> | 500 | UDP request discarded from xx.xx.xx.xx/500 to leasedline:xx.xx.xx.xx/500

 

Not sure why or how to fix it though - ports are all open - I've tried adding additional rules just to make sure.

I don't necessarily mean ACLs restricting connectivity on the ASAs themselves, I was referring to the routers in the path - do they have ACLs? Although you can define an ACL on the ASA and assign it to the control plane; check the running config for "control-plane", if nothing is defined you aren't restricting on the local ASAs.

Do you control the other device?
What about the debugs from the other ASA?
Can you provide the configuration for both devices

Double check the static NAT on the router ("show ip nat trans") and ensure it's definitely NATing from the expected IP address.

There are no ACLs in the path either, so no issue there.

I do control the other device; the remote device doesn't see a reply to its VPN requests. Its config is below:

nat (any,any) source static <local subnet> <local subnet> destination static <remote subnet> <remote subnet> no-proxy-arp

access-list outside_cryptomap_1 extended permit ip object <local subnet> object <remote subnet>

crypto map outside_map3 1 match address outside_cryptomap_1
crypto map outside_map3 1 set peer <peer IP>
crypto map outside_map3 1 set ikev2 ipsec-proposal AES256
crypto map outside_map3 1 set ikev2 pre-shared-key *****
crypto map outside_map3 1 set security-association lifetime kilobytes unlimited
crypto map outside_map3 interface outside

tunnel-group <peer IP> type ipsec-l2l
tunnel-group <peer IP> general-attributes
default-group-policy GroupPolicy1
tunnel-group <peer IP> ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!

I am fairly sure the issue is with the local ASA and its NAT rule... doing as you suggested and checking the NAT translations, as per the output below, it untranslates (inbound) just fine but there are no translate hits (outbound) - which is why I think the local ASA is trying to initiate using its interface IP, which is a private IP, and isn't following this NAT rule...

[Hostname]# show nat trans <local public IP>

Auto NAT Policies (Section 2)
1 (any) to (any) source static <local private ip of outside interface> <local public ip assigned> no-proxy-arp
translate_hits = 0, untranslate_hits = 38
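The asymmetry in that output (untranslate hits but zero translate hits on the rule for the interface address) is the symptom the thread turns on. As an added example, not from the thread or from Cisco, here is a small parser for `show nat` output that extracts the per-rule hit counters and flags rules that are only ever hit in the reverse direction; the sample output and its addresses are constructed placeholders.

```python
import re

# Constructed sample of ASA "show nat" output, modelled on the redacted
# output in the thread. Addresses and object names are placeholders.
SAMPLE_SHOW_NAT = """\
Auto NAT Policies (Section 2)
1 (any) to (any) source static OUTSIDE-INT 203.0.113.10 no-proxy-arp
    translate_hits = 0, untranslate_hits = 38
2 (inside) to (outside) source dynamic INSIDE-NET interface
    translate_hits = 1042, untranslate_hits = 0
"""

# "<id> (<src_if>) to (<dst_if>) source <static|dynamic> <real> <mapped> ..."
RULE_RE = re.compile(
    r"^(\d+)\s+\((\S+)\)\s+to\s+\((\S+)\)\s+source\s+(\S+)\s+(\S+)\s+(\S+)"
)
HITS_RE = re.compile(r"translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")


def parse_show_nat(text):
    """Return one dict per NAT rule, with its forward/reverse hit counters."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "id": int(m.group(1)), "src_if": m.group(2), "dst_if": m.group(3),
                "kind": m.group(4), "real": m.group(5), "mapped": m.group(6),
                "translate_hits": None, "untranslate_hits": None,
            })
            continue
        m = HITS_RE.search(line)
        if m and rules:  # counters belong to the most recently seen rule
            rules[-1]["translate_hits"] = int(m.group(1))
            rules[-1]["untranslate_hits"] = int(m.group(2))
    return rules


def inbound_only_rules(rules):
    """Rules that untranslate inbound traffic but never translate outbound.

    For a static rule on the ASA's own outside address this matches the
    thread's diagnosis: ASA NAT rules apply to traffic through the ASA, not
    to traffic the ASA itself originates, so only the reverse path is hit.
    """
    return [r for r in rules if r["untranslate_hits"] and not r["translate_hits"]]
```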

I was referring to the nat on the router not the ASA.

Seeing as you haven't established an IKE or IPsec SA, the NAT configuration on either ASA would not be the issue.

Run a packet capture for udp/500 on the remote ASA, see if there is any communication, and confirm the source IP address is actually correct.

 

Do you actually have "crypto ikev2 enable OUTSIDE" (or whatever the outside interface name is) configured?

Do you have the full IKEv2 configuration defined?

Sorry, maybe I didn't explain sufficiently in the OP. The routers do not do any NAT - essentially forget the routers exist.

The firewall has its outside interface as a private IP. I had then configured a NAT rule on the firewall that NATs the interface private IP to a public IP. The public IP is a routed subnet pointed at the private IP of the firewall, so is not a configured interface. This works for all inside,outside NAT, but when sourcing from the firewall outside interface itself, I do not believe it is NATing as per the above rule, therefore the request isn't reaching the internet to reach the remote peer IP. I'll look at setting up some capture further down the path to confirm this though.

Yes, ikev2 is enabled on the 'outside' interface on both ends, with full configuration. This IPSEC config worked previously until it was changed from the public IPs being physically applied to the 'outside' interface to being routed in. The change was to allow the public IPs to be available over different WAN links, depending on the active state. As above, all other traffic is working - it is only the VPN trying to establish to the device.

Does that make sense?

Ok, I understand what you're trying to do... I've never personally tried that before.
Run a packet capture on the next hop router and confirm the source IP address, to determine if it's being natted and if it is actually attempting to even communicate.



Hi Colin.

I am also working on a similar requirement which needs to have an IPSEC VPN over the internet, but the ASA instead has a private IP while a public LAN pool is pointed to the ASA. Did this scenario work for you to establish the IPSEC VPN with the NAT configured on the outside interface to a public LAN IP? That way will save a public IP being allocated to the upstream edge device back to the ASA and will allow me to use a private IP for transit.



 

Hi @anant.gaggar 

You can only establish a VPN to the ASA using its physical IP address. If an upstream device (router) is NATing the public IP address to the private IP address of the ASA's outside, that will work. What won't work is attempting to establish a tunnel to the ASA using a NAT defined on the ASA. ASA NAT rules are for traffic through the ASA, not to the ASA.

 

HTH



Thanks @Rob Ingram 

In my scenario, the upstream device is not doing the NAT by design. So as I understand it, this will not work on the ASA even if we NAT on the ASA on its outside interface, considering it is for traffic through the ASA and not to the ASA. Not even by changing this behaviour at the control plane? Not sure if that's possible.



Not sure I fully understand your last comment. Aren't you establishing a VPN tunnel to the ASA? Or NATing to another device on the inside of the ASA?

 

 



Hi @Rob Ingram 

I would want to establish a VPN tunnel to the ASA only, with NAT from the ASA outside private IP to a public IP.

No, you can only establish a VPN to the ASA using the physical IP address assigned to its interface. So you cannot NAT on the ASA to its own outside interface private IP address.