
NAT Does Not Appear to Be Working with ASA 8.4(2)

mhaskett74
Level 1

I've recently been tasked with providing access to several internal servers to a remote site via one of our ASAs.  In order to keep things simple, I have begun by creating a single static NAT rule for one of the servers.  The Site-to-Site VPN connection profile was then created and testing has begun.  Unfortunately it looks as though the NAT rule isn't working.  As I monitor the tunnel, I still see our internal number being broadcasted and not the mapped address, which prevents the tunnel from being established.  The remote site has verified that this is what they are seeing too.

Appliance:

ASA 5510

ASA 8.4(2)

ASDM 6.4(5)

Address Legend:

(Note: The following addresses are not actual addresses.)

188.0.0.69 = Remote site peer address

188.1.1.69 = Remote site computer

20.0.0.106 = Internal computer real address

20.1.0.106 = Mapped address

99.0.0.100 = Our peer address

NAT Rule:

object network 20.0.0.106

nat (Inside,Outside) static 20.1.0.106 service tcp 204 204

Log Sample:

5|Aug 11 2011|16:30:48|713041|||||IP = 188.0.0.69, IKE Initiator: New Phase 1, Intf Inside, IKE Peer 188.0.0.69  local Proxy Address 20.0.0.106, remote Proxy Address 188.1.1.69,  Crypto map (Outside_map)

6|Aug 11 2011|16:30:48|302015|99.0.0.100|500|188.0.0.69|500|Built outbound UDP connection 989639 for Outside:188.0.0.69/500 (188.0.0.69/500) to identity:99.0.0.100/500 (99.0.0.100/500)

6|Aug 11 2011|16:30:49|713172|||||Group = 188.0.0.69, IP = 188.0.0.69, Automatic NAT Detection Status:    Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

6|Aug 11 2011|16:30:49|113009|||||AAA retrieved default group policy (Remote_Site_Policy) for user = 188.0.0.69

5|Aug 11 2011|16:30:49|713119|||||Group = 188.0.0.69, IP = 188.0.0.69, PHASE 1 COMPLETED

5|Aug 11 2011|16:30:49|713068|||||Group = 188.0.0.69, IP = 188.0.0.69, Received non-routine Notify message: Invalid ID info (18)

5|Aug 11 2011|16:30:49|713050|||||Group = 188.0.0.69, IP = 188.0.0.69, Connection terminated for peer 188.0.0.69.  Reason: Peer Terminate  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0

3|Aug 11 2011|16:30:49|713902|||||Group = 188.0.0.69, IP = 188.0.0.69, Removing peer from correlator table failed, no match!

5|Aug 11 2011|16:30:49|713259|||||Group = 188.0.0.69, IP = 188.0.0.69, Session is being torn down.  Reason: User Requested

4|Aug 11 2011|16:30:49|113019|||||Group = 188.0.0.69, Username = 188.0.0.69, IP = 188.0.0.69, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested

5|Aug 11 2011|16:30:48|713041|||||IP = 188.0.0.69, IKE Initiator: New Phase 1, Intf Inside, IKE Peer 188.0.0.69  local Proxy Address 20.0.0.106, remote Proxy Address 20.1.0.106,  Crypto map (Outside_map)

6|Aug 11 2011|16:30:48|302015|99.0.0.100|500|188.0.0.69|500|Built outbound UDP connection 989639 for Outside:188.0.0.69/500 (188.0.0.69/500) to identity:99.0.0.100/500 (99.0.0.100/500)

6|Aug 11 2011|16:30:49|713172|||||Group = 188.0.0.69, IP = 188.0.0.69, Automatic NAT Detection Status:    Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

6|Aug 11 2011|16:30:49|113009|||||AAA retrieved default group policy (Remote_Site_Policy) for user = 188.0.0.69

5|Aug 11 2011|16:30:49|713119|||||Group = 188.0.0.69, IP = 188.0.0.69, PHASE 1 COMPLETED

5|Aug 11 2011|16:30:49|713068|||||Group = 188.0.0.69, IP = 188.0.0.69, Received non-routine Notify message: Invalid ID info (18)

5|Aug 11 2011|16:30:49|713050|||||Group = 188.0.0.69, IP = 188.0.0.69, Connection terminated for peer 188.0.0.69.  Reason: Peer Terminate  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0

3|Aug 11 2011|16:30:49|713902|||||Group = 188.0.0.69, IP = 188.0.0.69, Removing peer from correlator table failed, no match!

5|Aug 11 2011|16:30:49|713259|||||Group = 188.0.0.69, IP = 188.0.0.69, Session is being torn down.  Reason: User Requested

4|Aug 11 2011|16:30:49|113019|||||Group = 188.0.0.69, Username = 188.0.0.69, IP = 188.0.0.69, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested

What am I doing wrong?

Thank you for your assistance in this matter.

3 Replies

Loren Kolnes
Cisco Employee

Hi Michael,

This does not appear to be related to NAT; it looks like an IPsec issue.

Can you provide a sanitized crypto configuration from each side of the tunnel? Please include the show output for the crypto access-list as well.

Thanks,

Loren

Thank you for your reply Loren.  Unfortunately I don't currently have access to the remote side's crypto configuration, since they are an external entity.  However, I can check in and see if I can get that info.

Hopefully this is the information that you requested:

access-list Outside_27_cryptomap extended permit tcp object 20.0.0.106 object Remote_Server object-group RemoteSite

Result of the command: "sh access-list Outside_27_cryptomap"

access-list Outside_27_cryptomap; 1 elements; name hash: 0x3a48e673

access-list Outside_27_cryptomap line 1 extended permit tcp object 20.0.0.106 object Remote_Server object-group RemoteSite (hitcnt=36) 0xce74f220

  access-list Outside_27_cryptomap line 1 extended permit tcp host 20.0.0.106 host 188.1.1.69 eq 204 (hitcnt=36) 0xdd218de0

Again, thank you for your help.

Hi Mike,

Is the above crypto ACL on your end or the remote end? The crypto ACL on your end should be like this:

access-list ACL1 permit ip host 20.1.0.106 host 188.1.1.69

The one on the remote end should be the opposite of the above:

access-list ACL2 permit ip host 188.1.1.69 host 20.1.0.106

Hope this helps!

Regards,

Prapanch
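The symptom in the log sample above (message 713041 announcing the real address 20.0.0.106 as the local proxy ID, followed by the peer's "Invalid ID info" notify in 713068) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses the pipe-delimited ASDM log format shown in the post and flags Phase 1 proxy IDs that carry a real (pre-NAT) address for which a static mapping is known. The real-to-mapped pairs and the sample lines are constructed from the thread's address legend.

```python
"""Flag ASA IKE proxy IDs that expose a real address where the mapped address is expected."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the thread's log (placeholder addresses from the legend).
SAMPLE_LOG = """\
5|Aug 11 2011|16:30:48|713041|||||IP = 188.0.0.69, IKE Initiator: New Phase 1, Intf Inside, IKE Peer 188.0.0.69  local Proxy Address 20.0.0.106, remote Proxy Address 188.1.1.69,  Crypto map (Outside_map)
5|Aug 11 2011|16:30:49|713119|||||Group = 188.0.0.69, IP = 188.0.0.69, PHASE 1 COMPLETED
5|Aug 11 2011|16:30:49|713068|||||Group = 188.0.0.69, IP = 188.0.0.69, Received non-routine Notify message: Invalid ID info (18)
"""

# Static NAT pairs (real -> mapped) that the peer is supposed to see; from the thread's legend.
STATIC_NAT: Dict[str, str] = {"20.0.0.106": "20.1.0.106"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PROXY_RE = re.compile(rf"local Proxy Address (?P<local>{IPV4}), remote Proxy Address (?P<remote>{IPV4})")


def parse_line(line: str) -> Optional[dict]:
    """Split one ASDM-style record: severity|date|time|msg_id|src|sport|dst|dport|text."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 9 or not fields[0].isdigit():
        return None
    return {"severity": int(fields[0]), "msg_id": fields[3], "text": "|".join(fields[8:])}


def proxy_ids(entry: dict) -> Optional[Tuple[str, str]]:
    """Return (local, remote) proxy addresses from a 713041 'New Phase 1' message."""
    if entry["msg_id"] != "713041":
        return None
    m = PROXY_RE.search(entry["text"])
    return (m.group("local"), m.group("remote")) if m else None


def find_untranslated_proxy(log_text: str, static_nat: Dict[str, str]) -> List[dict]:
    """Findings where the local proxy ID is a real address that has a static NAT mapping."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        ids = proxy_ids(entry) if entry else None
        if ids and ids[0] in static_nat:
            findings.append({"real": ids[0], "expected_mapped": static_nat[ids[0]], "remote": ids[1]})
    return findings


def saw_invalid_id(log_text: str) -> bool:
    """True if the peer rejected the proposed IDs (message 713068 with 'Invalid ID info')."""
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["msg_id"] == "713068" and "Invalid ID" in entry["text"]:
            return True
    return False
```

Run against the thread's first log block it reports 20.0.0.106 with expected mapped address 20.1.0.106, which is the mismatch the reply above points at: the crypto ACL should select the mapped address.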