01-21-2022 12:39 AM
Hello Cisco Community:
I have the following issue which is making me feel really frustrated.
I need to have a S2S VPN tunnel up and running between to FWs.
One side is a 5525 and the other is a 5505
Since i do not have access to the CLI on the 5505 (the one that, as far as i can see, it's presenting some issues) i will have to manually explain:
Tunnel is able to establish.
5525 have the following networks: 33.0/24 , 34.0/24 and 35.0/24
5505 have the following networks: 90.0/24 and 80.0/24
Once the tunnel is established, i can see that, from the 5505 side, i can RX packets from the network 33.0/24 but i cannot TX packets from network 90.0/24
Basically, when i go to ASDM, i can see how the RX counter keeps going up but TX is zero.
I've been trying and trying to see whats going on and i am really confused about the NAT rules i should set up.
If the scenario is this, what would be the basic configuration you guys would try? I have access to both ASA's ASDM managers but no CLI access. that's why i cannot copy/paste any output.
As i mentioned before, ASA 5505 hosts network 90.0/24 and 80.0/24, when people in the office are working, i can see TX and RX only from network 80.0/24 to network 33.0/24 and 35.0/24, but no normal traffic between 90.0/24 and the network ranges on the 5525.
Can anyone please help me? And sorry if this post is not too technical, i really don't know how much more i can explain since i cannot access the CLI and show the config
Thank you
Solved! Go to Solution.
01-21-2022 01:37 PM - edited 01-21-2022 01:39 PM
@AJPujol isn't this nat rule incorrect?
nat (outside,inside-90) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
shouldn't the source be inside-90 and destination outside? As red-80 and red-90 networks are local
nat (inside-90,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
That probably explain the asymetric nat error
FYI, this rule is an NAT exemption rule.
01-21-2022 02:02 PM
nat (inside-80,outside) source static Red-80 Red-80 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
01-21-2022 03:58 AM
- No cli-access is definitely a disadvantage in troubleshooting and testing, checkout : https://www.youtube.com/watch?v=lGbsQJOxjsI which at some point also uses CLI
M.
01-21-2022 04:04 AM
01-21-2022 01:10 PM
Thank you so much for the information! It seems that, whether i like it or not, the 4 hosts on the 90.0/24 that were not responding , were specific asterisks that "suddenly" started to inject TX ...
This scenario does not make me happy since now the VPN tunnel has no NAT exception, still, it "works"
While being logged on a 33.0/24 host, i try to ping a 90.0/24 hosts and it say something about asymmetric NAT rules matched.... (which i cannot see an ICMP response) but i guess i should ask that question on another post on a new topic ?
Thank you again!
01-21-2022 01:20 PM
@AJPujol something about asymmetric nat...would indicte you need to nat exempt traffic, because traffic is being translated!!
Run packet-tracer from the cli to simulate traffic and provide the output for review.
01-21-2022 01:42 PM
Rob, thank you so much! I will now run the packet-tracer command from the CORE FW and paste it here.
If i go to the monitor logging on ASDM (from the OFFICE side) i can see that asymmetric NAT rule issue
01-21-2022 01:30 PM
And FINALLY, this is the sh run output
Result of the command: "show running-config"
: Saved
:
: Serial Number: JMX190540J6
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname FW-HOSTNAME
enable password kwn0Q1zI.A6CxRDI encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 83,87-89
switchport mode trunk
shutdown
!
interface Ethernet0/2
!
interface Ethernet0/3
description INSIDE-OFFICE
switchport trunk allowed vlan 1,80,90
switchport mode trunk
!
interface Ethernet0/4
switchport access vlan 80
!
interface Ethernet0/5
switchport access vlan 90
switchport trunk allowed vlan 80,90
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.79.1 255.255.255.0
!
interface Vlan2
description Internet-Office
nameif outside
security-level 0
ip address 190.210.195.241 255.255.255.252
!
interface Vlan80
description ALL
nameif inside-80
security-level 100
ip address 192.168.80.1 255.255.255.0
!
interface Vlan83
description Devs
nameif inside-83
security-level 100
ip address 192.168.83.1 255.255.255.0
!
interface Vlan87
description CCR
nameif inside-87
security-level 100
ip address 192.168.87.1 255.255.255.0
!
interface Vlan88
description QA
nameif inside-88
security-level 100
ip address 192.168.88.1 255.255.255.0
!
interface Vlan89
description Guest
nameif inside-89
security-level 100
ip address 192.168.89.1 255.255.255.0
!
interface Vlan90
description INFRA
nameif inside-90
security-level 100
ip address 192.168.90.1 255.255.255.0
!
ftp mode passive
clock timezone ART -3
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network FW-CORE
host 192.168.9.125
object network Red-20
subnet 192.168.20.0 255.255.255.0
object network Red-33
subnet 192.168.33.0 255.255.255.0
object network Red-34
subnet 192.168.34.0 255.255.255.0
object network Red-35
subnet 192.168.35.0 255.255.255.0
object network Red-9
subnet 192.168.9.0 255.255.255.0
object network PUBLICA-FW-CORE
host 200.XXX.XXX.XXX
object network Red-80
subnet 192.168.80.0 255.255.255.0
object network Red-90
subnet 192.168.90.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_1
network-object object Red-80
network-object object Red-90
object-group network DM_INLINE_NETWORK_2
network-object object Red-33
network-object object Red-34
network-object object Red-35
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list outside_access_in extended permit ip any any
access-list inside-90_access_in extended permit ip any any
access-list inside-90_access_in extended permit ip object Red-90 any
access-list inside-80_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu inside-80 1500
mtu inside-83 1500
mtu inside-87 1500
mtu inside-88 1500
mtu inside-89 1500
mtu inside-90 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside-90) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
!
nat (outside,inside-90) after-auto source static any any unidirectional no-proxy-arp
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group inside-80_access_in in interface inside-80
access-group inside-90_access_in in interface inside-90
route outside 0.0.0.0 0.0.0.0 190.XXX.XXXX.XXX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.79.0 255.255.255.0 inside
http 192.168.35.37 255.255.255.255 inside
http 192.168.12.0 255.255.255.0 inside
http 192.168.90.0 255.255.255.0 inside-90
http 192.168.80.0 255.255.255.0 inside-80
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 200.XXX.XXX.XXX
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable inside
crypto ikev2 enable outside
crypto ikev2 enable inside-80
crypto ikev2 enable inside-90
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 enable inside-80
crypto ikev1 enable inside-90
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash md5
group 1
lifetime 86400
crypto ikev1 policy 3
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.12.0 255.255.255.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.79.5-192.168.79.6 inside
!
dhcpd address 192.168.80.100-192.168.80.200 inside-80
dhcpd dns 8.8.8.8 interface inside-80
dhcpd enable inside-80
!
dhcpd address 192.168.83.100-192.168.83.200 inside-83
dhcpd enable inside-83
!
dhcpd address 192.168.87.100-192.168.87.200 inside-87
dhcpd enable inside-87
!
dhcpd address 192.168.88.100-192.168.88.200 inside-88
dhcpd enable inside-88
!
dhcpd address 192.168.89.60-192.168.89.200 inside-89
dhcpd enable inside-89
!
dhcpd address 192.168.90.100-192.168.90.149 inside-90
dhcpd dns 8.8.8.8 interface inside-90
dhcpd enable inside-90
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy GroupPolicy_200.XXX.XXX.XXX internal
group-policy GroupPolicy_200.XXX.XXX.XXX attributes
vpn-tunnel-protocol ikev1 ikev2
username ROOT-USERNAME password xxXXxxxxXXxxXX encrypted privilege 15
username SU-ROOT-USERNAME password xxXXxxxxXXxxXX encrypted privilege 15
tunnel-group 200.xxx.xxx.xxx type ipsec-l2l
tunnel-group 200.xxx.xxx.xxx general-attributes
default-group-policy GroupPolicy_200.xxx.xxx.xxx
tunnel-group 200.xxx.xxx.xxx ipsec-attributes
ikev1 pre-shared-key xxxxx
ikev2 remote-authentication pre-shared-key xxxxx
ikev2 local-authentication pre-shared-key xxxxx
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum: xxXXXxxxxXXXxxxxxXX
: end
01-21-2022 01:37 PM - edited 01-21-2022 01:39 PM
@AJPujol isn't this nat rule incorrect?
nat (outside,inside-90) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
shouldn't the source be inside-90 and destination outside? As red-80 and red-90 networks are local
nat (inside-90,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
That probably explain the asymetric nat error
FYI, this rule is an NAT exemption rule.
01-21-2022 01:58 PM
Rob! Thank you so much! I can now ping the 4 hosts on network-90! Is there a way for me to ping hosts on network-80 as well ? That would be the ONLY thing left for me to be happy and make my boss happy
01-21-2022 02:02 PM
nat (inside-80,outside) source static Red-80 Red-80 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide