12-04-2009 01:28 PM
OK, here is my setup:
ASA 5505 - 192.168.3.1
PIX 501 - 192.168.1.1
PIX 501 - 192.168.1.2
The ASA and the first pix device (192.168.1.1) are connected via site-to-site VPN on the ASA side and the connection works great. I can access hosts in either direction from either network.
I'm attempting to add the second pix device to the ASA's site-to-site configuration, but it's not working. I suspect it's because the devices are on the same subnet, but I'm hoping to find a workaround.
When I have both PIX devices setup for site-to-site on the ASA, the VPN works only for the connection that has the highest priority. The device with the lower priority can only ping the 192.168.3.1 network, but full network connections fail.
Is it possible to do this without changing the subnet on the second PIX?
12-04-2009 04:38 PM
You should be able to implement Policy NAT on the 2nd Pix 501 to accomplish what it is you're trying to do.
Policy NAT Access List:
access-list policy-nat-acl extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
Static NAT:
static (inside,outside) 172.16.1.0 access-list policy-nat-acl
*Make sure the above static statement is above any other 1-to-1 static statements; you may have to remove and add them back to make this happen*
Modify your encryption domain on the Pix:
access-list 200 extended permit ip 172.16.1.0 255.255.255.0 192.168.3.0 255.255.255.0
Modify the encryption domain on the ASA:
access-list 200 extended permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0
There will be a one-to-one mapping for clients behind this Pix 501. If Server A behind the Pix @ 192.168.1.2 generates traffic to 192.168.3.2 behind the ASA, it will appear to that client as 172.16.1.2. Clients behind the ASA will need to use the 172.16.1.x addresses to contact clients behind that Pix 501. If you're hairpinning the VPNs on the ASA you'll use 172.16.1.0/24 in all of the no-nat ACLs and encryption domains to represent that new Pix.
Hope this helps!
James
01-21-2013 12:42 PM
Hi,
I have tried doing this on the ASA v8.4, however it doesn't seem to work. Are you able to help me translate this scenario to the new way of NAT'ing?
Ash
01-21-2013 01:27 PM
Hi Ashley,
Using the networks from the previous example, this 8.3+ configuration should work for you:
object-group network LOCAL_NETWORK
network-object 192.168.1.0 255.255.255.0
object-group network REMOTE_NETWORK
network-object 192.168.3.0 255.255.255.0
object-group network NAT_NETWORK
network-object 172.16.1.0 255.255.255.0
static (inside,outside) source static LOCAL_NETWORK NAT_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
In the example above, there are actually two NAT's occurring - a source NAT and a destination NAT. We are simply performing an identity NAT on the destination (REMOTE_NETWORK), since that doesn't need to change.
8.3+ offers more flexibility with NAT, to the point where you could even perform source/destination NAT in the same statement within a hub-and-spoke VPN configuration.
Hope that helps. Let me know if you have any other questions.
James
01-22-2013 02:01 AM
01-22-2013 02:14 AM
You mean the same segment on a public site? On interfaces facing ASA?
If you have separate tunnel groups for each pix on the ASA properly configured, I don't think it matters whether they (pixes) are on one subnet or different.
01-22-2013 05:23 AM
Hi Ashley,
In the example I posted, your encryption domain would need to look like this on the local 8.4 firewall performing Policy NAT:
access-list LOCAL_ENC_DOMAIN extended permit ip object-group NAT_NETWORK object-group REMOTE_NETWORK
or written out:
access-list LOCAL_ENC_DOMAIN extended permit ip 172.16.1.0 255.255.255.0 192.168.3.0 255.255.255.0
The *remote* side would use the NAT'd network in its encryption domain as well:
access-list REMOTE_ENC_DOMAIN extended permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0
If you post your configs I'd be happy to take a look.
James
01-23-2013 12:10 PM
Configs attached. From what I can see in your example above, I have done the ACLs wrong.
01-23-2013 12:12 PM
Hi Ashley - I'm unable to see the attached configs. You're welcome to copy/paste as well.
James
01-23-2013 12:16 PM
Site1:
ASA Version 8.4(2)
!
hostname site1-fw1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network INTERNAL
subnet 192.168.1.0 255.255.255.0
object network VPN-NAT
subnet 192.168.101.0 255.255.255.0
object network REMOTE-SITE
subnet 192.168.102.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list STATIC-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list CRYPTO_ACL extended permit ip object INTERNAL object REMOTE-SITE
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static INTERNAL VPN-NAT destination static REMOTE-SITE REMOTE-SITE
!
object network INTERNAL
nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
sysopt noproxyarp inside
crypto ipsec ikev1 transform-set ESP_AES esp-aes esp-sha-hmac
crypto map VPNMAP 1 match address CRYPTO_ACL
crypto map VPNMAP 1 set pfs group5
crypto map VPNMAP 1 set peer x.x.x.x
crypto map VPNMAP 1 set ikev1 transform-set ESP_AES
crypto map VPNMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
01-23-2013 12:16 PM
Site2:
ASA Version 8.4(2)
!
hostname site2-fw1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network INTERNAL
subnet 192.168.1.0 255.255.255.0
object network VPN-NAT
subnet 192.168.102.0 255.255.255.0
object network REMOTE-SITE
subnet 192.168.101.0 255.255.255.0
access-list CRYPTO_ACL extended permit ip object INTERNAL object REMOTE-SITE
access-list OUTSIDE_IN extended permit icmp any any echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static INTERNAL VPN-NAT destination static REMOTE-SITE REMOTE-SITE
!
object network INTERNAL
nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
crypto ipsec ikev1 transform-set ESP_AES esp-aes esp-sha-hmac
crypto map VPNMAP 1 match address CRYPTO_ACL
crypto map VPNMAP 1 set pfs group5
crypto map VPNMAP 1 set peer 81.137.191.105
crypto map VPNMAP 1 set ikev1 transform-set ESP_AES
crypto map VPNMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
01-23-2013 12:16 PM
Thanks for helping out
01-23-2013 12:26 PM
Hi Ashley -
Your NAT config looks OK at a quick glance. I incorrectly used the 'static' keyword in my example, but you corrected it by using 'nat' instead.
The problem you're likely experiencing is that your encryption domains are now wrong. The NAT will happen prior to the crypto match, so you'll want to edit the following ACLs:
FW1/FW2:
-before-
access-list CRYPTO_ACL extended permit ip object INTERNAL object REMOTE-SITE
-after-
access-list CRYPTO_ACL extended permit ip object VPN-NAT object REMOTE-SITE
Give that a shot and let me know if you continue to have problems.
James
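The point James makes above (and in his earlier 8.3+ example) is that on ASA 8.3+ the twice-NAT translation is applied before the crypto map is consulted, so a crypto ACL written against the real (pre-NAT) object never matches. The following added checker is not from the thread or from Cisco; it parses a constructed config fragment modelled on Ashley's Site1 "before" state and flags crypto ACL entries whose source is the real side of a manual NAT rule.

```python
import re
from ipaddress import ip_network

# Constructed fragment modelled on the thread's Site1 "before" state (not the full posted config).
CONFIG_BEFORE = """\
object network INTERNAL
 subnet 192.168.1.0 255.255.255.0
object network VPN-NAT
 subnet 192.168.101.0 255.255.255.0
object network REMOTE-SITE
 subnet 192.168.102.0 255.255.255.0
nat (inside,outside) source static INTERNAL VPN-NAT destination static REMOTE-SITE REMOTE-SITE
access-list CRYPTO_ACL extended permit ip object INTERNAL object REMOTE-SITE
crypto map VPNMAP 1 match address CRYPTO_ACL
"""
# The corrected state: encryption domain references the mapped (post-NAT) object.
CONFIG_AFTER = CONFIG_BEFORE.replace("permit ip object INTERNAL", "permit ip object VPN-NAT")

OBJ_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip object (\S+) object (\S+)")
MAP_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")

def parse(cfg):
    """Collect network objects, manual (twice) NAT rules, object-based ACEs and crypto ACL names."""
    objs, nats, acls, crypto_acls, cur = {}, [], {}, set(), None
    for line in cfg.splitlines():
        if m := OBJ_RE.match(line): cur = m[1]
        elif (m := SUBNET_RE.match(line)) and cur: objs[cur] = ip_network(f"{m[1]}/{m[2]}")
        elif m := NAT_RE.match(line): nats.append(m.groups())       # real_src, mapped_src, real_dst, mapped_dst
        elif m := ACL_RE.match(line): acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := MAP_RE.match(line): crypto_acls.add(m[1])
    return objs, nats, acls, crypto_acls

def check_encryption_domain(cfg):
    """Return findings for crypto ACEs whose source is the real side of a twice-NAT rule.
    ASA 8.3+ translates first, so such an ACE never sees the post-NAT packet."""
    objs, nats, acls, crypto_acls = parse(cfg)
    findings = []
    for name in crypto_acls:
        for src, dst in acls.get(name, []):
            for real_src, mapped_src, real_dst, _ in nats:
                if src == real_src and dst == real_dst and mapped_src != real_src:
                    findings.append(f"{name}: source {src} ({objs[src]}) is translated to "
                                    f"{mapped_src} ({objs[mapped_src]}) before crypto match; use {mapped_src}")
    return findings
```

Running it against CONFIG_BEFORE reports the CRYPTO_ACL entry that should reference VPN-NAT, and CONFIG_AFTER yields no findings.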
01-23-2013 12:27 PM
BTW - Your attachments *did* show up, but against an earlier post, so I didn't see them! Thanks for the copy/paste.
01-23-2013 12:28 PM
Yep, tried that and still not getting the tunnels up.
NAT output and ISAKMP status below:
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static INTERNAL VPN-NAT destination static REMOTE-SITE REMOTE-SITE
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic INTERNAL interface
translate_hits = 0, untranslate_hits = 0
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: x.x.x.x
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2