07-01-2011 01:30 AM
Greetings!
Dear colleagues, please help me make a correct crypto map configuration. I need to set up an L2L IPsec tunnel on a Cisco ASA, but I don't know how to specify the interesting traffic.
Site A has IP address 172.24.4.4
Site B has IP address 10.0.129.184
To access Site A from Site B through the tunnel, 172.24.4.4 should be NATed to 172.18.9.23 on Site A.
This is my configuration on ASA 8.4:
object network Real_SiteA_Source
host 172.24.4.4
object network Mapped_SiteA_Source
host 172.18.9.23
object network Real_SiteB_Destination
host 10.0.129.184
nat (INSIDE,OUTSIDE) source static Real_SiteA_Source Mapped_SiteA_Source destination static Real_SiteB_Destination Real_SiteB_Destination
access-list TUNNEL_VPN extended permit ip object Mapped_SiteA_Source object Real_SiteB_Destination
crypto map Cl_map_out 150 match address TUNNEL_VPN
crypto map Cl_map_out 150 set pfs
crypto map Cl_map_out 150 set peer XXX.XXX.XXX.XXX
crypto map Cl_map_out 150 set ikev1 transform-set ESP-AES-SHA
crypto map Cl_map_out 150 set security-association lifetime seconds 3600
access-list Inside extended permit tcp object Real_SiteA_Source eq http object Real_SiteB_Destination
Am I correct? What should I specify in the TUNNEL_VPN access-list as interesting traffic? Is the interface (Inside) access list correct? Is the NAT statement correct?
Thank you very much!
07-08-2011 02:51 AM
The NAT as well as the VPN crypto ACL is correct.
The inside ACL should be as follows:
access-list Inside extended permit tcp object Real_SiteA_Source object Real_SiteB_Destination eq http
"eq http" should be the destination port, not the source port.
07-01-2011 06:27 AM
You also need a no-NAT ACL to stop this specific traffic from being re-NATed as it leaves the outside interface. The lines below should get you thinking in the direction you need to go:
access-list AtoB extended permit ip host 172.24.4.4 host 10.0.129.184
access-list AtoB_VPN extended permit ip host 172.18.9.23 host 10.0.129.184
access-list no-nat extended permit ip host 172.18.9.23 host 10.0.129.184
nat (inside) 0 access-list no-nat
static (inside,outside) 172.18.9.23 access-list AtoB
crypto map Cl_map_out 150 match address AtoB_VPN
07-08-2011 01:09 AM
Does anyone have working 8.4 configs for this kind of case?
Thank you!
07-08-2011 03:18 AM
Jennifer, thank you, I missed that in the input ACL. Please look at the capture output. It seems the problem is in the VPN. How can I troubleshoot it? The crypto isakmp SA is empty for that peer.
# sh capture XXX trace
2 packets captured
1: 14:11:44.837893 172.24.4.4.4540 > 10.0.129.184.21: S 4089479741:4089479741(0) win 65535
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside in interface INSIDE
access-list Inside extended permit tcp object Real_SiteA_Source object Real_SiteB_Destination eq http
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
service-policy global_policy global
Additional Information:
Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static Real_SiteA_Source Mapped_SiteA_Source destination static Real_SiteB_Destination Real_SiteB_Destination
Additional Information:
Static translate 172.24.4.4/4540 to 172.18.9.23/4540
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
07-08-2011 05:17 AM
Please kindly check if the VPN tunnel itself is UP or not.
Please share the output of:
show cry isa sa
show cry ipsec sa
Please also check if the crypto ACL is mirror image ACL on the other side, and they have also created the correct NAT/NAT exemption.
If the "show" output above is empty, then please run the following debug when trying to send traffic across the VPN tunnel:
debug cry isa
debug cry ipsec
07-08-2011 05:19 AM
Also, I didn't see the following, but I assume that you have applied it to the outside interface:
crypto map Cl_map_out interface OUTSIDE
07-08-2011 05:44 AM
Jennifer Halim wrote:
Also, I didn't see the following but i assume that you have applied it to the outside interface:
crypto map Cl_map_out interface OUTSIDE
Your assumption is correct, dear Jennifer. The SA is not formed, so
debug crypto ikev1 shows the following:
......
Jul 08 16:29:46 [IKEv1 DECODE]Group = X.X.X.X, IP = X.X.X.X, IKE Initiator sending 1st QM pkt: msg id = 0648f216
Jul 08 16:29:46 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=648f216) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 328
Jul 08 16:29:46 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=a9aaa474) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 08 16:29:46 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing hash payload
Jul 08 16:29:46 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing notify payload
Jul 08 16:29:46 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Received non-routine Notify message: No proposal chosen (14)
Jul 08 16:29:46 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=5797f377) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jul 08 16:29:46 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing hash payload
Jul 08 16:29:46 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing delete
Jul 08 16:29:46 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Connection terminated for peer X.X.X.X. Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
07-10-2011 05:34 AM
You might want to check the configuration on the remote VPN peer. It seems that the crypto ACL might not be a mirror image, which is why it's not forming any SA.
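The two points that settle this thread, that the inside ACL is evaluated on real (pre-NAT) addresses with "eq http" after the destination while the crypto ACL is evaluated after NAT and so must name the mapped address, and that the peer's crypto ACL has to be the mirror image or IKE phase 2 ends in "No proposal chosen", can be checked offline with a small model of the ASA 8.3+ packet path. The Python below is an added example written for this page; it is not Cisco software or the poster's configuration. It reuses the thread's object names and addresses, but the ACE parser (host/object endpoints and "eq" only), the PORT_NAMES table, the packet on port 4540/80 and the sample Site B ACLs are constructed assumptions.

```python
"""Model of the ASA 8.3+ packet path: ACCESS-LIST -> NAT -> VPN encrypt.

Added example, not Cisco code. It shows why the inside ACL needs 'eq http'
on the destination, why the crypto ACL must use the mapped 172.18.9.23,
and which local ACEs the peer cannot mirror (a phase-2 proxy-ID mismatch).
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple, Union

PORT_NAMES = {"http": 80, "ftp": 21}   # assumption: only the names the thread uses


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One 'permit' entry; a port of None means any port."""
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class TwiceNat:
    """'nat (in,out) source static R M destination static D D' (8.3+ syntax)."""
    real_src: str
    mapped_src: str
    real_dst: str
    mapped_dst: str


def parse_ace(line: str, objects: dict) -> Ace:
    """Parse 'access-list NAME extended permit PROTO SRC [eq P] DST [eq P]'.
    Endpoints are 'host A.B.C.D' or 'object NAME' (resolved through objects).
    Assumption: only these forms are handled, enough for the thread's ACLs."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2:4] != ["extended", "permit"]:
        raise ValueError(f"unsupported ACE: {line}")
    pos = 5

    def endpoint() -> str:
        nonlocal pos
        kind, value = tok[pos], tok[pos + 1]
        pos += 2
        return objects[value] if kind == "object" else value

    def port() -> Optional[int]:
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            name = tok[pos + 1]
            pos += 2
            return int(name) if name.isdigit() else PORT_NAMES[name]
        return None

    src, sport = endpoint(), port()   # an 'eq' here is a SOURCE port
    dst, dport = endpoint(), port()   # an 'eq' here is a DESTINATION port
    return Ace(tok[4], src, sport, dst, dport)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ace.src == pkt.src and ace.dst == pkt.dst
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))


def apply_nat(rules: List[TwiceNat], pkt: Packet) -> Packet:
    """First matching twice-NAT rule wins; unmatched packets pass untranslated."""
    for r in rules:
        if pkt.src == r.real_src and pkt.dst == r.real_dst:
            return replace(pkt, src=r.mapped_src, dst=r.mapped_dst)
    return pkt


def trace(pkt: Packet, inside_acl: List[Ace], nat_rules: List[TwiceNat],
          crypto_acl: List[Ace]) -> Tuple[str, Union[str, Packet]]:
    """Return ('DROP', phase) or ('ENCRYPT', translated packet), in the order
    packet-tracer showed: interface ACL on real IPs, then NAT, then crypto ACL."""
    if not any(ace_matches(a, pkt) for a in inside_acl):
        return ("DROP", "ACCESS-LIST")
    pkt = apply_nat(nat_rules, pkt)
    if not any(ace_matches(a, pkt) for a in crypto_acl):
        return ("DROP", "VPN encrypt")
    return ("ENCRYPT", pkt)


def mirror(ace: Ace) -> Ace:
    return Ace(ace.proto, ace.dst, ace.dport, ace.src, ace.sport)


def unmirrored(local_crypto: List[Ace], remote_crypto: List[Ace]) -> List[Ace]:
    """Local crypto ACEs the peer does not mirror; each is a proxy-ID mismatch
    that the responder answers with 'No proposal chosen' in phase 2."""
    remote = set(remote_crypto)
    return [a for a in local_crypto if mirror(a) not in remote]


# The thread's objects, NAT rule and ACLs; the packet is constructed (port 4540 -> 80).
OBJECTS = {"Real_SiteA_Source": "172.24.4.4", "Mapped_SiteA_Source": "172.18.9.23",
           "Real_SiteB_Destination": "10.0.129.184"}
NAT_RULES = [TwiceNat("172.24.4.4", "172.18.9.23", "10.0.129.184", "10.0.129.184")]
CRYPTO_ACL = [parse_ace("access-list TUNNEL_VPN extended permit ip "
                        "object Mapped_SiteA_Source object Real_SiteB_Destination", OBJECTS)]
INSIDE_WRONG = [parse_ace("access-list Inside extended permit tcp "
                          "object Real_SiteA_Source eq http object Real_SiteB_Destination", OBJECTS)]
INSIDE_FIXED = [parse_ace("access-list Inside extended permit tcp "
                          "object Real_SiteA_Source object Real_SiteB_Destination eq http", OBJECTS)]
WEB = Packet("tcp", "172.24.4.4", 4540, "10.0.129.184", 80)

if __name__ == "__main__":
    print(trace(WEB, INSIDE_WRONG, NAT_RULES, CRYPTO_ACL))   # dropped at ACCESS-LIST
    print(trace(WEB, INSIDE_FIXED, NAT_RULES, CRYPTO_ACL))   # encrypted as 172.18.9.23 -> 10.0.129.184
    peer_bad = [parse_ace("access-list SiteB extended permit ip host 10.0.129.184 host 172.24.4.4", {})]
    print(unmirrored(CRYPTO_ACL, peer_bad))                  # Site B wrote the real, not mapped, address
```

Running the block shows the original "eq http" placement rejecting the web packet at the interface ACL because 4540 is not the source port, the corrected entry letting it through to NAT and then the crypto ACL, and a Site B ACL that names 172.24.4.4 instead of 172.18.9.23 flagged as the unmirrored entry, which is the remote-side mistake to look for when debug crypto ikev1 reports "No proposal chosen".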