651 Views | 5 Helpful | 2 Replies

Source PAT and L2L set up

Hi, I'm trying to set up a site-to-site VPN from a source subnet (/24) that is translated (PAT) to a single public IP, so the local subnet can reach the destination subnet.

 

Site B is not using PAT; instead, they are using static NAT.

The tunnel is up when I generate traffic from the source LAN, but I cannot ping the other site.

Could you please help me identify what could be the culprit? Surely I'm missing something in my access list or NAT statement on the other end.

I'm going to put the config of the objects and access lists only, because the tunnel is up, so the rest is irrelevant I think.

 

SITE A config from ASA:

object-group network PRIVATE-NETWORK
 description Local Networks
 network-object 192.168.10.0 255.255.255.0
exit
!
object network VPN-PAT
 host 203.0.113.30
exit
!
object-group network DESTINATION-NETWORK
 description Destination NETWORKS
 network-object 192.168.20.0 255.255.255.0
exit
!
nat (INSIDE,OUTSIDE) source dynamic PRIVATE-NETWORK VPN-PAT destination static DESTINATION-NETWORK DESTINATION-NETWORK

 

CRYPTO ACL ON ASA1:

access-list crypto-acl-lan1 extended permit ip object VPN-PAT object-group DESTINATION-NETWORK

ACCESS-LIST ON ASA1:

access-list INSIDE_access_in_1 line 1 extended permit ip object-group PRIVATE-NETWORK object-group DESTINATION-NETWORK

 

============================================

SITE B:

object-group network LOCAL-DATA
 description DATA Networks
 network-object 192.168.20.0 255.255.255.0
exit
!
object network REMOTE-PUBLIC-PAT-IP
 host 203.0.113.30
exit
!
object-group network DESTINATION_NETWORK
 description Destination NETWORKS
 network-object 192.168.10.0 255.255.255.0
exit
!
nat (INSIDE,OUTSIDE) source static LOCAL-DATA LOCAL-DATA destination static DESTINATION_NETWORK REMOTE-PUBLIC-PAT-IP

 

CRYPTO ACL ON SITE B:

access-list crypto-acl-lan extended permit ip object-group LOCAL-DATA object REMOTE-PUBLIC-PAT-IP

ACCESS-LIST ON SITE B:

access-list INSIDE_access_in_1 line 1 extended permit ip object-group LOCAL-DATA object-group DESTINATION_NETWORK

===============================================================

TUNNEL IS UP AS YOU CAN SEE on site A; the same is true on site B:

ASA1# show crypto isakmp sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

There are no IKEv2 SAs
ASA1#

 

show crypto ipsec sa on site A as well as site B:

SITE A:

#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

SITE B:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3

DEBUG ICMP ON ASA1:

ICMP echo request translating INSIDE:192.168.20 to OUTSIDE:203.0.113.30
ICMP echo request from INSIDE:192.168.10.20 to OUTSIDE:10.238.45.160 ID=1 seq=6 len=32
ICMP echo request translating INSIDE:192.168.10.20 to OUTSIDE:203.0.113.30
ICMP echo request from INSIDE:192.168.10.20 to OUTSIDE:10.238.45.160 ID=1 seq=7 len=32
ICMP echo request translating INSIDE:192.168.10.20 to OUTSIDE:203.0.113.30
ICMP echo request from INSIDE:192.168.10.20 to OUTSIDE:10.238.45.160 ID=1 seq=8 len=32
ICMP echo request translating INSIDE:192.168.10.20 to OUTSIDE:203.0.113.30

 

PACKET-TRACER INPUT ON ASA1, SITE A:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

PACKET-TRACER INPUT ON SITE B:

Result:
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

ASA2#

 

Could you please help me understand what is happening, and whether I'm missing something in the access list or NAT on site B?

What would be the correct statement/command?

Regards,

1 Accepted Solution

Hi,
If you are natting from Site A to Site B then the configuration on Site B's ACL and NAT rule should be to the NATTED IP address of Site A, not the real IP address as you've defined in the DESTINATION_NETWORK object. Site B is receiving traffic from REMOTE-PUBLIC-PAT-IP object IP address, so reference that object instead.

HTH

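To make the accepted answer concrete, here is an added worked example (not code from the thread, and not an ASA feature): a small Python model of the packet walk for one ping, using the objects from the posted configs. It applies Site A's dynamic PAT, checks the crypto ACLs are mirror images, and then checks whether the reply from a Site B host (which is addressed to 203.0.113.30, the only source address Site B ever sees) is permitted by Site B's inside ACL and matched by Site B's identity NAT rule. The host addresses 192.168.10.20 and 192.168.20.5 are constructed samples; the model deliberately ignores ICMP inspection state, NAT rule ordering and the IKE/IPsec exchange, so it shows only the address-matching logic the answer describes.

```python
"""Added model of the Site A (PAT) / Site B (static NAT) question above.

Constructed assumptions: sample hosts 192.168.10.20 (site A) and
192.168.20.5 (site B); ACLs are lists of (src_net, dst_net) permit
entries with an implicit deny; twice-NAT rules are reduced to
"real source" and "mapped destination" match criteria.
"""
from ipaddress import ip_address, ip_network

# Objects as defined in the posted configs
PRIVATE_NETWORK = ip_network("192.168.10.0/24")        # site A real LAN
VPN_PAT = ip_network("203.0.113.30/32")                # site A PAT address
LOCAL_DATA = ip_network("192.168.20.0/24")             # site B LAN
DESTINATION_NETWORK_B = ip_network("192.168.10.0/24")  # site B's object for site A's REAL addresses
REMOTE_PUBLIC_PAT_IP = ip_network("203.0.113.30/32")   # site B's object for site A's PAT address


def pat_source(src, real_net, mapped_net):
    """Dynamic PAT: every source inside real_net leaves as the single mapped address."""
    src = ip_address(src)
    return mapped_net.network_address if src in real_net else src


def acl_permits(acl, src, dst):
    """First matching permit entry wins; no match means the implicit deny."""
    src, dst = ip_address(src), ip_address(dst)
    return any(src in s and dst in d for s, d in acl)


def crypto_acls_mirror(acl_a, acl_b):
    """Interesting-traffic ACLs must be exact mirror images for phase 2 to agree."""
    return {(s, d) for s, d in acl_a} == {(d, s) for s, d in acl_b}


def twice_nat_matches(rule, src, dst):
    """A twice-NAT rule is selected on the real source and the MAPPED destination,
    i.e. the address the local hosts actually send to."""
    return ip_address(src) in rule["src_real"] and ip_address(dst) in rule["dst_mapped"]


# Crypto ACLs exactly as posted: both already reference the PAT address
SITE_A_CRYPTO_ACL = [(VPN_PAT, LOCAL_DATA)]
SITE_B_CRYPTO_ACL = [(LOCAL_DATA, REMOTE_PUBLIC_PAT_IP)]

# Site B inside ACL and NAT as posted (destination = site A's real subnet)
SITE_B_INSIDE_ACL_ORIGINAL = [(LOCAL_DATA, DESTINATION_NETWORK_B)]
SITE_B_NAT_ORIGINAL = {"src_real": LOCAL_DATA, "dst_mapped": DESTINATION_NETWORK_B}

# Site B inside ACL and NAT after the accepted answer (destination = site A's PAT address)
SITE_B_INSIDE_ACL_FIXED = [(LOCAL_DATA, REMOTE_PUBLIC_PAT_IP)]
SITE_B_NAT_FIXED = {"src_real": LOCAL_DATA, "dst_mapped": REMOTE_PUBLIC_PAT_IP}


def packet_walk(site_b_inside_acl, site_b_nat, client="192.168.10.20", server="192.168.20.5"):
    """Walk one echo request from a site A host to a site B host and the echo reply.
    Returns the verdict of each step so the two Site B configs can be compared."""
    # Forward: site A PATs the client, then matches the crypto ACL on the translated source
    fwd_src = str(pat_source(client, PRIVATE_NETWORK, VPN_PAT))
    fwd_encrypted = acl_permits(SITE_A_CRYPTO_ACL, fwd_src, server)
    # Reply: the site B host answers the address it saw, the PAT address, never 192.168.10.x
    reply_dst = fwd_src
    return {
        "forward_source_after_pat": fwd_src,
        "forward_encrypted_by_site_a": fwd_encrypted,
        "reply_permitted_by_site_b_inside_acl": acl_permits(site_b_inside_acl, server, reply_dst),
        "reply_matches_site_b_nat_rule": twice_nat_matches(site_b_nat, server, reply_dst),
        "reply_encrypted_by_site_b": acl_permits(SITE_B_CRYPTO_ACL, server, reply_dst),
    }


if __name__ == "__main__":
    print("crypto ACLs mirror:", crypto_acls_mirror(SITE_A_CRYPTO_ACL, SITE_B_CRYPTO_ACL))
    for label, acl, nat in (("original", SITE_B_INSIDE_ACL_ORIGINAL, SITE_B_NAT_ORIGINAL),
                            ("fixed", SITE_B_INSIDE_ACL_FIXED, SITE_B_NAT_FIXED)):
        print(label, packet_walk(acl, nat))
```

Running it shows the asymmetry the counters in the question already hint at (encaps on A, decaps but no encaps on B): the crypto ACLs mirror correctly and the request is encrypted by Site A, but with the original Site B objects the reply to 203.0.113.30 matches neither the inside ACL nor the NAT rule, because both name 192.168.10.0/24, an address that never appears on the wire. Swapping DESTINATION_NETWORK for REMOTE-PUBLIC-PAT-IP in those two statements, as the answer says, makes every step of the reply path match.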

2 Replies


thank you thank you thank you :)

it worked
