Solved: Twice NAT across Site to Site tunnel with same private networks.

Mike Bowers · ‎03-31-2013

Hello,

I'm currently trying to configure a Site to Site tunnel between an IOS Router and an ASA 5505 running 9.1

When the private subnet of the IOS Router was 10.0.0.0/24 and the private subnet of the ASA was 172.16.1.0/24, it connected fine.

I'm now trying to set it up where both private networks are 10.0.0.0/24, and created network objects, edited the ACL for interesting traffic, and created the twice NAT translation rule, but the tunnels aren't coming up. I was hoping someone could shed some light on where I'm going wrong.

There is the IOS Router(R1) and the ASA(F2). In between them is one Internet posing router that is just set up to allow both sides to reach their WAN addresses.

R1 and F2 have private network (10.0.0.0/24) and need to communicate. Twice NAT can be done all on the ASA to allow this, but I must be doing something wrong. The way I understand it, is that the R1 should see the traffic coming from 10.51.0.0/24 and sending to that traffic. The ASA will take that traffic, and the inside network should see it come inbound as 10.50.0.0/24. So the F2 private network communicates with 10.50.0.0/24 and R1 private network sends traffic to 10.51.0.0/24.

I turned on "Debug crypto ipsec" and "debug crypto isakmp" but no output is showing up or giving any hint that it is trying to establish anything.

Any help would be greatly appreciated! Thanks!

R1#show run

version 12.4

hostname R1

crypto isakmp policy 50
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 10.2.0.254

crypto ipsec transform-set L2L_SET esp-3des esp-sha-hmac

crypto map CRYPTO 50 ipsec-isakmp
set peer 10.2.0.254
set transform-set L2L_SET
match address CRYPTO

interface FastEthernet0/0
ip address 10.0.0.253 255.255.255.0
ip nat inside
ip virtual-reassembly
ip ospf authentication message-digest
ip ospf authentication-key cisco
duplex auto
speed auto

interface FastEthernet0/1
ip address 10.1.0.254 255.255.255.0
ip nat outside
ip virtual-reassembly
ip ospf authentication message-digest
ip ospf authentication-key cisco
duplex auto
speed auto
crypto map CRYPTO

ip classless
ip route 0.0.0.0 0.0.0.0 10.1.0.253
ip route 10.2.0.0 255.255.255.0 10.1.0.253
!
!
ip http server
no ip http secure-server
ip nat inside source list NONAT interface FastEthernet0/1 overload
!
ip access-list extended CRYPTO
permit ip 10.0.0.0 0.0.0.255 10.51.0.0 0.0.0.255
ip access-list extended NONAT
deny ip 10.0.0.0 0.0.0.255 10.51.0.0 0.0.0.255
permit ip any any

=========================================================================

F2# show run
: Saved
:
ASA Version 9.1(1)
!
hostname F2
enable password 3a57ZsZ4Kgc.ZsL0 encrypted
passwd 3a57ZsZ4Kgc.ZsL0 encrypted
names

interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.2.0.254 255.255.255.0

object network PRIVATE
subnet 10.0.0.0 255.255.255.0

object network PARTNER_PRIVATE
subnet 10.0.0.0 255.255.255.0
object network PARTNER_VPN_INBOUND
subnet 10.50.0.0 255.255.255.0
object network PARTNER_VPN_OUTBOUND
subnet 10.51.0.0 255.255.255.0

access-list OUTSIDE_IN extended permit ip any any
access-list CRYPTO extended permit ip 10.0.0.0 255.255.255.0 10.50.0.0 255.255.255.0

nat (inside,outside) source static PRIVATE PARTNER_VPN_OUTBOUND destination static PARTNER_PRIVATE PARTNER_VPN_INBOUND
!
object network PRIVATE
nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.2.0.253 1
route outside 10.1.0.0 255.255.255.0 10.2.0.253 1
aaa authentication ssh console LOCAL

crypto ipsec ikev1 transform-set L2L_SET esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map L2L_MAP 50 match address CRYPTO
crypto map L2L_MAP 50 set peer 10.1.0.254
crypto map L2L_MAP 50 set ikev1 transform-set L2L_SET
crypto map L2L_MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group 10.1.0.254 type ipsec-l2l
tunnel-group 10.1.0.254 ipsec-attributes
ikev1 pre-shared-key *****

Andrew Phirsov · ‎03-31-2013

object network PRIVATE
subnet 10.0.0.0 255.255.255.0
object network PARTNER_PRIVATE
subnet 10.0.0.0 255.255.255.0
object network PARTNER_VPN_INBOUND
subnet 10.50.0.0 255.255.255.0
object network PARTNER_VPN_OUTBOUND
subnet 10.51.0.0 255.255.255.0
access-list OUTSIDE_IN extended permit ip any any
access-list CRYPTO extended permit ip 10.0.0.0 255.255.255.0 10.50.0.0 255.255.255.0
nat (inside,outside) source static PRIVATE PARTNER_VPN_OUTBOUND destination static PARTNER_PRIVATE PARTNER_VPN_INBOUND

Here in nat rule u use PARTNER_PRIVATE subnet, wich is the same as local one, so devices never send this traffic to the ASA, cause they know, that this subnet (10.0.0.0/24) is in their local subnet. So you should write the nat rule this way (i.e. change places of destiation objects):

nat (inside,outside) source static PRIVATE PARTNER_VPN_OUTBOUND destination 
static  PARTNER_VPN_INBOUND PARTNER_PRIVATE

So hosts from subnet behind ASA will see host from subnet behind the ISR as 10.50.0.0/24, and when trying to reach subnet behind ISR you shold use addresses 10.50.0.x wich one-to-one correspond to 10.0.0.x there.

Plus, your proxy-acl on asa should use post-nat addresses, i.e. should look like this:

access-list CRYPTO extended permit ip 10.51.0.0 255.255.255.0 10.0.0.0 255.255.255.0

View solution in original post

Andrew Phirsov · ‎03-31-2013

object network PRIVATE
subnet 10.0.0.0 255.255.255.0
object network PARTNER_PRIVATE
subnet 10.0.0.0 255.255.255.0
object network PARTNER_VPN_INBOUND
subnet 10.50.0.0 255.255.255.0
object network PARTNER_VPN_OUTBOUND
subnet 10.51.0.0 255.255.255.0
access-list OUTSIDE_IN extended permit ip any any
access-list CRYPTO extended permit ip 10.0.0.0 255.255.255.0 10.50.0.0 255.255.255.0
nat (inside,outside) source static PRIVATE PARTNER_VPN_OUTBOUND destination static PARTNER_PRIVATE PARTNER_VPN_INBOUND

Here in nat rule u use PARTNER_PRIVATE subnet, wich is the same as local one, so devices never send this traffic to the ASA, cause they know, that this subnet (10.0.0.0/24) is in their local subnet. So you should write the nat rule this way (i.e. change places of destiation objects):

nat (inside,outside) source static PRIVATE PARTNER_VPN_OUTBOUND destination 
static  PARTNER_VPN_INBOUND PARTNER_PRIVATE

So hosts from subnet behind ASA will see host from subnet behind the ISR as 10.50.0.0/24, and when trying to reach subnet behind ISR you shold use addresses 10.50.0.x wich one-to-one correspond to 10.0.0.x there.

Plus, your proxy-acl on asa should use post-nat addresses, i.e. should look like this:

access-list CRYPTO extended permit ip 10.51.0.0 255.255.255.0 10.0.0.0 255.255.255.0

Mike Bowers · ‎03-31-2013

Thanks a lot Andrew, you nailed it. I appreciate the help on that one.

However, now that I know how to get it working, I'm a little more confused about something else.

The example I was working from was in the Cisco Firewall 642-618 Official Cert Guide, which shows the following configuration to set up TWICE NAT:

object network PARTNER-VPN-NAT-INBOUND

subnet 192.168.20.0 255.255.255.0

object network PARTNER-VPN-NAT-OUTBOUND

subnet 192.168.10.0 255.255.255.0

object network PARTNER-VPN-SEGMENT

subnet 10.0.0.0 255.255.255.0

object network INSIDE-SEGMENT

subnet 10.0.0.0 255.255.255.0

nat (inside,outside) source static INSIDE-SEGMENT PARTNER-VPN-NAT-OUTBOUND destination static PARTNER-VPN-SEGMENT PARTNER-VPN-NAT-INBOUND

----------------------------------------------------

The book has the INSIDE-SEGMENT (10.0.0.0/24) source and destination source PARTNER-VPN-SEGMENT(10.0.0.0/24). I didn't understand this configuration example but I tried to copy and apply it as best as I could because it didn't make sense to me.

Now, according to your adjustments to what I had set up which got it working, this configuration in the book is wrong, right?

Shouldn't the book example have to switch the destination PARTNER-VPN-NAT-INBOUND(192.168.20.0) and PARTNER-VPN-SEGMENT(10.0.0.0/24) to get it working as well?

So, we would make the NAT look like:

nat (inside,outside) source static INSIDE-SEGMENT PARTNER-VPN-NAT-OUTBOUND destination static PARTNER-VPN-NAT-INBOUND PARTNER-VPN-SEGMENT

It's on page 373 of the Official FIREWALL Cert Guide for 8.3+ NAT. I'm wondering if the Official Guide fudged up the configuration now.

Andrew Phirsov · ‎03-31-2013

Even if you got it from the guide, it doesn't make sense) Most probably it's just a misprint, and it happens sometimes. When preparing for ccnp sec i saw couple of those regarding to dmvpn config (where configuring dmvpn phase two the were using p2p gre tunnels instead of multipoint type), or sslvpn on the ISR (don't remember what exactly that was).

So don't pay much attention to this. If you've got it working the other way, find a logic in what you did and go with that)