Twice NAT Issues

mhaskett74
Level 1

Good evening.  I'm running into an interesting issue concerning a twice NAT config.

We have a remote site that needs to connect to a server cluster on our end.  Using ASDM I have created a NAT rule that uses PAT to map our server addresses to a single IP (this is due to constraints placed on us by the remote site).  This in and of itself shouldn't be a problem.  The issue is that the VPN tunnel won't come up unless I also map an address to the remote site's server.

Example:

Appliance: ASA 5510

ASA Version: 8.4(2)

ASDM Version: 6.4(5)

Original Packet:

Source Interface: inside

Destination Interface: outside

Source Address: Server_Cluster

Destination Address: Remote_Server

Service: any

Translated Packet:

Source NAT Type: Dynamic PAT (Hide)

Source Address: Mapped_Server_Cluster_Address

Destination Address: Mapped_Remote_Server_Address

Service: -- Original --

Within the Translated Packet section, if I set Destination Address to the actual remote server address nothing happens when I attempt to bring up the tunnel.  However, if I map an address to the remote server, the tunnel begins to come up and then fails during phase two (as the mapped address doesn't match the addressing that has been defined in the remote end's connection profile).

Initially I thought the issue may be due to an IP addressing overlap since both sites are running similar numbers, but the default route statement on our ASA, should contend with this issue.  Also, each time I change the NAT rule, I change the connection profile to match those changes.

So, ultimately, what I wish to accomplish is to allow connectivity between my site and the remote site without having to map another address to their remote server.  How may I do this?

I'm quite certain that this question is clear as mud, so I would be more than happy to elaborate further on any aspect of this issue.

Thank you for your time and expertise in this matter.

2 Replies

Mohammad Alhyari
Cisco Employee

Hi,

Thanks for posting this here.

Can you please attach the ASA configuration?

Regards.

Thank you for your reply, Mohammad.  Here is a sanitized version of our ASA config:

ASA Version 8.4(2)
!
hostname ASAVPN
domain-name domain.com
enable password **************************** encrypted
passwd **************************** encrypted
names
name 192.168.22.26 Remote_Server_Ext
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 99.99.99.99 255.255.255.0
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.127.252 255.255.128.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.12.1 255.255.255.0
management-only
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 192.168.127.1
name-server 192.168.127.2
domain-name domain.com
object network obj-192.0.0.0
subnet 192.0.0.0 255.0.0.0
object network obj-192.168.125.106
host 192.168.125.106
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network Remote_Server_Actual
host 192.168.22.26
description Remote Server
object network 192.168.125.106
host 192.168.125.106
description Cluster Server 1
object network Remote_Site_Ext_NAT_Block
subnet 192.168.65.244 255.255.255.252
description Our NAT-ed Numbering for Remote_Site
object network 192.168.125.107
host 192.168.125.107
description Cluster Server 2
object network 192.168.125.108
host 192.168.125.108
description Cluster Server 3
object network 192.168.125.109
host 192.168.125.109
description Cluster Server 4
object network 192.168.125.110
host 192.168.125.110
description Cluster Server 5
object network Remote_Site_Ext_NAT
host 192.168.65.245
description Our PAT-ed Address
object network Remote_Server_NAT
host 99.99.35.143
description Our NAT-ed Address for Remote Server
object-group service Remote_Site tcp
description Cluster Server Traffic to Remote_Site
port-object eq 104
object-group network Server_Cluster
network-object object 192.168.125.106
network-object object 192.168.125.107
network-object object 192.168.125.108
network-object object 192.168.125.109
network-object object 192.168.125.110
access-list Outside_27_cryptomap extended permit tcp object Remote_Site_Ext_NAT object Remote_Server_Actual
access-list Inside_access_in extended permit ip any any
access-list Split_Tunnel_List remark Internal VPN Subnet.
access-list Internal_Network standard permit 192.0.0.0 255.0.0.0
access-list Internal_Network remark Entire internal network.
access-list Outside_access_in extended permit tcp object Remote_Server_Actual 192.168.65.244 255.255.255.252 object-group Remote_Site inactive
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (Inside,Outside) source dynamic Server_Cluster Remote_Site_Ext_NAT destination static Remote_Server_Actual Remote_Server_Actual
!
object network obj_any
nat (Inside,Outside) dynamic obj-0.0.0.0
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 99.99.99.99 1
route Inside 192.0.0.0 255.255.0.0 192.168.127.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (Inside) host 192.168.127.6
key *****
radius-common-pw *****
aaa-server LDAP-AUTHENT protocol ldap
aaa-server LDAP-AUTHENT (Inside) host 192.168.125.1
ldap-base-dn dc=domain,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=username,ou=users,dc=domain,dc=com
server-type microsoft
user-identity default-domain LOCAL
http server enable
http A-192.168.0.0 255.255.0.0 Inside
http 192.168.2.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map 27 match address Outside_27_cryptomap
crypto map Outside_map 27 set peer 99.99.37.69
crypto map Outside_map 27 set ikev1 transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto ikev1 enable Outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet A-192.168.0.0 255.255.0.0 Inside
telnet timeout 5
ssh A-192.168.0.0 255.255.0.0 Inside
ssh timeout 5
console timeout 0
vpn-addr-assign local reuse-delay 5
dhcpd dns 192.168.127.1 192.168.127.2
dhcpd domain domain.com
!
dhcpd address 192.168.2.2-192.168.2.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.127.2 source Inside prefer
webvpn
group-policy Remote_Site_Policy internal
group-policy Remote_Site_Policy attributes
vpn-tunnel-protocol ikev1
username admin password ************************************ encrypted privilege 15
tunnel-group 99.99.37.69 type ipsec-l2l
tunnel-group 99.99.37.69 general-attributes
default-group-policy Remote_Site_Policy
tunnel-group 99.99.37.69 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end
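Three things have to line up in the ASA 8.3+ twice-NAT rule described in the opening post and written out in the posted config before an IKEv1 site-to-site tunnel is even triggered: the flow must be sent toward the crypto-map interface, it must hit the `nat (Inside,Outside) source dynamic ... destination static ...` rule, and the post-NAT addresses must match the crypto ACL (`Outside_27_cryptomap`), because on 8.3+ the crypto ACL is evaluated against translated addresses. The Python below is an added example, not code from the thread or from Cisco; it models those three checks for one flow. The object values, interface subnets and routes are copied from the posted config; the function names, the `analyse` result keys and the sample flows are assumptions made for the example. Note in particular that the real remote server address (192.168.22.26) falls inside the Inside interface's own connected subnet (192.168.127.252/255.255.128.0 is 192.168.0.0/17), which the check reports as an overlap; whether the NAT rule's interface pair overrides that for egress selection depends on the ASA's twice-NAT egress rules for the running version, so treat the flag as something to confirm on the box rather than a diagnosis.

```python
# Added example (not from the original thread): a small model of the checks a
# twice-NAT rule and an IKEv1 crypto map must agree on before a tunnel is
# triggered. Object values come from the posted config; helper names and the
# sample flows are assumptions.
import ipaddress

IP = ipaddress.ip_address
NET = ipaddress.ip_network

# Connected subnets derived from the posted interface addresses/masks, and the
# two static routes from the config.
CONNECTED = {"Outside": NET("99.99.99.0/24"), "Inside": NET("192.168.0.0/17")}
STATIC_ROUTES = [("Inside", NET("192.0.0.0/16")), ("Outside", NET("0.0.0.0/0"))]

# Objects from the posted config.
SERVER_CLUSTER = {IP(f"192.168.125.{i}") for i in range(106, 111)}
REMOTE_SITE_EXT_NAT = IP("192.168.65.245")   # single PAT address (Remote_Site_Ext_NAT)
REMOTE_SERVER_ACTUAL = IP("192.168.22.26")   # Remote_Server_Actual

# nat (Inside,Outside) source dynamic Server_Cluster Remote_Site_Ext_NAT
#                      destination static Remote_Server_Actual Remote_Server_Actual
TWICE_NAT = {
    "interfaces": ("Inside", "Outside"),
    "real_src": SERVER_CLUSTER, "mapped_src": REMOTE_SITE_EXT_NAT,
    "real_dst": REMOTE_SERVER_ACTUAL, "mapped_dst": REMOTE_SERVER_ACTUAL,
}

# access-list Outside_27_cryptomap extended permit tcp object Remote_Site_Ext_NAT
#             object Remote_Server_Actual  -- matched on post-NAT addresses
CRYPTO_ACL = [("tcp", REMOTE_SITE_EXT_NAT, REMOTE_SERVER_ACTUAL)]


def route_lookup(dst):
    """Longest-prefix match over connected subnets and static routes."""
    candidates = list(CONNECTED.items()) + STATIC_ROUTES
    best = max((c for c in candidates if dst in c[1]), key=lambda c: c[1].prefixlen)
    return best[0]


def apply_twice_nat(rule, ingress, src, dst):
    """Return (mapped_src, mapped_dst, egress) if the rule matches, else None."""
    if ingress != rule["interfaces"][0]:
        return None
    if src not in rule["real_src"] or dst != rule["real_dst"]:
        return None
    return rule["mapped_src"], rule["mapped_dst"], rule["interfaces"][1]


def crypto_acl_matches(proto, src, dst):
    """Crypto ACL hit test on the translated 5-tuple (addresses only here)."""
    return any(p == proto and src == s and dst == d for p, s, d in CRYPTO_ACL)


def analyse(ingress, proto, src, dst):
    """Walk one flow through route lookup, twice NAT and the crypto ACL."""
    src, dst = IP(src), IP(dst)
    findings = {"route_egress": route_lookup(dst)}
    nat = apply_twice_nat(TWICE_NAT, ingress, src, dst)
    findings["nat_matched"] = nat is not None
    if nat is None:
        findings["crypto_acl_hit"] = False
        return findings
    t_src, t_dst, nat_egress = nat
    findings["translated"] = (str(t_src), str(t_dst))
    findings["nat_egress"] = nat_egress
    findings["crypto_acl_hit"] = crypto_acl_matches(proto, t_src, t_dst)
    # Caveat worth surfacing: the real destination sits inside a subnet the ASA
    # treats as directly connected on an interface other than the NAT egress.
    findings["overlaps_connected"] = next(
        (i for i, n in CONNECTED.items() if dst in n and i != nat_egress), None)
    return findings


if __name__ == "__main__":
    # Constructed sample flow: Cluster Server 1 talking to the remote server.
    for key, value in analyse("Inside", "tcp", "192.168.125.106", "192.168.22.26").items():
        print(f"{key:20} {value}")
```

On the appliance itself the same questions are answered by `packet-tracer input Inside tcp 192.168.125.106 1024 192.168.22.26 104 detailed` (its ROUTE-LOOKUP, NAT and VPN phases show which interface wins and whether the crypto map is consulted), `show nat detail` (hit counts on the twice-NAT rule) and `show crypto ipsec sa` / `show crypto ikev1 sa` (whether phase 1 or phase 2 was ever attempted).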