VPN between 2 ASA's

jkay18041
Level 3

I'm trying to create an IPsec site-to-site VPN between two 5515-X units. Both have a public IP and have a LAN side configured as well.

My problem is on one of the ASAs I have two LAN subnets configured, and the subnet I want to put over the VPN is translated to a different public IP than the one assigned to the Outside interface.

The question is, when setting up the VPN and it asks for the peer address, do I put the address I translate that subnet to, or do I put the address of the Outside interface? Anything else I need to be aware of when doing this?

Thank you


Hi,
When you set up the VPNs you will peer to the remote ASA using the IP address of the ASA's outside interface, not the NAT IP address.

In the ACL used to define interesting traffic your source would be the NAT IP address, not the real IP address(es). You would obviously also need a NAT rule to translate the original source to the translated source.

HTH

Here is my config on the ASA that has the 2 lan subnets. I still can't seem to get it to work correctly. Any suggestions?

interface GigabitEthernet0/0
description WAN
speed 100
nameif Outside
security-level 0
ip address 120.200.201.105 255.255.255.248
!
interface GigabitEthernet0/1
channel-group 21 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
channel-group 21 mode active
no nameif
no security-level
no ip address
!
interface Port-channel21
nameif Archer_Interfaces
security-level 90
ip address 10.21.1.251 255.255.255.0
!
interface Port-channel21.22
vlan 22
nameif Austin_HVAC
security-level 10
ip address 192.168.146.251 255.255.255.0
!
same-security-traffic permit intra-interface
object network Archer_Interfaces
subnet 10.21.1.0 255.255.255.0
object network Austin_HVAC_Public_IP
host 120.200.201.106
description Archer Austin HVAC Nat
object network Austin_HVAC
subnet 192.168.146.0 255.255.255.0
object network Austin_LAN_Side
subnet 192.168.144.0 255.255.255.0
object network NETWORK_OBJ_192.168.146.0_24
subnet 192.168.146.0 255.255.255.0
access-list Outside_access_in extended permit ip any any
access-list Archer_Interfaces_access_in extended permit ip any any
access-list Austin_HVAC_access_in extended permit ip any any
access-list Outside_cryptomap_1 extended permit ip object Austin_HVAC object Austin_LAN_Side
pager lines 24
mtu Outside 1500
mtu Archer_Interfaces 1500
mtu Austin_HVAC 1500
no failover
no monitor-interface Austin_HVAC
no monitor-interface service-module
nat (Outside,Outside) source static Austin_HVAC Austin_HVAC destination static Austin_LAN_Side Austin_LAN_Side no-proxy-arp route-lookup
!
object network Archer_Interfaces
nat (Archer_Interfaces,Outside) dynamic interface
object network Austin_HVAC
nat (Austin_HVAC,Outside) dynamic Austin_HVAC_Public_IP
access-group Outside_access_in in interface Outside
access-group Archer_Interfaces_access_in in interface Archer_Interfaces
access-group Austin_HVAC_access_in in interface Austin_HVAC
route Outside 0.0.0.0 0.0.0.0 120.200.201.110 1
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set peer 190.80.141.179
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256
crypto map Outside_map interface Outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha512 sha384 sha256
group 21 20 24
prf sha512 sha384 sha256
lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 high
ssl cipher dtlsv1.2 high
ssl dh-group group24
ssl ecdh-group group21
group-policy GroupPolicy_190.80.141.179 internal
group-policy GroupPolicy_190.80.141.179 attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
username lodgeworks password ***** pbkdf2 privilege 15
tunnel-group 190.80.141.179 type ipsec-l2l
tunnel-group 190.80.141.179 general-attributes
default-group-policy GroupPolicy_190.80.141.179
tunnel-group 190.80.141.179 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****


Your NAT rule looks incorrect, but I have no context, so be sure of your intention.
Is the source network Austin_HVAC?

Changes made in bold:-

access-list Outside_cryptomap_1 extended permit ip object Austin_HVAC_Public_IP object Austin_LAN_Side
nat (Austin_HVAC,Outside) source static Austin_HVAC Austin_HVAC_Public_IP destination static Austin_LAN_Side Austin_LAN_Side no-proxy-arp route-lookup

HTH

When I put in the NAT rule I get this error:

ERROR: Option route-lookup is only allowed for static identity case

I took off the route-lookup at the end.

VPN still doesn't connect; here is what I get when I do "show nat":

ciscoasa# show nat
Manual NAT Policies (Section 1)
1 (Austin_HVAC) to (Outside) source static Austin_HVAC Austin_HVAC_Public_IP destination static Austin_LAN_Side Austin_LAN_Side no-proxy-arp
translate_hits = 0, untranslate_hits = 0
2 (Outside) to (Outside) source static NETWORK_OBJ_192.168.146.0_24 NETWORK_OBJ_192.168.146.0_24 destination static Austin_LAN_Side Austin_LAN_Side no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (Archer_Interfaces) to (Outside) source dynamic Archer_Interfaces interface
translate_hits = 653, untranslate_hits = 3141

Is the source interface "Austin_HVAC"? I was unsure. What source IP address?

Run packet-tracer and provide the output.

This is what I have now; still no luck.

nat (Austin_HVAC,Outside) source static Austin_HVAC Austin_HVAC_Public_IP destination static Austin_LAN_Side Austin_LAN_Side no-proxy-arp
nat (Outside,Outside) source static NETWORK_OBJ_192.168.146.0_24 NETWORK_OBJ_192.168.146.0_24 destination static Austin_LAN_Side Austin_LAN_Side no-proxy-arp route-lookup

On the other side do I need to do anything special on it? I have it set to the outside interface as the peer.

Thank you for your help!

Did you modify the ACL as specified?
Can you run packet-tracer?
Does it even attempt to establish a VPN? If not, turn on debugs.
Provide the output of the other firewall.

I did modify the ACL.

I don't see it attempt to establish the VPN. I'll turn on the debugs.

Thank you

Got the VPN to establish; however, there must be a NAT issue on the ASA, as that doesn't allow the devices out to the network now.

EDIT

Added another NAT rule and now the internet works fine. VPN is up but not receiving traffic back.

ciscoasa# show nat
Manual NAT Policies (Section 1)
1 (Austin_HVAC) to (Outside) source static Austin_HVAC Austin_HVAC_Public_IP destination static Austin_LAN_Side Austin_LAN_Side no-proxy-arp
translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (Archer_Interfaces) to (Outside) source dynamic Archer_Interfaces interface
translate_hits = 685, untranslate_hits = 3141

Nothing is hitting that first NAT rule.
Please provide the output from "show crypto ipsec sa" from both VPN peers.
Also provide the output from a packet-tracer test.

Side A

ciscoasa# show crypto ipsec sa
interface: Outside
Crypto map tag: Outside_map, seq num: 1, local addr: 120.200.201.105

access-list Outside_cryptomap extended permit ip 192.168.146.0 255.255.255.0 192.168.144.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.146.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.144.0/255.255.255.0/0/0)
current_peer: 190.80.141.179


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 59, #pkts decrypt: 59, #pkts verify: 59
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 120.200.201.105/500, remote crypto endpt.: 190.80.141.179/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 7FD45D29
current inbound spi : 08B65695

inbound esp sas:
spi: 0x08B65695 (146167445)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 2, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4147196/28527)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x0FFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x7FD45D29 (2144623913)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 2, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4101120/28527)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Side B

ciscoasa# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 190.80.141.179

access-list outside_cryptomap_4 extended permit ip 192.168.144.0 255.255.255.0 192.168.146.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.144.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.146.0/255.255.255.0/0/0)
current_peer: 120.200.201.105


#pkts encaps: 78, #pkts encrypt: 78, #pkts digest: 78
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 78, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 190.80.141.179/500, remote crypto endpt.: 120.200.201.105/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 08B65695
current inbound spi : 7FD45D29

inbound esp sas:
spi: 0x7FD45D29 (2144623913)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 2, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4239360/28433)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x08B65695 (146167445)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 2, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4285435/28433)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

I ran packet-tracer and both said the packet was allowed.

Thanks again for all the help!

SideA
access-list Outside_cryptomap extended permit ip 192.168.146.0 255.255.255.0 192.168.144.0 255.255.255.0

Side B
access-list outside_cryptomap_4 extended permit ip 192.168.144.0 255.255.255.0 192.168.146.0 255.255.255.0

You've not amended the ACL. You said in the first post you wanted to translate the traffic over the VPN, but the output from the crypto ipsec sa confirms that traffic would be routed and therefore not translated.

So do you want to NAT or not?

If you don't want to NAT, then amend the NAT rule to ensure the original source and translated source are the same, e.g.:-

nat (Austin_HVAC,Outside) source static Austin_HVAC Austin_HVAC destination static Austin_LAN_Side Austin_LAN_Side no-proxy-arp route-lookup

Else amend the ACLs on both ends.
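As an added illustration (not from the thread or from Cisco), the following Python check encodes the rule that both the first reply and the accepted answer rely on: because the ASA translates outbound traffic before it is matched against the crypto map, the crypto ACL must name the post-NAT source, or the NAT rule must be identity NAT. It parses object, access-list and twice-NAT lines in the format quoted in the thread (a constructed sample using the thread's object names) and reports an ACL whose source is the pre-NAT address while the NAT rule translates it to something else.

```python
import ipaddress
import re

# Constructed sample modelled on the config lines quoted in the thread.
CONFIG_MISMATCH = """\
object network Austin_HVAC_Public_IP
 host 120.200.201.106
object network Austin_HVAC
 subnet 192.168.146.0 255.255.255.0
object network Austin_LAN_Side
 subnet 192.168.144.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip object Austin_HVAC object Austin_LAN_Side
nat (Austin_HVAC,Outside) source static Austin_HVAC Austin_HVAC_Public_IP destination static Austin_LAN_Side Austin_LAN_Side no-proxy-arp
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip object (\S+) object (\S+)")
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")

def parse_objects(config):
    """Map each 'object network' name to its host or subnet as an ip_network."""
    objects, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif current and line.startswith("host "):
            objects[current] = ipaddress.ip_network(line.split()[1])
        elif current and line.startswith("subnet "):
            _, addr, mask = line.split()
            objects[current] = ipaddress.ip_network(f"{addr}/{mask}")
    return objects

def check_crypto_acl(config, acl_name):
    """Report crypto ACL entries whose source is the pre-NAT address while a matching
    twice-NAT rule translates that source: NAT runs before the crypto map is consulted."""
    objs = parse_objects(config)
    acl = [(src, dst) for name, src, dst in ACL_RE.findall(config) if name == acl_name]
    problems = []
    for _, _, orig_src, xlat_src, orig_dst, _ in NAT_RE.findall(config):
        for acl_src, acl_dst in acl:
            if objs[acl_dst] != objs[orig_dst]:
                continue  # this NAT rule does not apply to the ACL entry's destination
            if objs[acl_src] == objs[orig_src] and objs[xlat_src] != objs[orig_src]:
                problems.append(f"{acl_name}: source {objs[orig_src]} is translated to "
                                f"{objs[xlat_src]} before crypto matching; use {xlat_src} "
                                f"in the ACL or make the NAT rule identity ({orig_src} -> {orig_src})")
    return problems
```

An empty result means the ACL and NAT rule agree, which is the case for either of the two fixes the accepted answer offers.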