Try changing your NAT at site - Page 2

christophe.ognier · ‎12-13-2011

Hello,

I have 2 sites :

site A :

ASA 5510

VPN gateway for remote users

LAN 192.168.192.0/22

site B :

ASA 5505

LAN 192.168.208.0/22

Both sites are connected through a site to site VPN.

Remote clients (AnyConnect/VPN client) can connect to Site A LAN and see machines on LAN A but cannot see Site B LAN.

What do I miss (maybe on both sides) ?

Any help appreciated.

Here is a part of my configuration :

On Site A (ASA 5510)

--------------------------------

name 192.168.192.0 SiteA_Internal_Network

name 192.168.208.0 SiteB_Internal_Network

name 192.168.133.0 VPNPool_AnyConnect

name 192.168.133.32 VPNPool_VpnClient

object-group network DM_INLINE_NETWORK_3

network-object VPNPool_AnyConnect 255.255.255.224

network-object VPNPool_VpnClient 255.255.255.224

network-object SiteA_Internal_Network 255.255.252.0

access-list External_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 SiteB_Internal_Network 255.255.252.0

nat (Internal) 0 access-list Internal_nat0_outbound

nat (Internal) 1 SiteA_Internal_Network 255.255.252.0

nat (External-DMZ) 0 access-list External-DMZ_nat0_outbound

static (Internal,External-DMZ) SiteA_Internal_Network SiteA_Internal_Network netmask 255.255.252.0

static (Internal,Internal-DMZ) SiteA_Internal_Network SiteA_Internal_Network netmask 255.255.252.0

static (External-DMZ,External) SiteA_ExternalDMZ_Network SiteA_ExternalDMZ_Network netmask 255.255.255.240

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

vpn-addr-assign local reuse-delay 5

webvpn

enable External

svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1 regex "Windows NT"

svc image disk0:/anyconnect-wince-ARMv4I-2.3.0254-k9.pkg 2 regex "Windows CE"

svc image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 3 regex "Intel Mac OS X"

svc image disk0:/anyconnect-macosx-powerpc-2.3.0254-k9.pkg 4 regex "PPC Mac OS X"

svc image disk0:/anyconnect-linux-2.3.0254-k9.pkg 5 regex "Linux"

svc enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

dns-server value XXXXXXXXXXXXX

vpn-tunnel-protocol IPSec svc webvpn

ip-comp enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split-lan

default-domain value XXXXX

webvpn

svc keepalive 30

svc compression none

group-policy TG-ADM internal

group-policy TG-ADM attributes

vpn-tunnel-protocol IPSec

ip-comp disable

group-policy JSIgroup internal

group-policy JSIgroup attributes

vpn-tunnel-protocol IPSec svc webvpn

webvpn

url-list none

svc ask enable

tunnel-group DefaultRAGroup general-attributes

authentication-server-group RADIUS LOCAL

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool POOL-ANYCONNECT

authentication-server-group RADIUS LOCAL

dhcp-server XXXXXXXXXX

tunnel-group DefaultWEBVPNGroup webvpn-attributes

group-alias VPN-ACCESS enable

tunnel-group XXXXXXXXXXXX type ipsec-l2l

tunnel-group XXXXXXXXXXXXX ipsec-attributes

pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXX

tunnel-group TG-ADM type remote-access

tunnel-group TG-ADM general-attributes

address-pool POOL-ADM

authentication-server-group RADIUS LOCAL

default-group-policy TG-ADM

tunnel-group TG-ADM ipsec-attributes

pre-shared-key XXXXXXXXXXXXXXXXXXXXXX

On Site B (ASA 5505)

-------------------------------

name 192.168.192.0 SiteA_Internal_Network

name 192.168.133.32 AnyConnect

name 192.168.133.0 VPN_Client

object-group network DM_INLINE_NETWORK_2

network-object 192.168.133.0 255.255.255.224

network-object 192.168.133.32 255.255.255.224

network-object 192.168.192.0 255.255.252.0

object-group network DM_INLINE_NETWORK_1

network-object 192.168.133.0 255.255.255.224

network-object 192.168.133.32 255.255.255.224

network-object 192.168.192.0 255.255.252.0

access-list inside_nat0_outbound extended permit ip 192.168.208.0 255.255.252.0 object-group DM_INLINE_NETWORK_1

access-list inside_access_in extended permit ip 192.168.208.0 255.255.252.0 192.168.192.0 255.255.252.0

access-list inside_access_in extended permit object-group Traffic-Good 192.168.208.0 255.255.252.0 any

access-list outside_cryptomap_1 extended permit ip 192.168.208.0 255.255.252.0 object-group DM_INLINE_NETWORK_2

access-list outside_access_in extended deny ip any 192.168.208.0 255.255.252.0

access-list outside_access_in extended deny ip any 192.168.192.0 255.255.252.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

Raul Ricano · ‎01-14-2016

At Site B it looks like its actually being Nat/PAT out to the internet and not exempt from NAT. Make sure you have a no nat statement from site B to not allow the traffic to be PAT to the Internet. On the new 9.x ASA code this is done by the static NATs and no longer done via the NONAT ACLs. Basically at site by match what you have working for the Site to site VPN (ACL and Static NATs) for the RA VPN subnet and that should push that traffic over the tunnel. I did this recently for a client and this is what I ended up having to do on their ASA.

Remote Site B (8.2 code)

access-list VPN extended permit ip 10.46.1.0 255.255.255.0 10.41.9.0 255.255.0.0
access-list NONAT extended permit ip 10.46.1.0 255.255.255.0 10.41.9.0 255.255.255.0

Main Site A (9.x Code)

access-list outside_cryptomap extended permit ip 10.41.9.0 255.255.255.0 10.46.1.0 255.255.255.0

hshzhu101 · ‎01-15-2016

I have config the exempt from NAT ,see as bellow:

Site B:

access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.1.84.0 255.255.255.0

access-list Office extended permit ip 10.1.1.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list Office extended permit ip 10.1.0.0 255.255.255.0 10.1.84.0 255.255.255.0

Site A:

access-list Outside1_cryptomap extended permit ip object Remote_admin object-group Subnets

Is there any other problem?

Raul Ricano · ‎01-15-2016

That looks good. What version of ASA Code are you running? If you are running 8.3 and above you will need static NATs

8.3+ code NAT should look something like this.

Site A (interface name may vary for you)

nat (inside,outside) source static Remote_admin Remote_admin destination static SiteBSubNetObject SiteBSubnetObject no-proxy-arp route-lookup

Site B

nat (inside,outside) source static Remote_admin Remote_admin SiteBSubNetObject SiteBSubnetObject destination static Remote_admin Remote_admin no-proxy-arp route-lookup

hshzhu101 · ‎01-17-2016

Thanks for your help,

At SiteA,the version of the ASA is 9.0(1),I think the "remote client"belong to ouside flow,how do you think?So I think I should config the NAT as what I have copy to the disscution:nat (Outside1,Outside1) source static Remote_admin Remote_admin destination static Subnets Subnets no-proxy-arp route-lookup

At SiteB;the version is 8.0(5),so it not need to config NAT.

Do you think there is some else possibility?

hshzhu101 · ‎01-28-2016

Dear Raul

Do you have any idea?

Raul Ricano · ‎01-28-2016

Hi sorry for dropping off. Been traveling etc. So looking at the icmp traces you ran it fails at the VPN Encrypt phase. Site B looks good as far as I can tell. However it looks like your site A trace your NAT is matching a ChinaSubnet which I did not see in your config. I noticed you had a Subnets group with subnet 1 and 2 in the posted config, but seems it's not matching that. Your static NAT entry for this may need to be placed sourced before this China one. I would also add the following command "same-security-traffic permit inter-interface". Sorry for the formatting as I am on my phone.

hshzhu101 · ‎01-28-2016

Dear Raul

Many thanks for your help

Ihave add the folloing command"same-security-traffic permit inter-interface",but ,it is still failed.

In fact ,"ChinaSubnet "means "Subnet",I just replace it to "Subnet" when I copy the configuration to the discussion.

Raul Ricano · ‎01-28-2016

Try changing your NAT at site A from (outside1,outside1) to (inside,outside1).

Also can you post the show run crypto from both sides along with NAT, nonnat, split tunnel ACL and crypto ACL. Try and not change anything that's not specifically identiable to your company. I am getting on a plane soon and won't be able to reply. I should have some PC access tomorrow and can look over the full outputs and piece them together better.

hshzhu101 · ‎01-31-2016

Dear Raul

Thanks for your help!Please see the configuration as below:

SiteA:

ASA Version 9.0(1)

ip local pool Remote_admin 10.1.84.100-10.1.84.200 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif Outside1
security-level 0
ip address A.A.A.A 255.255.255.248
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ChinaSubnet1
subnet 10.1.0.0 255.255.255.0
object network ChinaSubnet2
subnet 10.1.1.0 255.255.255.0
object network Corp
subnet 10.24.15.0 255.255.255.0
object network Servers
subnet 10.24.10.0 255.255.255.0
object network MGT
subnet 10.24.5.0 255.255.255.0
object network R&D
subnet 10.24.20.0 255.255.255.0
object network Remote_admin
subnet 10.1.84.0 255.255.255.0

object-group network ChinaSubnets
network-object object ChinaSubnet1
network-object object ChinaSubnet2

object-group network SF_Network
network-object 10.24.24.0 255.255.255.0
network-object object Corp
network-object object Servers
access-list global_access extended permit icmp any4 any4
access-list Inside_access_in extended permit ip any any
access-list Outside1_cryptomap extended permit ip object-group SF_Network object-group ChinaSubnets
access-list Outside1_cryptomap extended permit ip object Remote_admin object-group ChinaSubnets
access-list split standard permit 10.24.5.0 255.255.255.0
access-list split standard permit 10.1.1.0 255.255.255.0
access-list split standard permit 10.1.0.0 255.255.255.0
access-list split standard permit 10.24.10.0 255.255.255.0
access-list split standard permit 10.24.20.0 255.255.255.0
access-list split standard permit 10.24.24.0 255.255.255.0
access-list split standard permit 10.24.15.0 255.255.255.0
!
nat (Inside,Outside1) source static any any destination static Remote_admin Remote_admin
nat (Inside,Outside1) source static SF_Network SF_Network destination static ChinaSubnets ChinaSubnets no-proxy-arp route-lookup
nat (Inside,Outside1) source static Remote_admin Remote_admin destination static ChinaSubnets ChinaSubnets no-proxy-arp route-lookup
!
nat (Inside,Outside1) after-auto source dynamic any interface
access-group Inside_access_in in interface Inside
access-group global_access global

crypto ipsec ikev1 transform-set China_Trans esp-aes-256 esp-sha-hmac

crypto dynamic-map dyn1 65534 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 65534 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 65534 set reverse-route
crypto map Outside1_map 1 match address Outside1_cryptomap
crypto map Outside1_map 1 set peer B.B.B.B
crypto map Outside1_map 1 set ikev1 transform-set China_Trans
crypto map Outside1_map 1 set security-association lifetime seconds 28800
crypto map Outside1_map 1 set security-association lifetime kilobytes 4608000
crypto map Outside1_map 65534 ipsec-isakmp dynamic dyn1

crypto map Outside1_map interface Outside1
crypto ca trustpool policy
crypto isakmp nat-traversal 3600
crypto ikev1 enable Outside1
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

group-policy GroupPolicy_B.B.B.B internal
group-policy GroupPolicy_B.B.B.B attributes
vpn-tunnel-protocol ikev1

group-policy Remote_Admin internal
group-policy Remote_Admin attributes
vpn-session-timeout none
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
address-pools value Remote_admin

tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B general-attributes
default-group-policy GroupPolicy_B.B.B.B
tunnel-group B.B.B.B ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold infinite

tunnel-group Remote_admin type remote-access
tunnel-group Remote_admin general-attributes
address-pool Remote_admin
default-group-policy Remote_Admin
tunnel-group Remote_admin ipsec-attributes
ikev1 pre-shared-key *****

SiteB:

ASA Version 8.0(5)
!

interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address B.B.B.B 255.255.255.240

access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.24.24.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list no_nat extended permit ip 10.1.0.0 255.255.255.0 10.24.15.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.24.24.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0 255.255.255.0 10.24.15.0 255.255.255.0

access-list AmericanOffice extended permit ip 10.1.0.0 255.255.255.0 10.24.24.0 255.255.255.0
access-list AmericanOffice extended permit ip 10.1.1.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list AmericanOffice extended permit ip 10.1.0.0 255.255.255.0 10.1.84.0 255.255.255.0
access-list AmericanOffice extended permit ip 10.1.0.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list AmericanOffice extended permit ip 10.1.0.0 255.255.255.0 10.24.15.0 255.255.255.0
access-list AmericanOffice extended permit ip 10.1.1.0 255.255.255.0 10.24.24.0 255.255.255.0
access-list AmericanOffice extended permit ip 10.1.1.0 255.255.255.0 10.24.10.0 255.255.255.0
access-list AmericanOffice extended permit ip 10.1.1.0 255.255.255.0 10.24.15.0 255.255.255.0

nat (Inside) 0 access-list no_nat
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ipsec transform-set AmericanOffice esp-aes-256 esp-sha-hmac
crypto map mymap 90 match address AmericanOffice
crypto map mymap 90 set peer A.A.A.A
crypto map mymap 90 set transform-set AmericanOffice
crypto map mymap 90 set security-association lifetime seconds 28800
crypto map mymap 90 set security-association lifetime kilobytes 4608000

crypto map mymap interface Outside

tunnel-group A.A.A.A type ipsec-l2l
tunnel-group A.A.A.A ipsec-attributes
pre-shared-key *

hshzhu101 · ‎02-01-2016

Dear Raul,how dou you think about this ?I have copied the configuration about SiteA&SiteB.

hshzhu101 · ‎01-14-2016

Dear nkarthikeyan

I have configed the vpn as your recommed,but it is fail,I don't know why,can you give me some suggestion,thank you!

shikhsha · ‎09-03-2012

Hi Chris,

Adding these 2 commands on site A should most probably fix your issue:

access-list External-DMZ_nat0_outbound extended permit ip VPNPool_AnyConnect 255.255.255.224 SiteB_Internal_Network 255.255.252.0

access-list split-lan standard permit SiteB_Internal_Network 255.255.252.0

Shikhar Sharma

CCIE Security # 29741

Cisco TAC - VPN Team

hshzhu101 · ‎01-12-2016

Dear Chris

Do you have resolved the issue?I have a same issue with you

VPN clients cannot access remote site through site-to-site VPN