06-03-2012 02:58 PM
Hi Everybody,
I have a problem on my VPN tunnel, this is the scenario:
local network (172.21.0.0/16)===local ASA5510(IOS 7.2) -------------Internet---------------remote ASA5510(IOS 8.3)===remote network (10.5.6.0/24)
the tunnel is up, I can telnet or ssh from remote network to local network; my problem is that I want some hosts on local network (172.21.254.28 and 172.21.254.31) to access remote network with the IP address of remote network (10.5.6.96 and 10.5.6.97) and for that I did this static nat on remote ASA:
hostname(config)# object network sv-test_1
hostname(config-network-object)# host 172.21.254.31
hostname(config)# object network sv-live_1
hostname(config-network-object)# host 172.21.254.28
hostname(config)# object network sv-test_2
hostname(config-network-object)# host 10.5.6.96
hostname(config)# object network sv-live_2
hostname(config-network-object)# host 10.5.6.97
nat (mc,Outside) source static sv-test_2 sv-test_1
nat (mc,Outside) source static sv-live_2 sv-live_1
mc: is the name of internal interface.
Please advise if those configurations are good, because it is not working.
Thank you very much in advance
06-03-2012 06:11 PM
what code do you run? 8.4(2)?
can you show us the sh cry ipsec sa output for this peer?
06-04-2012 12:02 AM
Hi Mikull, thank you for your reply, below are the answers to your questions:
code : ASA Version 8.3(1)
below is the output of crypto ipsec sa:
fw1# sh cry ip sa
interface: Outside
Crypto map tag: Outside_map, seq num: 80, local addr: 212.x.x.x
access-list vpn_mastercard_geneve extended permit ip 10.5.6.0 255.255.255.0 host 172.21.254.31
local ident (addr/mask/prot/port): (10.5.6.0/255.255.255.0/1/0)
remote ident (addr/mask/prot/port): (172.21.254.31/255.255.255.255/1/0)
current_peer: 41.y.y.y
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 155264, #pkts decrypt: 155264, #pkts verify: 155264
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 212.x.x.x/0, remote crypto endpt.: 41.y.y.y/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 25DC2DAA
current inbound spi : 240B23F8
inbound esp sas:
spi: 0x240B23F8 (604709880)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 226775040, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4373797/1103)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x25DC2DAA (635186602)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 226775040, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/1102)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
with this I noticed the packets from the remote site are not encapsulated.
please guys help me to solve this situation
06-04-2012 12:28 AM
thanks. could you also show us a packet tracer output of the asa inside host trying to get to the remote peer network.
packet-tracer input inside tcp <172.21.0.0/16> 2700 <10.5.6.0/24> 2700 detailed
06-04-2012 01:11 AM
Thanks once again Mikull,
below is the output of packet-tracer input:
ASA# packet-tracer input inside tcp 172.21.254.31 2700 10.5.6.55 2700
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object-group host_test_1 object-group sous_reseau_2
object-group network host_test_1
network-object host 172.21.254.28
network-object host 172.21.254.31
network-object host serveur_tftp
object-group network sous_reseau_2
network-object 10.5.6.0 255.255.255.0
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: inspect-im
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 172.21.254.31 255.255.255.255
match ip inside host 172.21.254.31 outside any
identity NAT translation, pool 0
translate_hits = 111056, untranslate_hits = 3373
Additional Information:
Dynamic translate 172.21.254.31/0 to 172.21.254.31/0 using netmask 255.255.255.255
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 0 172.21.254.31 255.255.255.255
match ip inside host 172.21.254.31 inside any
identity NAT translation, pool 0
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
06-04-2012 01:27 AM
thanks. looks to me more like a nat exempt issue. if you don't mind, you could either attach the full sh run here or PM me so that I can dig deeper.
06-04-2012 01:36 AM
Hi Mikull,
this is the correct packet-tracer output from local ASA, because the only tcp port authorised on remote site is 6005, so I did the command with it:
ASA-GONAGO# packet-tracer input inside tcp 172.21.254.31 6005 10.5.6.55 2700
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object-group host_1 object-group sous_reseau_2
object-group network host_1
network-object host 172.21.254.28
network-object host 172.21.254.31
network-object host serveur_tftp
object-group network sous_reseau_2
network-object 10.5.6.0 255.255.255.0
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: inspect-im
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 172.21.254.31 255.255.255.255
match ip inside host 172.21.254.31 outside any
identity NAT translation, pool 0
translate_hits = 111082, untranslate_hits = 3403
Additional Information:
Dynamic translate 172.21.254.31/0 to 172.21.254.31/0 using netmask 255.255.255.255
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 0 172.21.254.31 255.255.255.255
match ip inside host 172.21.254.31 inside any
identity NAT translation, pool 0
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 46764663, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
06-04-2012 01:43 AM
could you check whether the crypto map acl's are similar at both the ends.
have you also started a packet capture from your inside local subnet to the remote peer, initiated some traffic from your inside peer and seen what is happening?
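The check asked for in this reply, whether the crypto-map ACLs mirror each other at both ends, can be done offline. The script below is an added example, not code from the thread or from Cisco: it parses ASA extended ACL lines in the `host A`, `A MASK` and `any` forms, turns each permit entry into a (protocol, source, destination) tuple, and lists entries on either side whose exact mirror (source and destination swapped) is missing on the other side. The two ACLs are constructed samples: side A is modelled on the `vpn_mastercard_geneve` entry shown in the `sh cry ipsec sa` output above, side B is a hypothetical crypto ACL for the 172.21.0.0/16 end with one deliberately non-mirrored entry.

```python
import ipaddress
from typing import NamedTuple


class CryptoEntry(NamedTuple):
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirrored(self) -> "CryptoEntry":
        """The entry the peer must carry: same protocol, source and destination swapped."""
        return CryptoEntry(self.proto, self.dst, self.src)


def _take_net(tokens: list[str], i: int):
    """Consume one address spec at tokens[i] (any | host A | A MASK); return (network, next index)."""
    t = tokens[i]
    if t in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "address netmask" form; strict=False tolerates host bits set in the address
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(text: str) -> set[CryptoEntry]:
    """Parse 'access-list NAME extended permit PROTO SRC DST' lines into CryptoEntry tuples."""
    entries: set[CryptoEntry] = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or "permit" not in tokens:
            continue  # comments, remarks and deny lines do not define protected traffic
        i = tokens.index("permit") + 1
        proto = tokens[i]
        src, i = _take_net(tokens, i + 1)
        dst, i = _take_net(tokens, i)
        entries.add(CryptoEntry(proto, src, dst))
    return entries


def crypto_acl_mismatches(side_a: str, side_b: str):
    """Return (A entries with no mirror on B, B entries with no mirror on A)."""
    a = parse_crypto_acl(side_a)
    b = parse_crypto_acl(side_b)
    a_unmirrored = {e for e in a if e.mirrored() not in b}
    b_unmirrored = {e for e in b if e.mirrored() not in a}
    return a_unmirrored, b_unmirrored


# Constructed sample: crypto ACL on the 10.5.6.0/24 end (modelled on the thread's output).
SIDE_A_ACL = """\
access-list vpn_mastercard_geneve extended permit ip 10.5.6.0 255.255.255.0 host 172.21.254.31
access-list vpn_mastercard_geneve extended permit ip 10.5.6.0 255.255.255.0 host 172.21.254.28
"""

# Constructed sample: hypothetical crypto ACL on the 172.21.0.0/16 end; the second line
# protects the whole /16 instead of the two hosts, so it has no mirror on side A.
SIDE_B_ACL = """\
access-list outside_cryptomap extended permit ip host 172.21.254.31 10.5.6.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.21.0.0 255.255.0.0 10.5.6.0 255.255.255.0
"""

if __name__ == "__main__":
    a_only, b_only = crypto_acl_mismatches(SIDE_A_ACL, SIDE_B_ACL)
    for e in sorted(a_only):
        print(f"side A entry not mirrored on B: {e.proto} {e.src} -> {e.dst}")
    for e in sorted(b_only):
        print(f"side B entry not mirrored on A: {e.proto} {e.src} -> {e.dst}")
```

The comparison is deliberately exact: a broader entry on one side (the /16 above) will let Phase 2 negotiate only if the peer accepts it, and on an ASA running 8.3 the addresses in the crypto ACL must be the post-NAT addresses, so any twice-NAT applied to the VPN hosts has to be reflected in both ACLs before this check is meaningful.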
06-04-2012 02:43 AM
Mikull, please take into account my configuration on remote peer (it is here that I want some local addresses (172.21.254.28, 172.21.254.31) to be natted to the remote addresses (10.5.6.97, 10.5.6.96)):
object network local-test
host 172.21.254.31
object network local-live
host 172.21.254.28
object network local_network
subnet 172.21.0.0 255.255.0.0
object network remote_network
subnet 10.5.6.0 255.255.255.0
object network remote-test
host 10.5.6.96
object network remote-live
host 10.5.6.97
object-group network local
network-object host 172.21.254.28
network-object host 172.21.254.31
object-group network remote-network-2
network-object 10.5.6.0 255.255.255.0
access-list mc_access_in extended permit ip object-group remote-network-2 object-group local
access-list vpn extended permit ip object-group remote-network-2 object-group local
nat (mc,Outside) source static remote_network remote_network destination static local_network local_network
nat (mc,Outside) source static remote-test local-test
nat (mc,Outside) source static remote-live local-live
nat (Outside,mc) source static local-test remote-test
nat (Outside,mc) source static local-live remote-live
crypto ipsec transform-set vpn esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 80 match address vpn
crypto map Outside_map 80 set peer 41.y.y.y 255.255.255.255
crypto map Outside_map 80 set transform-set vpn
crypto map Outside_map 80 set security-association lifetime seconds 3600
crypto isakmp policy 80
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86080
THANKS A LOT FOR YOUR HELP