cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1890
Views
0
Helpful
8
Replies

VPN how to nat local Ip address to remote address?

habibnoubissi
Level 1
Level 1

Hi Everybody,

I have a problem on my VPN tunnel, this is the scenario:

local network (172.21.0.0/16)===local ASA5510(IOS 7.2) -------------Internet---------------remote ASA5510(IOS 8.3)===remote network (10.5.6.0/24)

the tunnel is up, I can telnet or ssh from remote network to local network; my problem is that I want some hosts on local network (172.21.254.28 and 172.21.254.31) to access remote network with with the IP address of remote network (10.5.6.96 and 10.5.6.97) and for that I I did this static nat on remote ASA:

hostname(config)# object network sv-test_1

hostname(config-network-object)# host 172.21.254.31

hostname(config)# object network sv-live_1

hostname(config-network-object)# host 172.21.254.28

hostname(config)# object network sv-test_2

hostname(config-network-object)# host 10.5.6.96

hostname(config)# object network sv-live_2

hostname(config-network-object)# host 10.5.6.97

nat (mc,Outside) source static sv-test_2  sv-test_1

nat (mc,Outside) source static sv-live-_2  sv-live_1

mc: is the name of internal interface.

Please advise if thoses configurations are good, because it is not working.

Thank you very much in advance

8 Replies 8

mikull.kiznozki
Level 1
Level 1

what code do you run? 8.4(2)?

can u show us the sh cry ipsec sa output for this peer.?

Hi Mikull thank you for your reply, below the answering to your questions:

code : ASA Version 8.3(1)

below is the output of crypto ipsec sa:

fw1# sh cry ip sa

interface: Outside

    Crypto map tag: Outside_map, seq num: 80, local addr: 212.x.x.x

      access-list vpn_mastercard_geneve extended permit ip 10.5.6.0 255.255.255.0 host 172.21.254.31

      local ident (addr/mask/prot/port): (10.5.6.0/255.255.255.0/1/0)

      remote ident (addr/mask/prot/port): (172.21.254.31/255.255.255.255/1/0)

      current_peer: 41.y.y.y

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 155264, #pkts decrypt: 155264, #pkts verify: 155264

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.x.x.x/0, remote crypto endpt.: 41.y.y.y/0

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 25DC2DAA

      current inbound spi : 240B23F8

    inbound esp sas:

      spi: 0x240B23F8 (604709880)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

   slot: 0, conn_id: 226775040, crypto-map: Outside_map

         sa timing: remaining key lifetime (kB/sec): (4373797/1103)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x25DC2DAA (635186602)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 226775040, crypto-map: Outside_map

         sa timing: remaining key lifetime (kB/sec): (4374000/1102)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

wth this I noticed the packent from repote site are not encaps.

please guys help me to solve this situation

thanks. could you also show us a packet tracer output of the asa inside host trying to get to the remote peer network.

packet-tracer input inside tcp <172.21.0.0/16> 2700 <10.5.6.0/24> 2700 detailed

Thanks once again Mikull,

below is the output of packet-tracert input:

ASA# packet-tracer input inside tcp 172.21.254.31 2700 10.5.6.55 2700

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip object-group host_test_1 object-group sous_reseau_2

object-group network host_test_1

network-object host 172.21.254.28

network-object host 172.21.254.31

network-object host serveur_tftp

object-group network sous_reseau_2

network-object 10.5.6.0 255.255.255.0

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: INSPECT

Subtype: inspect-im

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 0 172.21.254.31 255.255.255.255

  match ip inside host 172.21.254.31 outside any

    identity NAT translation, pool 0

    translate_hits = 111056, untranslate_hits = 3373

Additional Information:

Dynamic translate 172.21.254.31/0 to 172.21.254.31/0 using netmask 255.255.255.255

Phase: 8

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 0 172.21.254.31 255.255.255.255

  match ip inside host 172.21.254.31 inside any

    identity NAT translation, pool 0

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 9

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

thanks. looks to me more like a nat exempt issue. if you dont mind, you could either attach the full sh run here or PM me so that I can dig deeper.

Hi Mikull,

this is the correct packet-tracert output from local ASA, becasue the only tcp port authorised on remote site is 6005, so I did the command with it:

ASA-GONAGO# packet-tracer input inside tcp 172.21.254.31 6005 10.5.6.55 2700

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip object-group host_1 object-group sous_reseau_2

object-group network host_1

network-object host 172.21.254.28

network-object host 172.21.254.31

network-object host serveur_tftp

object-group network sous_reseau_2

network-object 10.5.6.0 255.255.255.0

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: inspect-im

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 0 172.21.254.31 255.255.255.255

  match ip inside host 172.21.254.31 outside any

    identity NAT translation, pool 0

    translate_hits = 111082, untranslate_hits = 3403

Additional Information:

Dynamic translate 172.21.254.31/0 to 172.21.254.31/0 using netmask 255.255.255.255

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 0 172.21.254.31 255.255.255.255

  match ip inside host 172.21.254.31 inside any

    identity NAT translation, pool 0

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 8

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 46764663, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

could you check whether the crypto map acl's are similar at both the ends.

have you also started a packet capture from your inside local subnet to the remote peer and initiate some traffic from your inside peer and see what is happening.

Mikull,please takeinto account my configuration on remote peer (it is here that I want some local adresses (172.21.254.28, 172.21.254.31) to be natted to the remote address (10.5.6.97, 10.5.6.96):

object network local-test

host 172.21.254.31

object network local-live

host 172.21.254.28

object network local_network

subnet 172.21.0.0 255.255.0.0

object network remote_network

subnet 10.5.6.0 255.255.255.0

object network remote-test

host 10.5.6.96

object network remote-live

host 10.5.6.97

object-group network local

network-object host 172.21.254.28

network-object host 172.21.254.31

object-group network remote-network-2

network-object 10.5.6.0 255.255.255.0

access-list mc_access_in extended permit ip object-group remote-network-2 object-group local

access-list vpn extended permit ip object-group remote-network-2 object-group local

nat (mc,Outside) source static remote_network remote_network destination static local_network local_network

nat (mc,Outside) source static remote-test local-test

nat (mc,Outside) source static remote-live local-live

nat (Outside,mc) source static local-test remote-test

nat (Outside,mc) source static local-live remote-live

crypto ipsec transform-set vpn esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside_map 80 match address vpn

crypto map Outside_map 80 set peer 41.y.y.y 255.255.255.255

crypto map Outside_map 80 set transform-set vpn

crypto map Outside_map 80 set security-association lifetime seconds 3600

crypto isakmp policy 80

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86080

THANKS A LOT FOR YOUR HELP