08-21-2014 07:53 PM
I have been fighting this for a couple of days now, and I just have not been able to figure it out. I am pretty sure that it is a NAT problem, but I'm lost at this point.
I have an internal network (172.23.45.x) and a VPN network (172.23.46.x) and I cannot get traffic to flow between the two. I was able to get NAT working so much that I no longer show errors in the logs about a Reverse Path Failure or a Failed to locate Egress traffic, but I still cannot get the two networks to communicate.
Here is my latest config:
Result of the command: "sh run"
: Saved
:
ASA Version 9.0(3)
!
hostname Gustapo
domain-name default.domain.invalid
enable password xxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxx encrypted
names
ip local pool ScopeDHCP 172.23.46.200-172.23.46.205 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
nameif ExtNet
security-level 1
ip address dhcp setroute
!
interface Vlan3
nameif IntNet
security-level 100
ip address 172.23.45.253 255.255.255.0
!
boot system disk0:/asa903-k8.bin
ftp mode passive
dns domain-lookup ExtNet
dns domain-lookup IntNet
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network IntIP
subnet 172.23.45.0 255.255.255.0
description Internal Network
object network VPNIP
subnet 172.23.46.0 255.255.255.0
description VPN Connection
access-list ExtNet_access_in extended permit icmp any4 any4
access-list ExtNet_access_in remark Deny all incoming traffic
access-list ExtNet_access_in extended deny ip any4 any4
access-list IntNet_access_in remark Block PS3 traffic to the Internet
access-list IntNet_access_in extended deny ip host 172.23.45.3 any4
access-list IntNet_access_in extended permit ip any4 any4
access-list nonatacl extended permit ip 172.23.46.0 255.255.255.0 172.23.45.0 255.255.255.0
access-list nonatacl extended permit ip 172.23.45.0 255.255.255.0 172.23.46.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu ExtNet 1500
mtu IntNet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (IntNet,ExtNet) source dynamic any interface
nat (ExtNet,ExtNet) source dynamic VPNIP interface
nat (IntNet,any) source static IntIP IntIP destination static VPNIP VPNIP no-proxy-arp
access-group ExtNet_access_in in interface ExtNet
access-group IntNet_access_in in interface IntNet
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 444
http 172.23.45.0 255.255.255.0 IntNet
http redirect IntNet 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 172.23.45.0 255.255.255.0 IntNet
ssh timeout 5
console timeout 0
dhcpd auto_config ExtNet
!
dhcpd address 172.23.45.35-172.23.45.50 IntNet
dhcpd dns 208.67.222.222 208.67.220.220 interface IntNet
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable ExtNet
enable IntNet
anyconnect image disk0:/anyconnect-linux-3.1.05178-k9.pkg 1
anyconnect enable
group-policy DfltGrpPolicy attributes
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value default.domain.invalid
address-pools value ScopeDHCP
group-policy AnyConnectAccessPolicy internal
group-policy AnyConnectAccessPolicy attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value default.domain.invalid
address-pools value ScopeDHCP
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
I am using the following to allow my traffic to route from the VPN to the Internet, but I am not sure I should need it if I get NAT working properly.
nat (ExtNet,ExtNet) source dynamic VPNIP interface
I'm not done configuring everything yet, but I would like to get the VPN tunnel up and running.
Any advice or suggestions? I'm pretty much out of ideas.
08-21-2014 08:26 PM
Hi,
Apply the commands below; it should work for you.
no nat (ExtNet,ExtNet) source dynamic VPNIP interface
no nat (IntNet,any) source static IntIP IntIP destination static VPNIP VPNIP no-proxy-arp
nat (IntNet,ExtNet) source static IntIP IntIP destination static VPNIP VPNIP
HTH
Sandy
08-22-2014 05:30 AM
I inactivated the two old NAT commands and added your NAT command, but it still did not work. I am still unable to connect from my VPN to internal services (ping or SSH). I am also unable to ping from my internal network to my VPN.
Here is my running config now:
Result of the command: "sh run"
: Saved
:
ASA Version 9.0(3)
!
hostname Gustapo
domain-name default.domain.invalid
enable password xxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxx encrypted
names
ip local pool ScopeDHCP 172.23.46.200-172.23.46.205 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
nameif ExtNet
security-level 1
ip address dhcp setroute
!
interface Vlan3
nameif IntNet
security-level 100
ip address 172.23.45.253 255.255.255.0
!
boot system disk0:/asa903-k8.bin
ftp mode passive
dns domain-lookup ExtNet
dns domain-lookup IntNet
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network IntIP
subnet 172.23.45.0 255.255.255.0
description Internal Network
object network VPNIP
subnet 172.23.46.0 255.255.255.0
description VPN Connection
access-list ExtNet_access_in extended permit icmp any4 any4
access-list ExtNet_access_in remark Deny all incoming traffic
access-list ExtNet_access_in extended deny ip any4 any4
access-list IntNet_access_in remark Block PS3 traffic to the Internet
access-list IntNet_access_in extended deny ip host 172.23.45.3 any4
access-list IntNet_access_in extended permit ip any4 any4
access-list nonatacl extended permit ip 172.23.46.0 255.255.255.0 172.23.45.0 255.255.255.0
access-list nonatacl extended permit ip 172.23.45.0 255.255.255.0 172.23.46.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu ExtNet 1500
mtu IntNet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (IntNet,ExtNet) source dynamic any interface
nat (ExtNet,ExtNet) source dynamic VPNIP interface inactive
nat (IntNet,any) source static IntIP IntIP destination static VPNIP VPNIP no-proxy-arp inactive
nat (IntNet,ExtNet) source static IntIP IntIP destination static VPNIP VPNIP
access-group ExtNet_access_in in interface ExtNet
access-group IntNet_access_in in interface IntNet
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 444
http 172.23.45.0 255.255.255.0 IntNet
http redirect IntNet 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 172.23.45.0 255.255.255.0 IntNet
ssh timeout 5
console timeout 0
dhcpd auto_config ExtNet
!
dhcpd address 172.23.45.35-172.23.45.50 IntNet
dhcpd dns 208.67.222.222 208.67.220.220 interface IntNet
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable ExtNet
enable IntNet
anyconnect image disk0:/anyconnect-linux-3.1.05178-k9.pkg 1
anyconnect enable
group-policy DfltGrpPolicy attributes
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value default.domain.invalid
address-pools value ScopeDHCP
group-policy AnyConnectAccessPolicy internal
group-policy AnyConnectAccessPolicy attributes
wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value default.domain.invalid
address-pools value ScopeDHCP
tunnel-group DefaultRAGroup general-attributes
address-pool ScopeDHCP
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool ScopeDHCP
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
default-group-policy AnyConnectAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2ecff6c94f746f7254aa4ed3e267758d
: end
08-22-2014 10:31 AM
Hi,
Remove the following NAT statements:
no nat (ExtNet,ExtNet) source dynamic VPNIP interface
no nat (IntNet,any) source static IntIP IntIP destination static VPNIP VPNIP no-proxy-arp
The final NAT configuration should contain only these two statements:
nat (IntNet,ExtNet) source dynamic any interface ( PAT for internal Network )
nat (IntNet,ExtNet) source static IntIP IntIP destination static VPNIP VPNIP ( No NAT for VPN Subnet )
HTH
Sandy
08-22-2014 03:42 PM
Nope, still not working. I even did a clear xlate after I changed the NAT.
Current NAT config:
Result of the command: "sh run nat"
nat (IntNet,ExtNet) source dynamic any interface
nat (IntNet,ExtNet) source static IntIP IntIP destination static VPNIP VPNIP
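An ASA 9.0 configuration fragment for the topology in this thread (AnyConnect pool 172.23.46.0/24 terminating on ExtNet, LAN 172.23.45.0/24 on IntNet, split-tunnel-policy tunnelall), together with the checks a practitioner would run, added here as an example and not part of any post above. Interface, object and tunnel-group names are taken from the posted config; the LAN and pool host addresses used in the packet-tracer line (172.23.45.10, 172.23.46.200) are assumed. Two points it illustrates: section 1 (manual) NAT rules are matched top-down with first match winning, so the identity rule for LAN-to-pool traffic must sit above a `source dynamic any interface` PAT rule, which would otherwise claim that traffic; and, with tunnelall, the hairpin rule the original poster asked about is in fact required for clients to reach the Internet, so it should stay.

```cisco
! Objects for the two networks (names as in the thread)
object network IntIP
 subnet 172.23.45.0 255.255.255.0
object network VPNIP
 subnet 172.23.46.0 255.255.255.0
!
! Section 1 NAT is evaluated in order; the first matching rule wins.
! Line 1 pins the identity (no-NAT) rule above the PAT rule so that
! LAN <-> VPN-pool traffic is never translated to the ExtNet address.
! route-lookup makes the ASA route the return traffic instead of
! trusting the NAT rule's egress interface.
nat (IntNet,ExtNet) 1 source static IntIP IntIP destination static VPNIP VPNIP no-proxy-arp route-lookup
!
! Internet PAT for the LAN (scoped to the LAN object rather than "any")
nat (IntNet,ExtNet) source dynamic IntIP interface
!
! Hairpin PAT: tunnelall clients arrive on ExtNet and must leave on
! ExtNet again to reach the Internet, so intra-interface traffic and a
! same-interface PAT rule are both needed.
same-security-traffic permit intra-interface
nat (ExtNet,ExtNet) source dynamic VPNIP interface
!
! Default on ASA, so it does not appear in "show run": decrypted VPN
! traffic bypasses the interface ACLs. If it has been disabled, the
! "deny ip any4 any4" in ExtNet_access_in drops every pool packet.
sysopt connection permit-vpn
!
! Make the AnyConnect tunnel-group selectable by the client. Without a
! group-alias or group-url the client lands in DefaultWEBVPNGroup, whose
! DfltGrpPolicy in this thread allows only ikev1 and l2tp-ipsec.
webvpn
 tunnel-group-list enable
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
!
! Checks (run from the ASA CLI; host addresses are assumed):
! show nat detail                  - rule order, translation, hit counts
! show vpn-sessiondb anyconnect    - which tunnel-group/group-policy applied
! show conn address 172.23.46.200  - whether connections to the pool exist
! packet-tracer input IntNet icmp 172.23.45.10 8 0 172.23.46.200 detailed
```

In the packet-tracer output the NAT phase should cite the identity rule with the source and destination left untranslated and the final result ALLOW; if the phase cites the dynamic PAT rule instead, the identity rule is ordered below it. The trace is only meaningful from the IntNet side on this release, because a plaintext packet injected on ExtNet is not run through VPN decryption and will hit the ExtNet ACL deny.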