VPN tunnel into Cisco ASA via static NAT from router???

I have a client with a Layered Cisco network solution.   Their Cisco router is public facing and provides a private IP address to the Cisco ASA behind it.
I need to be able to create a VPN tunnel into the ASA.  There are public IP addresses available to be statically NAT'ed to the ASA, one has been selected by the IT person on site and has been translated to an IP address in the network of the ASA but NOT the IP address of the interface connecting the ASA to the Router.
I've configured the VPN on both the ASA and the other end point (a Linksys RV042) and can see both devices attempting to bring up phase one of the tunnel.  The RV042 is complaining about using Main Mode and the ASA seems to be complaining about the network I've set as the local network.

Behind the ASA are multiple additional networks which have static routes back through the ASA into the router.  

I guess my initial question is if it's even possible to NAT a VPN tunnel in this manner.  The IT person on site doesn't seem particularly interested in statically NAT'ing to the interface IP but I suspect this is going to be necessary to bring the tunnel up.

My follow-on questions relate to which network on the ASA side to specify as local (IP network of the ASA on the internal side or the one NAT'ed network that I need traffic to pass into) and what ports to allow into the ASA from the static map (I'm currently allowing ESP, ISAKMP and 4500).

Help appreciated.  I can post a sanitized version of the router and ASA configs if they'll be helpful.
winningtech asked:

lrmoore commented:
Hate to say it, but this is ugly....
Bottom line - contact the ISP and get them to give you a /30 ip subnet for the WAN interface so that you can apply your 65.x.x.x/28 subnet to the LAN interface and directly on the ASA outside interface.

ip access-list extended sdm_fastethernet0/0_in
 remark SDM_ACL Category=1
 remark 1
 permit ip any any  <==

Anytime an acl is simply permit ip any any, then DO NOT apply it to an interface. ONLY apply acls when you want to restrict traffic to anything other than ip any any.
Remove all acls from both interfaces, except this one:
 interface Serial0/1/0
 description $ES_WAN$$FW_OUTSIDE$
 ip address 65.x.x.x 255.255.255.248
 ip access-group sdm_serial0/1/0_in in  <== OK to keep this one

>ip nat inside source static 10.254.254.2 67.x.x.x extendable

But, you have to change the acl:
ip access-list extended sdm_serial0/1/0_in
 remark SDM_ACL Category=1
 permit tcp any host 65.46.28.214 eq www
 permit tcp any host 65.46.28.214 eq smtp
 permit tcp any host 65.46.28.214 eq 3389
 remark 2
 permit ip any any <== Remove! Very dangerous!
ADD:
 permit tcp any any established
 permit udp any eq domain any
 permit icmp any any eq echo-reply
 permit icmp any any eq unreachable
 permit icmp any any eq time-exceeded
 permit ip any host 67.x.x.x   <== this is the public IP natted for the outside ASA interface

ASA:
route Inside 10.0.2.0 255.255.255.0 10.254.253.2 1  <==
route Inside 10.0.10.0 255.255.255.0 10.254.253.2 2 <== this gateway can't be both 1 and 2 hops away. They should all be 1

>access-group Inside_access_in in interface Inside
remove this. All traffic outbound is permitted by default

pdabel commented:
To answer your first question, it is possible to run VPN tunnels on an ASA behind a static NAT.  

In order for the ASA to respond to the IPSEC traffic from the Linksys router, it needs to be associated with the private address in the NAT statement on the Cisco router.  As you suggested, the private address in the static NAT should be the ASA interface address.

When you say the local network on the ASA side, do you mean the network that you want encrypted?

When you assign a cryptomap to an interface, it listens for IPSEC traffic, you don't need to specifically allow that type of traffic in an access-list on the interface.

Hope this helps
winningtech (author) commented:
pdabel,

   Thanks for replying.  I'll try changing the static NAT map on the router so that it points to the IP address of the interface on the ASA which connects to the router.

   Inside the ASA there are several different internal networks.  I only need to encapsulate/encrypt one of them in the VPN tunnel.

   The IP networks look like this:

ASA - Router side:  10.254.254.x
ASA - LAN Side:  10.254.253.x
LAN:  10.0.0.x, 10.0.1.x, 10.0.2.x, 10.0.3.x
 
   Static routes in the ASA take care of routing the LAN network into the ASA LAN side.

    I only need the 10.0.0.x network to pass through the VPN tunnel.  Do I write the VPN ACL to allow traffic from 10.0.0.x to my remote end 10.50.50.x or from the ASA LAN side (10.254.253.x to 10.50.50.x)?

lrmoore commented:
>Do I write the VPN ACL to allow traffic from 10.0.0.x to my remote end 10.50.50.x
Yes

Sanitized version of config will be good.
winningtech (author) commented:
Sorry for the delay in replying.  So many projects this month, so little time to work on other things.

I think I'm making some progress on getting the tunnel up.  With a little help from Cisco the VPN tunnel will start to build, but the remote endpoint (a Linksys RV042) seems to see the traffic coming from the ASA as the IP address of its outside interface (private IP address) rather than the IP address which is statically NAT'ed at the router (public IP).

Am attaching the RV042's log, the Router config and the ASA config below.  The local IT gent received lots of help from Cisco with the ASA config.  That means I didn't write it and do not have a complete grasp on why it was written as it is.  It does work as intended for everything other than the VPN tunnel...

Linksys RV042's VPN Log:

Aug 16 13:53:06 2007     VPN Log    Ignoring Vendor ID payload Type = [Cisco-Unity]  
Aug 16 13:53:06 2007     VPN Log    Ignoring Vendor ID payload Type = [XAUTH]  
Aug 16 13:53:06 2007     VPN Log    Ignoring Vendor ID payload [60819f6505263398...]  
Aug 16 13:53:06 2007     VPN Log    Ignoring Vendor ID payload [1f07f70eaa6514d3...]  
Aug 16 13:53:06 2007     VPN Log    [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet  
Aug 16 13:53:07 2007     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet  
Aug 16 13:53:07 2007     VPN Log    Received Vendor ID payload Type = [Dead Peer Detection]  
Aug 16 13:53:07 2007     VPN Log    [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet  
Aug 16 13:53:07 2007     VPN Log    Main mode peer ID is ID_IPV4_ADDR: '10.254.254.2'  
Aug 16 13:53:07 2007     VPN Log    We require peer to have ID '67..x.x.x, but peer declares '10.254.254.2'  
Aug 16 13:53:09 2007     VPN Log    Initiating Main Mode  

Router config:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CERouter1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$p8rp$U6QUkzgK08JpT3DJn8BNW/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -7
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
ip domain name corbinselectric.local
!
username router_root privilege 15 secret 5 $1$wrMT$sZUtefpoAkqwm4gp2j30V/
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 10.254.254.1 255.255.255.0
 ip access-group sdm_fastethernet0/0_in in
 ip access-group sdm_fastethernet0/0_out out
 no ip redirects
 no ip unreachables
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/1/0
 description $ES_WAN$$FW_OUTSIDE$
 ip address 65.x.x.x 255.255.255.248
 ip access-group sdm_serial0/1/0_in in
 ip access-group sdm_serial0/1/0_out out
 no ip redirects
 no ip unreachables
 ip nat outside
 encapsulation ppp
 ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
ip route 10.0.0.0 255.255.255.0 10.254.254.2 2
ip route 10.0.0.220 255.255.255.255 10.254.254.2 2
ip route 10.0.1.0 255.255.255.0 10.254.254.2 2
ip route 10.0.2.0 255.255.255.0 10.254.254.2 2
ip route 10.0.3.0 255.255.255.0 10.254.254.2
ip route 10.0.10.0 255.255.255.0 10.254.254.2 3
ip route 10.0.11.0 255.255.255.0 10.254.254.2 3
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 5 interface Serial0/1/0 overload
ip nat inside source static 10.254.254.2 67.x.x.x extendable
ip nat inside source static 10.254.254.4 67.x.x.x
ip nat inside source static 10.254.254.3 67.x.x.x
!
ip access-list extended sdm_fastethernet0/0_in
 remark SDM_ACL Category=1
 remark 1
 permit ip any any
ip access-list extended sdm_fastethernet0/0_out
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended sdm_serial0/1/0_in
 remark SDM_ACL Category=1
 permit tcp any host 65.46.28.214 eq www
 permit tcp any host 65.46.28.214 eq smtp
 permit tcp any host 65.46.28.214 eq 3389
 remark 2
 permit ip any any
ip access-list extended sdm_serial0/1/0_out
 remark SDM_ACL Category=1
 permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.254.254.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 10.0.0.0 0.0.255.255
access-list 4 remark SDM_ACL Category=2
access-list 4 permit 10.0.3.0 0.0.0.255
access-list 4 permit 10.0.10.0 0.0.0.255
access-list 4 permit 10.0.0.0 0.0.0.255
access-list 5 permit 10.254.254.2
access-list 5 remark SDM_ACL Category=2
access-list 5 permit 10.0.3.0 0.0.0.255
access-list 5 permit 10.0.0.0 0.0.0.255
access-list 5 permit 10.0.10.0 0.0.0.255
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
end

CERouter1#


The ASA's config (sanitized)

ciscoasa# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name corbinselectric.local
names
dns-guard
!
interface Ethernet0/0
 description Outside Interface
 nameif Outside
 security-level 0
 ip address 10.254.254.2 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 90
 ip address 10.254.253.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.0.3.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone MST -7
dns server-group DefaultDNS
 domain-name corbinselectric.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service TeleworkerPhones udp
 description Teleworker ports.
 port-object range 20000 23000
 port-object range 3999 3999
 port-object range 3300 3300
 port-object eq tftp
 port-object range 1024 65535
object-group service TeleworkerPhonesTCP tcp
 port-object eq 2114
 port-object eq 2116
 port-object eq 3300
 port-object eq 35000
 port-object eq 37000
 port-object eq https
 port-object eq ssh
 port-object range 6801 6802
object-group service Ports tcp
 description Ports
 port-object range 1 1024
access-list Inside-Default_access_out_V1 extended permit ip any any
access-list Inside-Default_access_out extended permit ip any any
access-list Outside_access_in extended permit tcp any host 10.254.254.2 eq www
access-list Outside_access_in extended permit tcp any host 10.254.254.2 eq smtp
access-list Outside_access_in extended permit tcp any host 10.254.254.2 eq 3389
access-list Outside_access_in extended permit tcp any host 10.254.254.3 eq citrix-ica
access-list Outside_access_in extended permit tcp any host 10.254.254.3 eq www
access-list Outside_access_in extended permit udp any object-group TeleworkerPhones host 10.254.254.4 object-group TeleworkerPhones
access-list Outside_access_in extended permit tcp any host 10.254.254.4 object-group TeleworkerPhonesTCP
access-list Outside_access_in extended permit udp any host 10.254.254.2 eq isakmp
access-list Outside_access_in extended permit esp any host 10.254.254.2
access-list Outside_access_in extended permit udp any host 10.254.254.2 eq 4500
access-list Outside_access_in extended permit tcp any any eq ssh
access-list Outside_access_in extended permit tcp any host 10.254.254.3 eq 2598
access-list DMZ_access_in extended permit tcp host 10.0.3.2 any
access-list IPS extended permit ip any any
access-list Inside-Default_access_in extended permit ip any any
access-list DMZ_access_in_1 extended permit ip any any
access-list DMZ_access_out extended permit ip any any
access-list Inside-PhoneSubnet_access_in extended permit ip any any
access-list Inside-Default_access_in_1 extended permit ip any any
access-list Outside_access_out extended permit ip any any
access-list Inside-Default_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list Inside-Default_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list Inside-Default_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list Inside-Default_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list Inside-PhoneSubnet_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list Inside-PhoneSubnet_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list Inside-PhoneSubnet_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list Inside_access_in extended permit ip any any
access-list Inside_access_out extended permit ip any any
access-list ICMP_Traffic extended permit icmp any any
access-list Ouside_access_in extended permit tcp any host 10.254.254.4 object-group TeleworkerPhonesTCP
access-list management_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.50.50.0 255.255.255.0
access-list Outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.50.50.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
logging mail errors
logging from-address cisco@corbinselectric.com
logging recipient-address r.gruver@corbinselectric.com level alerts
mtu Outside 1500
mtu DMZ 1500
mtu management 1500
mtu Inside 1500
ip verify reverse-path interface Outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (management) 0 access-list management_nat0_outbound
static (Inside,Outside) tcp interface smtp 10.0.0.220 smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface 3389 10.0.0.212 3389 netmask 255.255.255.255
static (Inside,Outside) tcp interface www 10.0.0.220 www netmask 255.255.255.255
static (Inside,Outside) tcp 10.254.254.3 www 10.0.0.200 www netmask 255.255.255.255
static (Inside,Outside) tcp 10.254.254.3 citrix-ica 10.0.0.200 citrix-ica netmask 255.255.255.255
static (Inside,Outside) tcp 10.254.254.3 2598 10.0.0.200 2598 netmask 255.255.255.255
static (DMZ,Outside) 10.254.254.4 10.0.3.2 netmask 255.255.255.255
static (DMZ,Inside) 67.x.x.x 10.0.3.2 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group DMZ_access_in_1 in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group Inside_access_in in interface Inside
access-group Inside_access_out out interface Inside
route Outside 0.0.0.0 0.0.0.0 10.254.254.1 1
route Inside 10.0.0.0 255.255.255.0 10.254.253.2 1
route Inside 10.0.1.0 255.255.255.0 10.254.253.2 1
route Inside 10.0.2.0 255.255.255.0 10.254.253.2 1
route Inside 10.0.10.0 255.255.255.0 10.254.253.2 2
route Inside 10.0.11.0 255.255.255.0 10.254.253.2 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 20 match address Outside_20_cryptomap
crypto map Outside_map 20 set peer 207.119.95.19
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 set security-association lifetime seconds 86400
crypto map Outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group 207.x.x.x type ipsec-l2l
tunnel-group 207.x.x.x ipsec-attributes
 pre-shared-key *
telnet 192.168.1.0 255.255.255.0 management
telnet 10.0.0.0 255.255.255.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 60
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map IPS
 match any
!
!
policy-map IPS
 description IPS usage
 class IPS
  ips inline fail-open
!
service-policy IPS interface Outside
ntp server 10.0.0.212 prefer
smtp-server 10.0.0.220
prompt hostname context
Cryptochecksum:2423bcd863728483abb92cd72804415e
: end
ciscoasa# $
winningtech (author) commented:
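As an added example that is not part of this thread (not lrmoore's, pdabel's or Cisco's code), the script below runs three of the checks raised above over constructed excerpts of the posted router config, ASA routes and RV042 log: lrmoore's rule that an interface-bound ACL which is only "permit ip any any" (or which ends in one after specific permits, the "Very dangerous!" line) should be removed, his point that the ASA static routes reach the same next hop at two different distances, and the IKE main-mode ID mismatch the RV042 logged (peer expects the NAT'ed 67.x.x.x, the ASA declares its private 10.254.254.2). The excerpts keep the sanitised 65.x.x.x / 67.x.x.x addresses as posted; the function names and the finding labels "pointless" and "trailing-permit-any" are my own.

```python
import ipaddress
import re

# Constructed excerpts of the router config, ASA routes and RV042 log posted above
# (sanitised 65.x.x.x / 67.x.x.x addresses kept as they were posted).
ROUTER_CONFIG = """\
interface FastEthernet0/0
 ip address 10.254.254.1 255.255.255.0
 ip access-group sdm_fastethernet0/0_in in
 ip access-group sdm_fastethernet0/0_out out
 ip nat inside
!
interface Serial0/1/0
 ip address 65.x.x.x 255.255.255.248
 ip access-group sdm_serial0/1/0_in in
 ip access-group sdm_serial0/1/0_out out
 ip nat outside
!
ip access-list extended sdm_fastethernet0/0_in
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended sdm_fastethernet0/0_out
 permit ip any any
ip access-list extended sdm_serial0/1/0_in
 permit tcp any host 65.46.28.214 eq www
 permit tcp any host 65.46.28.214 eq smtp
 permit ip any any
ip access-list extended sdm_serial0/1/0_out
 permit ip any any
"""
ASA_ROUTES = """\
route Outside 0.0.0.0 0.0.0.0 10.254.254.1 1
route Inside 10.0.0.0 255.255.255.0 10.254.253.2 1
route Inside 10.0.2.0 255.255.255.0 10.254.253.2 1
route Inside 10.0.10.0 255.255.255.0 10.254.253.2 2
"""
RV042_LOG = """\
Aug 16 13:53:07 2007 VPN Log Main mode peer ID is ID_IPV4_ADDR: '10.254.254.2'
Aug 16 13:53:07 2007 VPN Log We require peer to have ID '67.x.x.x', but peer declares '10.254.254.2'
"""


def parse_acls(config):
    """Return {acl_name: [entries]} for each 'ip access-list' block, remarks dropped."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip access-list (?:extended|standard) (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and line.startswith(" "):
            entry = line.strip()
            if not entry.startswith("remark"):
                acls[current].append(entry)
        elif not line.startswith(" "):
            current = None  # '!' or any other top-level line ends the block
    return acls


def parse_bindings(config):
    """Return [(interface, acl, direction)] for every 'ip access-group' under an interface."""
    bindings, iface = [], None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"\s+ip access-group (\S+) (in|out)", line)
        if m and iface:
            bindings.append((iface, m.group(1), m.group(2)))
        elif not line.startswith(" "):
            iface = None
    return bindings


def find_permit_any_bindings(config):
    """Bound ACLs whose last entry is 'permit ip any any': either the whole ACL is just that
    ('pointless', unbind it) or specific permits are followed by it ('trailing-permit-any',
    the specific lines restrict nothing)."""
    acls = parse_acls(config)
    findings = []
    for iface, name, direction in parse_bindings(config):
        entries = acls.get(name, [])
        if entries and entries[-1] == "permit ip any any":
            kind = "pointless" if len(entries) == 1 else "trailing-permit-any"
            findings.append((iface, name, direction, kind))
    return findings


def inconsistent_route_distances(routes):
    """{(interface, next_hop): [distances]} for next hops given more than one distance."""
    seen = {}
    for line in routes.splitlines():
        m = re.match(r"route (\S+) (\S+) (\S+) (\S+) (\d+)", line)
        if m:
            seen.setdefault((m.group(1), m.group(4)), set()).add(int(m.group(5)))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


ID_MISMATCH = re.compile(r"We require peer to have ID '([^']+)', but peer declares '([^']+)'")


def ike_id_mismatch(log):
    """(expected_id, declared_id) from the RV042 main-mode log, or None if no mismatch logged."""
    for line in log.splitlines():
        m = ID_MISMATCH.search(line)
        if m:
            return m.group(1), m.group(2)
    return None


def declared_id_is_private(declared):
    """True when the declared IKE ID is an RFC1918 address, i.e. the un-NAT'ed interface IP."""
    try:
        return ipaddress.ip_address(declared).is_private
    except ValueError:  # sanitised placeholders such as 67.x.x.x
        return False


if __name__ == "__main__":
    for iface, acl, direction, kind in find_permit_any_bindings(ROUTER_CONFIG):
        print(f"{iface} {direction}: ACL {acl} is {kind}")
    for (iface, gw), dists in inconsistent_route_distances(ASA_ROUTES).items():
        print(f"ASA routes via {gw} on {iface} use distances {dists}; they should all be 1")
    ids = ike_id_mismatch(RV042_LOG)
    if ids and declared_id_is_private(ids[1]):
        print(f"IKE ID mismatch: peer expects {ids[0]}, ASA declares its private {ids[1]}")
```

Run against the real configs by pasting them into the three strings; the ID check is the quickest way to confirm, from the RV042 side alone, that the ASA is sending its 10.254.254.x interface address as its ISAKMP identity rather than the address the router NATs it to.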
lrmoore -

I agree, it's ugly and hard to parse through.  I'm the poor slob trying to get things to work with it though :)

If I understand you correctly you're suggesting obtaining an additional public IP range, applying it to the outside interface on the Router, apply the 65.x.x.x/28 subnet to the inside interface on the router and outside interface on the ASA?

This is the way I've done this in other locations and it works well.  Just want to be sure I'm understanding you correctly.

lrmoore commented:
Exactly. All you need is a /30 for the T1 interface
You could try using ip unnumbered on the serial and still put the 65.x.x.x on the LAN and ASA, but a dedicated IP is better. Unnumbered example:

interface serial 0/1/0
 no ip nat outside
 ip unnumbered fast 0/0
interface fast 0/0
 ip address 65.x.x.x 255.255.255.248
 no ip nat inside
winningtech (author) commented:
Gents,

   Thanks again.  I'm going to go ahead and award points to both respondents, a few more to lrmoore as his comments were more applicable to the situation.

   I'm not local to this client so am going to have to work out a time when he can be on site after hours with a laptop/cellular card so I can make the config changes remotely or arrange travel to the site (their dime).   It may be up to a week before I'll get this done but I'm confident that one of the solutions will work.

Thanks again!
lrmoore commented:
Thanks! Post back to let us know how you get on...