Solved

Need help setting up NAT through VPN tunnel

Posted on 2008-06-18
Last Modified: 2012-06-22
I've run across an issue where I suspect I need to NAT IP addresses through a VPN tunnel that uses a Cisco ASA-5510 on my side of the tunnel and ends on the consultant's side of the tunnel on a VPN 3000 concentrator.

Setting up the VPN tunnel is easy for me - I've done this before and have no problem with it. At issue is, the internal IP address we use on our internal network is the same as our consultants main headquarter network - it's aa.cc.4.0 to aa.cc.7.255 (255.255.252.0 mask).

I know you can do NAT to a physical interface of an ASA-5510, but can you use NAT to be applied to our internal subnet to a specific IP like 192.168.100.0 ? (or maybe 192.168.0.1) that then can be pushed through the VPN tunnel to the other side? If so, is there anything that the consultant needs to do with the NAT'ed IP address once it gets through the Concentrator? I don't believe they have to, just set an access rule to let that NAT'ed IP through.

We need this working so our people can access terminal server sessions on the consultant's network. All other sites are working, but here with this one site, I can implement the access-list rule to the tunnel since we have the IP conflict. Short of changing our subnet IP segment on our side, is there a solution?
Question by:mkupec
26 Comments
 
LVL 15

Assisted Solution

by:Voltz-dk
Voltz-dk earned 500 total points
ID: 21820799
You can either do a 1:1 NAT, so that you NAT aa.cc.4.0-aa.cc.7.255 into say 192.168.4.0-192.168.7.255, or you can do a PAT where you use 1 single address for it all.
In either case the consultant will have to setup his tunnel as if your network was indeed the NATed or PATed address(es).

With the PAT, traffic can only be initiated from your side though.  (I suppose it would be possible to do port forwards on this, just as with an Internet PAT but I haven't tried that.)

---

But you have another issue.  You can't access his network by their addresses, if those appear local to you.  So you also need to NAT those.  (Unless the consultant will).


Could you specify who needs to reach what, so it will be easier to make examples?
 

Author Comment

by:mkupec
ID: 21820893
Got to be bi-directional in that we need to access their Citrix Terminal Servers with the Citrix Client and they have to send printer reports back to printers on our network. What we're doing is using Team Approach from Target Software (http://www.targetsite.com/features.htm) which requires access back and forth between our clients and their software package. Reports and such get sent back through the tunnel to our printers.

Your first example with us using a 1:1 NAT seems to do what we need to do, but I just don't understand the details in how this is done via PIX commands.

Thanks for the help!
 

Author Comment

by:mkupec
ID: 21820963
Here's a bit of the PIX code from our site that does NOT need NAT.

At this site our internal IP address segment is aa.d.4.0 to 10.1.7.255 (255.255.252.0 mask). The inside interface on this PIX shows an aa.eee.5.1 IP because we internally route it to the aa.d.4.0 segment. At the site listed below, we do not have an internal router so the inside interface is the gateway for that network (i.e. the inside interface of the ASA-5510 is aa.cc.4.1). Hopefully I'm making sense here.

The site we're having issues is using an internal IP segment of aa.cc.4.0 to aa.cc.7.255 (255.255.252.0 mask)  At this site they have suggested we use 192.160.100.0 as the subnet with the NAT translation. I believe we can get away with using 192.168.0.0 to 192.168.3.255 and do a 1:1 NAT as you described.
: Saved
:
ASA Version 7.1(2) 
!
hostname CCVA-ASA
domain-name mydomain.com
enable password xxxxx encrypted
names
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address aa.126.aa.69 255.255.255.224 
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address aa.cc.4.1 255.255.252.0 
!
interface Ethernet0/2
 speed 100
 duplex full
 shutdown
 nameif voiplan
 security-level 90
 ip address aa.ddd.4.5 255.255.252.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd ptH2NfxurA.yL2mX encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name mydomain.com
 
access-list inside_to_outside extended permit ip any any 
access-list inside_to_outside extended permit icmp any any 
 
access-list acl_outside extended permit esp any any 
access-list acl_outside extended permit ah any any 
access-list acl_outside extended permit udp any any 
access-list acl_outside extended permit icmp any any echo 
access-list acl_outside extended permit icmp any any echo-reply 
 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.d.4.0 255.255.252.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.f.4.0 255.255.252.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.g.4.0 255.255.252.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.2.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.3.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.5.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.8.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.11.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.12.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.13.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.14.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.28.0 255.255.252.0 
access-list nonat extended permit ip any aa.cc.4.0 255.255.255.0 
 
access-list vpnwdc extended permit ip aa.cc.4.0 255.255.252.0 aa.b.4.0 255.255.252.0 
 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 aa.d.4.0 255.255.252.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.2.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.3.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.5.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.8.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.11.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.12.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.13.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.14.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.28.0 255.255.252.0 
 
access-list vpndal extended permit ip aa.cc.4.0 255.255.252.0 aa.g.4.0 255.255.252.0 
 
access-list targetvpn extended permit ip 192.168.100.0 255.255.252.0 aa.bbb.0.0 255.255.252.0 
 
pager lines 24
 
logging asdm informational
 
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu voiplan 1500
 
icmp permit any unreachable outside
icmp permit any echo-reply outside
asdm image disk0:/asdm-512.bin
no asdm history enable
 
arp timeout 14400
 
global (outside) 1 aa.aaa.23.70
 
nat (inside) 0 access-list nonat
nat (inside) 1 aa.cc.4.0 255.255.252.0
 
static (inside,outside) 192.168.100.0  access-list targetvpn 
 
access-group acl_outside in interface outside
access-group inside_to_outside in interface inside
 
route outside 0.0.0.0 0.0.0.0 xxx.xxx.23.65 1
 
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
 
aaa-server CCVA_Domain protocol nt
aaa-server CCVA_Domain host 10.13.5.1
 nt-auth-domain-controller 10.13.5.1
 
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
 
http server enable
http aa.c.4.0 255.255.255.255 inside
http aa.cc.4.0 255.255.252.0 inside
http 192.168.1.0 255.255.255.0 management
 
snmp-server host inside aa.cc.4.50 community usccccva
snmp-server location US 
snmp-server contact FName LName 703-555-1212
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
 
service resetinbound
service resetoutside
 
crypto ipsec transform-set ccva esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
 
crypto map vpnccva 10 match address vpnwdc
crypto map vpnccva 10 set peer xxx.3.xxx.10 
crypto map vpnccva 10 set transform-set ccva
 
crypto map vpnccva 30 match address vpnorl
crypto map vpnccva 30 set peer aa.240.aaa.150 
crypto map vpnccva 30 set transform-set ccva
 
crypto map vpnccva 50 match address vpndal
crypto map vpnccva 50 set peer bb.bbb.211.8 
crypto map vpnccva 50 set transform-set ccva
 
crypto map vpnccva 70 match address targetvpn
crypto map vpnccva 70 set peer cc.ccc.206.76 
crypto map vpnccva 70 set transform-set ccva
 
crypto map vpnccva 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpnccva interface outside
 
isakmp identity address 
isakmp enable outside
 
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
 
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 10
 
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 10
 
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CCVA_Domain
 dhcp-server aa.cc.5.10
 
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server aa.cc.5.1 master timeout 2 retry 2
 
tunnel-group xxx.3.xxx.10 type ipsec-l2l
tunnel-group xxx.3.xxx.10 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group aa.aaa.226.150 type ipsec-l2l
tunnel-group aa.aaa.226.150 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group bb.bbb.211.8 type ipsec-l2l
tunnel-group bb.bbb.211.8 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group yy.yyy.206.76 type ipsec-l2l
tunnel-group yy.yyy.206.76 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group-map enable rules
 
no vpn-addr-assign aaa
no vpn-addr-assign local
 
telnet aa.c.4.0 255.255.252.0 inside
telnet aa.cc.4.0 255.255.252.0 inside
telnet timeout 5
 
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
 
console timeout 60
 
dhcpd address 192.168.1.2-192.168.1.21 management
dhcpd dns ccc.ccc.3.65 ccc.ccc.2.65
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
ntp server 192.x.xx.41 source outside prefer
webvpn
 enable outside
 csd image disk0:/securedesktop-asa-3.1.1.45-k9.pkg
 svc image disk0:/sslclient-win-1.1.4.179-anyconnect.pkg 1
 svc enable
 url-list CCVA_VPN "CCVADC01" cifs://aa.cc.5.1 1
Cryptochecksum:7ddfa4ea235ba063a2af47836cfb1050
: end

 
LVL 15

Assisted Solution

by:Voltz-dk
Voltz-dk earned 500 total points
ID: 21821440
It wouldn't be too different than a regular setup, but as mentioned you'll have to NAT the other end too.

Because otherwise your machine would attempt local access.  Is the consultant range that you need to access exactly that same size?  aa.cc.4-7?  And what would it be fitting for you to NAT that into?
 

Author Comment

by:mkupec
ID: 21821591
Not sure what the consultant's range would be. I was under the impression we could nat 1:1 the aa.cc.4.0 to aa.cc.7.255 IP addresses to 192.168.100.0 to 192.168.103.255 but I'm confused as to how they would handle printing to our aa.cc.x.x printers back at our location. Their printing would be from Unix/Oracle machines so it would definitely be via IP.  

I know on their end they have a Cisco VPN3000 box. Not sure exact model, but that is what they will be using. If I can get the code set right for the 1:1 NAT translation on our side, maybe I can see what they need to do from their side, but for now, all I know is my tunnel ends on their side at a VPN3000 box and not sure what they do with the IP addresses I send them. I'll shoot them an email and see what they do with the working DC config (uses aa.b.1.x subnet) and how they would handle a 1:1 NAT range of 192.168.100.0 to 192.168.103.255 if I was to set that up.
 
LVL 15

Assisted Solution

by:Voltz-dk
Voltz-dk earned 500 total points
ID: 21821650
The problem is that if your machine has IP aa.cc.4.X, and you need to reach a machine at the consultant's end with aa.cc.4.Y, your machine will think it is local.
And truth is you MIGHT actually have a machine locally with aa.cc.4.Y - and your machine won't know it's being NATed later on, so that will have no effect on that.
Do you see the problem?  You can't ignore that part...

Likewise the consultant will have to print to 192.168.x.y - this will then be translated at your ASA into the proper aa.cc.x.y.
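The overlap problem Voltz-dk describes above (a host at aa.cc.4.X that wants to reach aa.cc.4.Y at the consultant ARPs for it locally, so the packet never reaches the ASA and no NAT rule there can help), written out as a small address-planning check. This is an added example, not code from the thread or from Cisco. 10.13.4.0/22, 10.51.0.0/22, 10.20.4.0/22 and 192.168.4.0/22 are placeholder ranges standing in for the anonymised aa.cc.4.0/22, the consultant's network, the voip LAN and the proposed mapped range; the management LAN 192.168.1.0/24 is taken from the posted config. It also checks the two things a 1:1 network static needs that the thread touches on: equal-sized real and mapped blocks, and a mapped range that does not collide with anything already in use on this side (the 192.168.0.0/22 alternative floated earlier would overlap that management LAN).

```python
"""Address planning for a site-to-site tunnel whose two ends use the same subnet.

Added example, not code from the thread. Placeholder ranges stand in for the
anonymised ones in the post: 10.13.4.0/22 plays aa.cc.4.0/22 and is used by BOTH
our LAN and the consultant's HQ; 10.51.0.0/22 is the network at their end we
actually need to reach; 192.168.4.0/22 is the 1:1 range we would present through
the tunnel. Nothing here talks to an ASA; it checks the plan before config is typed.
"""
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import Iterable, List, Union

Net = Union[str, IPv4Network]
Addr = Union[str, IPv4Address]


def _net(n: Net) -> IPv4Network:
    return n if isinstance(n, IPv4Network) else ip_network(n)


def _addr(a: Addr) -> IPv4Address:
    return a if isinstance(a, IPv4Address) else ip_address(a)


OUR_LAN = _net("10.13.4.0/22")
CONSULTANT_HQ = _net("10.13.4.0/22")      # same block at their HQ: the conflict
CONSULTANT_SVC = _net("10.51.0.0/22")     # their Citrix/Oracle side (placeholder)

# Ranges already in use on our side, of the kind visible in the posted config:
# the inside LAN, the management interface plus its DHCP pool, and the voip LAN.
IN_USE = [OUR_LAN, _net("192.168.1.0/24"), _net("10.20.4.0/22")]


def host_next_hop(host: Addr, host_net: Net, dst: Addr) -> str:
    """Decide what a host does with a packet to dst.

    If dst falls inside the host's own subnet it ARPs on the LAN and the packet never
    reaches the ASA, so no NAT rule on the ASA can help; otherwise the packet goes to
    the default gateway (the ASA's inside interface) and can be translated there.
    """
    host, host_net, dst = _addr(host), _net(host_net), _addr(dst)
    if host not in host_net:
        raise ValueError(f"{host} is not inside {host_net}")
    return "local-arp" if dst in host_net else "default-gateway"


def remote_nets_needing_translation(remote: Iterable[Net], ours: Iterable[Net]) -> List[IPv4Network]:
    """Remote networks our hosts could never reach by their real addresses."""
    ours = [_net(o) for o in ours]
    return [_net(r) for r in remote if any(_net(r).overlaps(o) for o in ours)]


def one_to_one_fits(real: Net, mapped: Net) -> bool:
    """A 1:1 network static needs equal-sized real and mapped blocks (same netmask)."""
    return _net(real).prefixlen == _net(mapped).prefixlen


def mapped_range_is_free(mapped: Net, in_use: Iterable[Net]) -> bool:
    """The mapped range must not collide with anything our side already routes,
    otherwise the translated addresses are as ambiguous as the real ones."""
    mapped = _net(mapped)
    return not any(mapped.overlaps(_net(n)) for n in in_use)


def plan(real: Net, mapped: Net, remote: Iterable[Net], in_use: Iterable[Net]) -> List[str]:
    """Problems with a proposed 1:1 NAT plan; an empty list means the plan is sound."""
    real, mapped = _net(real), _net(mapped)
    problems = []
    if not one_to_one_fits(real, mapped):
        problems.append(f"{real} and {mapped} differ in size; a 1:1 static needs the same mask")
    if not mapped_range_is_free(mapped, in_use):
        problems.append(f"mapped range {mapped} collides with a range already in use on our side")
    for r in remote_nets_needing_translation(remote, [real]):
        problems.append(f"remote {r} overlaps our {real}: hosts deliver locally, so it must "
                        f"be reached through a translated range the consultant provides")
    return problems


if __name__ == "__main__":
    # Our host talking to a consultant host that shares our subnet: the ASA never sees it.
    print(host_next_hop("10.13.4.10", OUR_LAN, "10.13.4.50"))
    # The thread's 192.168.4.0/22 plan, the 192.168.0.0/22 alternative the poster floated
    # (it collides with the management LAN), and a /24 that cannot map a /22 one-to-one.
    for mapped in ("192.168.4.0/22", "192.168.0.0/22", "192.168.100.0/24"):
        print(mapped, plan(OUR_LAN, mapped, [CONSULTANT_HQ, CONSULTANT_SVC], IN_USE))
```

`plan()` is meant to be run before touching the ASA: every string it returns is something the tunnel will silently fail on later, and none of them is visible from the ASA side once the config is in.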
 

Author Comment

by:mkupec
ID: 21821708
I don't believe they use the aa.cc.4.x within their local network - it's their corporate site that uses it, or has it within their IP segment. So if they send something to aa.cc.4.50 it will go to their corporate, but once we get this 1:1 NAT problem solved, if they do a 192.168.100.50 then it should resolve back to us as aa.cc.4.50.

Am I correct in this assumption?

I'm sending an email to them just to make sure. If so, just what statement do I need to add to do the 1:1 NAT?

Thanks again for your rapid responses & your time responding!!! I would have done this through my Cisco TAC account, but I'm really getting frustrated by the low caliber help I've gotten from them recently.
 
LVL 15

Assisted Solution

by:Voltz-dk
Voltz-dk earned 500 total points
ID: 21821777
Ok, but they must have some network that you need to reach.  Let's call it aa.c.1.0/24 then.

access-list polnat permit ip 10.13.4.0 255.255.252.0 10.1.1.0 255.255.255.0
static (inside,outside) 192.168.4.0 access-list polnat netmask 255.255.252.0

And you (of course) need to make certain you don't make a NAT exemption for this connection, as you'd normally do for VPNs.
 

Author Comment

by:mkupec
ID: 21823601
Don't believe I have NAT exempted for the connection.

If it's explicitly implied or it's not seen in the code snippet I posted, can you list the command to make sure that NAT isn't exempted from the VPN tunnel.

I'll also check the Cisco Docs for the ASA and see what it has to say about the NAT Exemption and how to change it.
 
LVL 15

Assisted Solution

by:Voltz-dk
Voltz-dk earned 500 total points
ID: 21823629
I don't know any of the addresses, of course, but the following is the configured NAT exemption for that device:

access-list nonat extended permit ip aa.c.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list nonat extended permit ip aa.c.4.0 255.255.252.0 aa.bb.1.0 255.255.255.0
nat (inside) 0 access-list nonat
 

Author Comment

by:mkupec
ID: 21823896
Damn! What an ID-10T I am!  Of course, the nonat permit statements - yes I'll add those when building the access list - I normally look at those as givens when doing access list entries. Was told when trained on PIX's that the "nonat permit" (now seems to be nonat extended permit) was required for every access list statement you create, just didn't realize I was actually enabling NAT over a VPN tunnel when entering these.

I'll give it a try this evening when everyone goes home and let you know how it works.

Thanks again for the help!
 
LVL 15

Assisted Solution

by:Voltz-dk
Voltz-dk earned 500 total points
ID: 21824107
Those are not as such enabling NAT, they are preventing it :)
But they do work as translations still.

But in this particular case (where you need NAT), you shouldn't have entries for the traffic in the nonat stuff.

In the configuration above they are needed, since they would otherwise be NATed into "global (outside) 1 xxx.3.xxx.20".  But as that is usually the case, I am just warning you not to create nonat entries for traffic that SHOULD be NATed :)  I hope it all makes sense..

Otherwise post the config you plan to use (when you have all the info), and I'll help you out.
 

Author Comment

by:mkupec
ID: 21825003
Will do.
BTW - I just found out that somehow the folks at Target have to be able to get back into our aa.cc.4.x subnet. Partly for printing to printers on that subnet and partly for accessing an Access database on a server in our aa.cc.4.x network. Problem is, they will be accessing IP segment 192.168.100.x since if they try aa.cc.4.x they will be accessing their own corporate network.

(Dang these classless IP's!)

The NAT on our end won't be able to reverse NAT IP addresses from their end will it?

That is, if they need to access a server at IP address aa.cc.4.5 from their side, then it should be able to originate a connection from 192.168.100.5 to that IP using our ASA's NAT statement to do the change.  Correct?
 
LVL 15

Assisted Solution

by:Voltz-dk
Voltz-dk earned 500 total points
ID: 21825055
If you from your side NAT aa.cc.4.5 into 192.168.100.5 via a static, it will be bi-directional.  So it will work fine for what you need.
To the consultant, 192.168.100 will be all there exists. (And it will be properly "untranslated" on your side).
 

Author Comment

by:mkupec
ID: 21827985
OK, here are the entries I used for this setup:


:
: Create Access-List entries
:

access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0

access-list nonat extended permit ip aa.c.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list nonat extended permit ip aa.c.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0


:
: this statement already in ASA
:
nat (inside) 0 access-list nonat


:
: Add Static Mapping
:
static (inside,outside) 192.168.4.0 access-list targetnat netmask 255.255.252.0


:
: Set Up Crypto Map
:
crypto map vpnccva 70 match address targetnat
crypto map vpnccva 70 set peer yy.yyy.206.76
crypto map vpnccva 70 set transform-set ccva


:
: Create Tunnel
:

tunnel-group yy.yyy.206.76 type ipsec-l2l
tunnel-group yy.yyy.206.76 ipsec-attributes
 pre-shared-key xcg13Aq22
 isakmp keepalive threshold 120 retry 10


Everything above was accepted except the static translation. The ASA kept coming back that the netmask was incorrect.  I tried 255.255.255.255, 255.255.255.0 and 255.255.252.0 and none worked.

So what did I miss?

:
: below is access list statement
:
access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0
 
:
: next to last two nonat statements below are for Target (aa.c.0.0 & aa.bb.0.0)
:
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.c.4.0 255.255.252.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.d.4.0 255.255.252.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.f.4.0 255.255.252.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.2.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.3.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.5.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.8.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.11.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.12.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.13.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.14.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.28.0 255.255.252.0 
access-list nonat extended permit ip aa.c.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list nonat extended permit ip aa.c.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0
access-list nonat extended permit ip any aa.cc.4.0 255.255.255.0 
 
.
.
.
 
icmp permit any unreachable outside
icmp permit any echo-reply outside
 
arp timeout 14400
 
global (outside) 1 zz.zzz.23.70
 
nat (inside) 0 access-list nonat
nat (inside) 1 aa.cc.4.0 255.255.252.0
 
access-group acl_outside in interface outside
access-group inside_to_outside in interface inside
 
route outside 0.0.0.0 0.0.0.0 zz.zzz.23.65 1
 
.
.
.
 
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
.
.
.
 
crypto ipsec transform-set ccva esp-3des esp-md5-hmac 
 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
 
crypto map vpnccva 10 match address vpnwdc
crypto map vpnccva 10 set peer xxx.3.xxx.10 
crypto map vpnccva 10 set transform-set ccva
 
crypto map vpnccva 30 match address vpnorl
crypto map vpnccva 30 set peer vv.vvv.226.150 
crypto map vpnccva 30 set transform-set ccva
 
crypto map vpnccva 50 match address vpndal
crypto map vpnccva 50 set peer aa.aaa.211.8 
crypto map vpnccva 50 set transform-set ccva
 
:
: Below is Crypto Maping to Target 
:
crypto map vpnccva 70 match address targetnat
crypto map vpnccva 70 set peer yy.yyy.206.76 
crypto map vpnccva 70 set transform-set ccva
 
crypto map vpnccva 65535 ipsec-isakmp dynamic outside_dyn_map
 
crypto map vpnccva interface outside
 
isakmp identity address 
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
 
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 10
 
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 10
 
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CCVA_Domain
 dhcp-server aa.cc.5.10
 
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server aa.cc.5.1 master timeout 2 retry 2
 
tunnel-group xxx.3.xxx.10 type ipsec-l2l
tunnel-group xxx.3.xxx.10 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group vv.vvv.226.150 type ipsec-l2l
tunnel-group vv.vvv.226.150 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group aa.aaa.211.8 type ipsec-l2l
tunnel-group aa.aaa.211.8 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
:
: Below is new VPN tunnel to Target
:
tunnel-group yy.yyy.206.76 type ipsec-l2l
tunnel-group yy.yyy.206.76 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group-map enable rules
 
no vpn-addr-assign aaa
no vpn-addr-assign local

 
LVL 15

Assisted Solution

by:Voltz-dk
Voltz-dk earned 500 total points
ID: 21829297
Are aa.c.0 & aa.bb.0 the networks at the consultant?

Yes, my bad.  You don't use netmask when you use access-list, the netmask is already in the access-list.  So just skip the netmask part.

You can't reuse the NAT access-list in the crypto config though.  Because the tunnel will have to be defined for the NATed traffic.

access-list targetvpn permit ip 192.168.4.0 255.255.252.0 10.1.0.0 255.255.252.0
access-list targetvpn permit ip 192.168.4.0 255.255.252.0 10.51.0.0 255.255.252.0

And then match that in the crypto config instead.
 

Author Comment

by:mkupec
ID: 21830755
OK, so would below be correct entries?

:
: Create Access-List entries
:

access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0

access-list targetvpn permit ip 192.168.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list targetvpn permit ip 192.168.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0

access-list nonat extended permit ip aa.c.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list nonat extended permit ip aa.c.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0


:
: this statement already in ASA
:
nat (inside) 0 access-list nonat


:
: Add Static Mapping
:
static (inside,outside) 192.168.4.0 access-list targetnat netmask 255.255.252.0


:
: Set Up Crypto Map
:
crypto map vpnccva 70 match address targetvpn
crypto map vpnccva 70 set peer yy.yyy.206.76
crypto map vpnccva 70 set transform-set ccva

 
LVL 15

Assisted Solution

by:Voltz-dk
Voltz-dk earned 500 total points
ID: 21831608
>static (inside,outside) 192.168.4.0 access-list targetnat netmask 255.255.252.0
This one should be without the netmask part.
<static (inside,outside) 192.168.4.0 access-list targetnat

>access-list nonat extended permit ip aa.c.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
>access-list nonat extended permit ip aa.c.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0
I can't see why you'd need these.. Do you have a aa.c.4.0 network at this site?  (I thought that was at another site..)
 

Author Comment

by:mkupec
ID: 21831817
Should have been:

access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0

And yes, I forgot to strip off the mask on the static.

I'll give the above a try (with changes just noted)  and see what happens.
 

Author Comment

by:mkupec
ID: 21831885
OK - here is what I tried applying:


:
: Create Access-List entries
:

access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0

access-list targetvpn permit ip 192.168.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list targetvpn permit ip 192.168.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0

access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0

:
: this statement already in ASA
:
nat (inside) 0 access-list nonat


:
: Add Static Mapping
:
static (inside,outside) 192.168.4.0 access-list targetnat

:
: Set Up Crypto Map
:
crypto map vpnccva 70 match address targetvpn
crypto map vpnccva 70 set peer yy.yyy.206.76
crypto map vpnccva 70 set transform-set ccva

:
: Create Tunnel
:

tunnel-group yy.yyy.206.76 type ipsec-l2l
tunnel-group yy.yyy.206.76 ipsec-attributes
 pre-shared-key xcg13Aq22
 isakmp keepalive threshold 120 retry 10


I get an error when I apply the last thing - the static statement.

Error is:

INFO: Global address overlaps with NAT exempt configuration

 
LVL 15

Assisted Solution

by:Voltz-dk
Voltz-dk earned 500 total points
ID: 21832148
You shouldn't include these 2:

access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.c.0.0 255.255.252.0
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0

And that is likely also the reason for the error you get.  You state you want it NATed into X, but also that it should bypass NAT.  Remove the latter (by removing those 2 access-lists above).
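The three rules this thread keeps circling, put into one small model: NAT exemption (nat 0 access-list) is evaluated before the static, so nonat lines for the same traffic shadow the policy static (Voltz-dk's point just above); a policy static is bi-directional, so the consultant can initiate to the mapped address and it is untranslated on the way in (ID 21825055); and the crypto-map ACL has to be written in the mapped addresses, not the real ones (ID 21829297). This is an added example, not the thread's or Cisco's code. It follows the NAT order Cisco documents for ASA 7.x (pre-8.3): nat 0 access-list, then static/policy static, then dynamic nat/global. Addresses are placeholders: 10.13.4.0/22 for aa.cc.4.0/22, 192.168.4.0/22 for the mapped range, 10.1.0.0/22 and 10.51.0.0/22 for the consultant's aa.c.0.0 and aa.bb.0.0, 10.1.4.0/22 for a branch reached through an un-NATed tunnel, 203.0.113.70 for the global PAT address. The `mapped_inside_exempt_source` check encodes my own reading of the "Global address overlaps with NAT exempt configuration" message (the static's mapped range falling inside a NAT-exempt source range); the thread does not confirm that reading, but under it the `permit ip any aa.cc.4.0 255.255.255.0` nonat line in the posted config would trip the message for every static on the box.

```python
"""Model of ASA 7.x (pre-8.3) NAT rule selection for policy NAT over a VPN, plus
the checks this thread keeps tripping over.

Added example, not the thread's own code. Addresses are placeholders for the
anonymised ranges in the post: 10.13.4.0/22 is our real LAN (aa.cc.4.0/22),
192.168.4.0/22 the mapped range, 10.1.0.0/22 and 10.51.0.0/22 the consultant's
networks, 10.1.4.0/22 another branch reached through an un-NATed tunnel.
Evaluation order modelled, as Cisco documents it for 7.x: NAT exemption
(nat 0 access-list) first, then static / policy static, then dynamic nat/global.
"""
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List, Optional, Sequence, Set, Tuple

Ace = Tuple[IPv4Network, IPv4Network]        # (source, destination) of one 'permit ip' line


def acl(*lines: Tuple[str, str]) -> List[Ace]:
    """Build an ACL from (src, dst) CIDR pairs; 'any' becomes 0.0.0.0/0."""
    cidr = lambda s: ip_network("0.0.0.0/0" if s == "any" else s)
    return [(cidr(s), cidr(d)) for s, d in lines]


def first_match(entries: Sequence[Ace], src: IPv4Address, dst: IPv4Address) -> Optional[Ace]:
    return next(((s, d) for s, d in entries if src in s and dst in d), None)


class PolicyStatic:
    """static (inside,outside) <mapped> access-list <acl>: 1:1 network NAT that only
    applies when (src, dst) matches the ACL; the mask is taken from the ACL source."""

    def __init__(self, mapped: str, entries: Sequence[Ace]):
        self.mapped = ip_network(mapped)
        self.entries = list(entries)
        for real, _ in self.entries:
            if real.prefixlen != self.mapped.prefixlen:
                raise ValueError(f"{real} and {self.mapped} must have the same netmask")

    def forward(self, src, dst) -> Optional[IPv4Address]:
        """inside->outside: translate src if the policy matches, keeping the host bits."""
        src, dst = ip_address(src), ip_address(dst)
        hit = first_match(self.entries, src, dst)
        if hit is None:
            return None
        return self.mapped[int(src) - int(hit[0].network_address)]

    def reverse(self, mapped_dst, remote_src) -> Optional[IPv4Address]:
        """outside->inside: the same static untranslates a mapped destination, so the
        consultant can initiate to 192.168.4.x and reach the real host behind it."""
        mapped_dst, remote_src = ip_address(mapped_dst), ip_address(remote_src)
        if mapped_dst not in self.mapped:
            return None
        offset = int(mapped_dst) - int(self.mapped.network_address)
        for real, remote in self.entries:
            if remote_src in remote:
                return real[offset]
        return None


def outbound(src, dst, nonat: Sequence[Ace], statics: Sequence[PolicyStatic],
             dynamic_nets: Sequence[IPv4Network], global_ip: str) -> Tuple[str, IPv4Address]:
    """Which rule handles an inside->outside packet, and what source leaves the ASA."""
    src, dst = ip_address(src), ip_address(dst)
    if first_match(nonat, src, dst):                  # 1. nat 0 access-list wins outright
        return ("exempt", src)
    for st in statics:                                # 2. static / policy static
        mapped = st.forward(src, dst)
        if mapped is not None:
            return ("static", mapped)
    if any(src in n for n in dynamic_nets):           # 3. nat (inside) 1 ... / global (outside) 1
        return ("dynamic-pat", ip_address(global_ip))
    return ("untranslated", src)


def exemption_shadows(nonat: Sequence[Ace], st: PolicyStatic) -> List[Tuple[Ace, Ace]]:
    """nonat lines that cover traffic the static's policy ACL also covers. Exemption is
    evaluated first, so for that traffic the static can never fire."""
    return [(n, e) for n in nonat for e in st.entries
            if n[0].overlaps(e[0]) and n[1].overlaps(e[1])]


def mapped_inside_exempt_source(nonat: Sequence[Ace], st: PolicyStatic) -> List[Ace]:
    """My reading (an assumption, not confirmed by the thread) of
    'INFO: Global address overlaps with NAT exempt configuration': the static's mapped
    range lies inside a source range that a nonat line exempts. A nonat line with
    source 'any' trips this for every static on the box."""
    return [n for n in nonat if n[0].overlaps(st.mapped)]


def crypto_acl_gaps(st: PolicyStatic, crypto: Sequence[Ace]) -> Set[Ace]:
    """The crypto-map ACL must describe the tunnel in MAPPED addresses (what the peer
    sees); return the (mapped, remote) pairs it is missing."""
    return {(st.mapped, remote) for _, remote in st.entries} - set(crypto)


# --- the thread's setup, with placeholder addresses ---------------------------------
NONAT_GOOD = acl(("10.13.4.0/22", "10.1.4.0/22"))                  # other branch, un-NATed tunnel
NONAT_WITH_ANY = NONAT_GOOD + acl(("any", "10.13.4.0/24"))          # the 'permit ip any ...' line
TARGETNAT = acl(("10.13.4.0/22", "10.1.0.0/22"), ("10.13.4.0/22", "10.51.0.0/22"))
TARGET = PolicyStatic("192.168.4.0/22", TARGETNAT)
TARGETVPN = acl(("192.168.4.0/22", "10.1.0.0/22"), ("192.168.4.0/22", "10.51.0.0/22"))
DYNAMIC = [ip_network("10.13.4.0/22")]
GLOBAL = "203.0.113.70"

if __name__ == "__main__":
    print(outbound("10.13.4.5", "10.51.0.9", NONAT_GOOD, [TARGET], DYNAMIC, GLOBAL))
    print(TARGET.reverse("192.168.4.5", "10.51.0.9"))
    bad = NONAT_GOOD + TARGETNAT            # the policy's own traffic added to nonat
    print(outbound("10.13.4.5", "10.51.0.9", bad, [TARGET], DYNAMIC, GLOBAL))
    print(exemption_shadows(bad, TARGET))
    print(mapped_inside_exempt_source(NONAT_WITH_ANY, TARGET))
    print(crypto_acl_gaps(TARGET, TARGETNAT))   # reusing the NAT ACL as the crypto ACL
```

Run it against a transcription of the real nonat, static and crypto ACLs before applying the static: `exemption_shadows` empty and `crypto_acl_gaps` empty is the state the last working config in this thread is aiming for.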
 

Author Comment

by:mkupec
ID: 21833570
OK attached is the complete ASA config as it stands.

Adding the static entry still generates the INFO message.

Can't currently ping one of the devices on the aa.bb.1.xxx subnet that I can get from two other sites.

Am I still missing something?
: Saved
:
ASA Version 7.1(2) 
!
hostname CCVA-ASA
domain-name mydomain.com
enable password xxxxx encrypted
names
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address aa.126.aa.69 255.255.255.224 
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address aa.cc.4.1 255.255.252.0 
!
interface Ethernet0/2
 speed 100
 duplex full
 shutdown
 nameif voiplan
 security-level 90
 ip address aa.ccc.4.5 255.255.252.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd ptH2NfxurA.yL2mX encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name mydomain.com
 
access-list inside_to_outside extended permit ip any any 
access-list inside_to_outside extended permit icmp any any 
 
access-list acl_outside extended permit esp any any 
access-list acl_outside extended permit ah any any 
access-list acl_outside extended permit udp any any 
access-list acl_outside extended permit icmp any any echo 
access-list acl_outside extended permit icmp any any echo-reply 
 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.c.4.0 255.255.252.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.d.4.0 255.255.252.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 aa.f.4.0 255.255.252.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.2.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.3.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.5.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.8.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.11.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.12.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.13.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.14.0 255.255.255.0 
access-list nonat extended permit ip aa.cc.4.0 255.255.252.0 www.vv.28.0 255.255.252.0 
access-list nonat extended permit ip any aa.cc.4.0 255.255.255.0 
 
access-list vpnwdc extended permit ip aa.cc.4.0 255.255.252.0 aa.c.4.0 255.255.252.0 
 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 aa.d.4.0 255.255.252.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.2.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.3.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.5.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.8.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.11.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.12.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.13.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.14.0 255.255.255.0 
access-list vpnorl extended permit ip aa.cc.4.0 255.255.252.0 www.vv.28.0 255.255.252.0 
 
access-list vpndal extended permit ip aa.cc.4.0 255.255.252.0 aa.f.4.0 255.255.252.0 
 
access-list targetvpn extended permit ip 192.168.100.0 255.255.252.0 aa.bb.0.0 255.255.252.0 
 
pager lines 24
 
logging asdm informational
 
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu voiplan 1500
 
icmp permit any unreachable outside
icmp permit any echo-reply outside
asdm image disk0:/asdm-512.bin
no asdm history enable
 
arp timeout 14400
 
global (outside) 1 aa.aaa.23.70
 
nat (inside) 0 access-list nonat
nat (inside) 1 aa.cc.4.0 255.255.252.0
 
static (inside,outside) 192.168.100.0  access-list targetvpn 
 
access-group acl_outside in interface outside
access-group inside_to_outside in interface inside
 
route outside 0.0.0.0 0.0.0.0 xx.xxx.23.65 1
 
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
 
aaa-server CCVA_Domain protocol nt
aaa-server CCVA_Domain host aa.cc.5.1
 nt-auth-domain-controller aa.cc.5.1
 
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  svc enable
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
 
http server enable
http aa.c.4.0 255.255.255.255 inside
http aa.cc.4.0 255.255.252.0 inside
http 192.168.1.0 255.255.255.0 management
 
snmp-server host inside aa.cc.4.50 community usccccva
snmp-server location US 
snmp-server contact FName LName 703-555-1212
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
 
service resetinbound
service resetoutside
 
crypto ipsec transform-set ccva esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
 
crypto map vpnccva 10 match address vpnwdc
crypto map vpnccva 10 set peer xxx.3.xxx.10 
crypto map vpnccva 10 set transform-set ccva
 
crypto map vpnccva 30 match address vpnorl
crypto map vpnccva 30 set peer aa.240.aaa.150 
crypto map vpnccva 30 set transform-set ccva
 
crypto map vpnccva 50 match address vpndal
crypto map vpnccva 50 set peer bb.bbb.211.8 
crypto map vpnccva 50 set transform-set ccva
 
crypto map vpnccva 70 match address targetvpn
crypto map vpnccva 70 set peer cc.ccc.206.76 
crypto map vpnccva 70 set transform-set ccva
 
crypto map vpnccva 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpnccva interface outside
 
isakmp identity address 
isakmp enable outside
 
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
 
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 10
 
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 10
 
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CCVA_Domain
 dhcp-server aa.cc.5.10
 
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server aa.cc.5.1 master timeout 2 retry 2
 
tunnel-group xxx.3.xxx.10 type ipsec-l2l
tunnel-group xxx.3.xxx.10 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group aa.aaa.226.150 type ipsec-l2l
tunnel-group aa.aaa.226.150 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group bb.bbb.211.8 type ipsec-l2l
tunnel-group bb.bbb.211.8 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group yy.yyy.206.76 type ipsec-l2l
tunnel-group yy.yyy.206.76 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
 
tunnel-group-map enable rules
 
no vpn-addr-assign aaa
no vpn-addr-assign local
 
telnet aa.c.4.0 255.255.252.0 inside
telnet aa.cc.4.0 255.255.252.0 inside
telnet timeout 5
 
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
 
console timeout 60
 
dhcpd address 192.168.1.2-192.168.1.21 management
dhcpd dns ccc.ccc.3.65 ccc.ccc.2.65
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
ntp server 192.x.xx.41 source outside prefer
webvpn
 enable outside
 csd image disk0:/securedesktop-asa-3.1.1.45-k9.pkg
 svc image disk0:/sslclient-win-1.1.4.179-anyconnect.pkg 1
 svc enable
 url-list CCVA_VPN "CCVADC01" cifs://10.13.5.1 1
Cryptochecksum:7ddfa4ea235ba063a2af47836cfb1050
: end


0
 
LVL 15

Assisted Solution

by:Voltz-dk
Voltz-dk earned 500 total points
ID: 21833736
Now you have re-used the same access-list again, just the other way around.  You can't reuse here.  You MUST have 2 access-lists.

no static (inside,outside) 192.168.100.0  access-list targetvpn
access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.bb.0.0 255.255.252.0
static (inside,outside) 192.168.100.0  access-list targetnat

---

But in order for it to work completely, the remote end must have been setup to tunnel 192.168.100.0 255.255.252.0 - do you know if they did that?

You can verify the NAT part though, after making the changes above..

debug icmp trace
(Now you try to ping from a machine to some aa.bb.1.x address, and you should see the results on the ASA terminal)
no debug all
0
 

Author Comment

by:mkupec
ID: 21833832
OK - NOW I See where I'm screwing up.

So this is what I'll have:

access-list targetvpn permit ip 192.168.4.0 255.255.252.0 aa.bb.1.0 255.255.255.0

access-list targetnat permit ip aa.cc.4.0 255.255.252.0 aa.bb.1.0 255.255.255.0

static (inside,outside) 192.168.100.0  access-list targetnat

with first access-list associated to the VPN tunnel and second one associated to the NAT

Did that and I can now ping aa.bb.1.136!

BTW: I found out that the aa.bb.0.0 really should have been aa.bb.1.0 so I changed that as you see above.

Now I see how both access-lists and the NAT are associated with each other.

FWIW: when adding the above, I still get the message:

INFO: Global address overlaps with NAT exempt configuration

It's an INFO message from the ASA and not an error. Everything else still seems to work so I'm not worried about it.


0
 
LVL 15

Assisted Solution

by:Voltz-dk
Voltz-dk earned 500 total points
ID: 21833909
You have used 192.168.4 in the access-list, but 192.168.100 in the static - those should of course match.  But since you say it's working, I assume they are matching in the config, and only a typo here in the post.

It's not uncommon to have the ASA warn about overlaps when working with various types of NAT, they can usually be ignored.  I do wonder why it claims it's with the NAT exemption though.  Perhaps it's this one:

access-list nonat extended permit ip any aa.cc.4.0 255.255.255.0

Which I wonder what use it serves.  Initially I thought it was for dynamic VPN, but I can't see any VPN pools in the config.
0
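The two comments above come down to one rule: the policy-NAT access-list matches the *real* inside addresses, the crypto-map access-list matches the *translated* ones, and the mapped base in the `static` must line up with the source of the crypto ACL. The following is an added example, not code from the thread or from Cisco: a small Python model of pre-8.3 ASA NAT order (NAT exemption first, then policy statics, then the crypto map evaluated on the post-NAT packet) that can be pointed at a few config lines to show whether a given flow would be translated and whether it would then hit the tunnel ACL. The addresses are constructed stand-ins for the masked ones in the thread (10.0.4.0/22 plays aa.cc.4.0/22, 10.9.1.0/24 plays aa.bb.1.0/24); the three config snippets reproduce the self-referencing static from the original post, the 192.168.4.0 vs 192.168.100.0 mismatch in the comment above, and the corrected pair of lists.

```python
"""Model ASA (pre-8.3 syntax) policy static NAT + crypto-map ACL matching.
Added example for this thread, not Cisco code.  Addresses are constructed:
10.0.4.0/22 stands in for aa.cc.4.0/22, 10.9.1.0/24 for aa.bb.1.0/24."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One 'permit ip SRC MASK DST MASK' entry of an ASA access-list."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


def _take_net(args: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Consume one ACL address spec ('any', 'host X', or 'X MASK')."""
    if args[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if args[i] == "host":
        return IPv4Network(args[i + 1] + "/32"), i + 2
    # ASA ACLs use dotted netmasks, which ipaddress accepts as 'addr/netmask'.
    return IPv4Network(f"{args[i]}/{args[i + 1]}", strict=False), i + 2


@dataclass
class AsaNatModel:
    acls: Dict[str, List[Ace]] = field(default_factory=dict)
    exempt_acl: Optional[str] = None                        # nat (inside) 0 access-list NAME
    statics: List[Tuple[IPv4Address, str]] = field(default_factory=list)  # (mapped base, ACL)
    crypto: Dict[int, str] = field(default_factory=dict)     # crypto map seq -> match ACL

    def load(self, config: str) -> "AsaNatModel":
        for raw in config.splitlines():
            tok = raw.split()
            if not tok:
                continue
            if tok[0] == "access-list":
                rest = [t for t in tok[2:] if t != "extended"]
                if rest[:2] != ["permit", "ip"]:
                    continue                     # only 'permit ip' entries are modelled
                src, i = _take_net(rest, 2)
                dst, _ = _take_net(rest, i)
                self.acls.setdefault(tok[1], []).append(Ace(src, dst))
            elif tok[0] == "nat" and len(tok) >= 5 and tok[2] == "0" and tok[3] == "access-list":
                self.exempt_acl = tok[4]
            elif tok[0] == "static" and len(tok) >= 5 and tok[3] == "access-list":
                self.statics.append((IPv4Address(tok[2]), tok[4]))
            elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
                self.crypto[int(tok[3])] = tok[6]
        return self

    def translate(self, src: IPv4Address, dst: IPv4Address) -> Tuple[IPv4Address, str]:
        """NAT exemption wins over statics; policy statics are first-match."""
        if self.exempt_acl and any(a.matches(src, dst) for a in self.acls.get(self.exempt_acl, [])):
            return src, "nat-exempt"
        for mapped_base, name in self.statics:
            for ace in self.acls.get(name, []):
                if ace.matches(src, dst):
                    # 1:1 policy static: the host offset inside the real network is kept.
                    offset = int(src) - int(ace.src.network_address)
                    return IPv4Address(int(mapped_base) + offset), f"static/{name}"
        return src, "untranslated"

    def tunnel_for(self, src: IPv4Address, dst: IPv4Address) -> Optional[str]:
        """Crypto map entries are tried in sequence order against the post-NAT packet."""
        for seq in sorted(self.crypto):
            if any(a.matches(src, dst) for a in self.acls.get(self.crypto[seq], [])):
                return self.crypto[seq]
        return None


def check_flow(config: str, src: str, dst: str) -> Tuple[str, str, Optional[str]]:
    """Return (translated source, how it was translated, matching crypto ACL or None)."""
    model = AsaNatModel().load(config)
    xlated, how = model.translate(IPv4Address(src), IPv4Address(dst))
    return str(xlated), how, model.tunnel_for(xlated, IPv4Address(dst))


COMMON = """
access-list nonat extended permit ip any 10.0.4.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map vpnccva 70 match address targetvpn
"""
# Original post: the same list used for the static and the crypto map.
SELF_REFERENCING = COMMON + """
access-list targetvpn permit ip 192.168.100.0 255.255.252.0 10.9.1.0 255.255.255.0
static (inside,outside) 192.168.100.0 access-list targetvpn
"""
# Comment above: two lists, but crypto ACL source does not match the static's mapped base.
MISMATCHED = COMMON + """
access-list targetvpn permit ip 192.168.4.0 255.255.252.0 10.9.1.0 255.255.255.0
access-list targetnat permit ip 10.0.4.0 255.255.252.0 10.9.1.0 255.255.255.0
static (inside,outside) 192.168.100.0 access-list targetnat
"""
CORRECTED = MISMATCHED.replace("192.168.4.0 255.255.252.0", "192.168.100.0 255.255.252.0")

if __name__ == "__main__":
    for label, cfg in (("self-referencing", SELF_REFERENCING), ("mismatched", MISMATCHED), ("corrected", CORRECTED)):
        print(label, check_flow(cfg, "10.0.5.20", "10.9.1.136"))
```

Running the block walks one constructed flow (10.0.5.20 to 10.9.1.136) through each variant: the self-referencing config leaves the packet untranslated and no crypto ACL matches, the mismatched one translates to 192.168.101.20 but the tunnel ACL still misses because it names 192.168.4.0/22, and only the corrected pair both translates and selects `targetvpn`. This is the same thing the `debug icmp trace` check above shows on the box, done offline before touching the running config.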
 

Accepted Solution

by:
mkupec earned 0 total points
ID: 21833934
OK - looks like all is playing well.

I've got access lists working for their aa.c.0.0 and aa.bb.1.0 subnets and I can ping devices on that end.

Letting them check everything from their side but it looks like all is OK.

Thanks again from a dense knucklehead that kept mixing things up!  

Nice thing is - I did learn something else new with the ASA/PIX that before I didn't know.

Have a great weekend!
0
