Solved

Multi-Site L2L, RA set up needs new NAT'd L2L (Overlapping Networks)

Posted on 2008-11-17
Last Modified: 2012-05-06
Cisco ASA 5510 needs a 4th L2L config, but the exiting traffic from my LAN needs to be NAT'd, since the network on the other end is similar, and overlaps. I've read a couple of articles at Cisco that relate to this, but am a bit confused.

My configuration is in the code snippet below (addresses are real, but not mine ;P).

I think I need to add something similar to this, assuming the other site's WAN address is 1.2.3.4, my internal net is 10.10.10.0/24 and their internal net is 10.128.0.0 255.0.0.0:

access-list new extended permit ip 172.18.1.0 255.255.255.0 10.128.0.0 255.0.0.0
access-list new-nat extended permit ip 10.10.10.0 255.255.255.0 10.128.0.0 255.0.0.0
static (inside,outside) 172.18.1.0  access-list new-nat
global (outside) 2 172.19.1.1
nat (inside) 2 access-list new
crypto map mymap 50 match address new
crypto map mymap 50 set peer 1.2.3.4
crypto map mymap 50 set transform-set myset
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
pre-shared-key *
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
interface Ethernet0/0
 description Internet Interface
 nameif outside
 security-level 0
 ip address 69.129.2.146 255.255.255.252 
 ospf cost 10
!
interface Ethernet0/1
 description IBS Lan Interface
 nameif inside
 security-level 100
 ip address 10.10.10.5 255.255.255.0 
 ospf cost 10
!
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 199.2.67.0 255.255.255.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.128.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.129.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.130.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.131.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.132.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.133.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.134.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.135.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.136.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.137.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.138.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.139.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.140.0.0 255.255.0.0 
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 199.2.67.0 255.255.255.0 
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.0.0.0 255.0.0.0 
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 172.23.16.0 255.255.255.0 
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.2.1.0 255.255.255.0 
access-list 110 extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list capin extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list capin extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list Staff_splitTunnelAcl extended permit ip 172.23.16.0 255.255.255.0 any 
access-list Staff_splitTunnelAcl extended permit ip 10.10.10.0 255.255.255.0 172.23.16.0 255.255.255.0 
access-list vendor_splitTunnelAcl extended permit ip 10.10.11.0 255.255.255.0 any 
access-list vendor_splitTunnelAcl extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0 
access-list outside_40_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.2.0.0 255.255.0.0 
ip local pool michigan 10.10.11.60-10.10.11.110 mask 255.255.255.0
ip local pool Staff 172.23.16.1-172.23.16.19 mask 255.255.255.0
ip verify reverse-path interface outside
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 69.129.2.145 1
crypto ipsec transform-set myset esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map dynmap 1 set transform-set myset
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 207.250.8.8 
crypto map mymap 10 set transform-set myset
crypto map mymap 20 match address 110
crypto map mymap 20 set peer 216.170.0.110 
crypto map mymap 20 set transform-set myset
crypto map mymap 40 match address outside_40_cryptomap
crypto map mymap 40 set peer 67.137.5.50 
crypto map mymap 40 set transform-set myset
crypto map mymap 10000 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
group-policy michigan internal
group-policy michigan attributes
 dns-server value 10.10.10.250 10.10.10.9
 vpn-access-hours none
 vpn-simultaneous-logins 50
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter value vendor_splitTunnelAcl
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vendor_splitTunnelAcl
 default-domain value mydom.local
group-policy Staff internal
group-policy Staff attributes
 vpn-access-hours none
 vpn-simultaneous-logins 20
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter value Staff_splitTunnelAcl
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelall
 split-tunnel-network-list value Staff_splitTunnelAcl
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold infinite
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 4
tunnel-group 207.250.8.8 type ipsec-l2l
tunnel-group 207.250.8.8 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold infinite
tunnel-group 216.170.0.110 type ipsec-l2l
tunnel-group 216.170.0.110 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold infinite
tunnel-group michigan type ipsec-ra
tunnel-group michigan general-attributes
 address-pool michigan
 default-group-policy michigan
tunnel-group michigan ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
tunnel-group Staff type ipsec-ra
tunnel-group Staff general-attributes
 address-pool Staff
 default-group-policy Staff
tunnel-group Staff ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
tunnel-group 67.137.5.50 type ipsec-l2l
tunnel-group 67.137.5.50 ipsec-attributes
 pre-shared-key *

Question by:jcroson
10 Comments
 
LVL 5

Accepted Solution

by:
wilsj earned 2000 total points
ID: 22979096
You are NATting twice; you can take that out. Your cryptos seem to be OK. Give one of these a try.

access-list new permit ip 172.18.1.0 255.255.255.0 10.128.0.0 255.0.0.0
access-list new-nat permit ip 10.10.10.0 255.255.255.0 10.128.0.0 255.0.0.0

global (outside) 2 172.18.1.1-172.18.1.254
nat (inside) 2 access-list new-nat

or

access-list new permit ip 172.18.1.0 255.255.255.0 10.128.0.0 255.0.0.0
access-list new-nat permit ip 10.10.10.0 255.255.255.0 10.128.0.0 255.0.0.0
static (inside,outside) 172.18.1.0 access-list new-nat
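To see why the translated source, not the real one, has to be what the crypto-map ACL matches, here is an added Python model (not from the thread, and not ASA code) that parses a constructed config in the accepted answer's static policy-NAT form, applies the 1:1 translation to a sample flow, and reports whether the post-NAT flow hits the crypto-map ACL. It reads the mask 255.0.0.0 on 10.128.0.0 as the /8 it actually denotes.

```python
import ipaddress
import re

# Constructed sample (not the poster's exact lines): static policy NAT as in the
# accepted answer, plus the crypto ACL that must see the translated source.
SAMPLE_CONFIG = """
access-list new extended permit ip 172.18.1.0 255.255.255.0 10.128.0.0 255.0.0.0
access-list new-nat extended permit ip 10.10.10.0 255.255.255.0 10.128.0.0 255.0.0.0
static (inside,outside) 172.18.1.0 access-list new-nat
crypto map mymap 50 match address new
"""

ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)")
STATIC_RE = re.compile(r"static \(\S+,\S+\) (\S+)\s+access-list (\S+)")
MATCH_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)")

def parse(config):
    """Collect ACL entries, static policy-NAT rules and crypto-map match ACLs."""
    acls, statics, crypto_acls = {}, [], []
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            # strict=False: 10.128.0.0 255.0.0.0 is really the whole 10.0.0.0/8
            acls.setdefault(name, []).append((ipaddress.ip_network(f"{s}/{sm}", strict=False),
                                              ipaddress.ip_network(f"{d}/{dm}", strict=False)))
        elif m := STATIC_RE.match(line):
            statics.append((ipaddress.ip_address(m.group(1)), m.group(2)))
        elif m := MATCH_RE.match(line):
            crypto_acls.append(m.group(1))
    return acls, statics, crypto_acls

def acl_matches(acls, name, src, dst):
    return any(src in s and dst in d for s, d in acls.get(name, []))

def translate(acls, statics, src, dst):
    """Static policy NAT: rewrite src 1:1 into the mapped block, keeping the host part."""
    for mapped_base, acl in statics:
        for real_net, dst_net in acls.get(acl, []):
            if src in real_net and dst in dst_net:
                return mapped_base + (int(src) - int(real_net.network_address))
    return src  # no policy rule hit: the packet leaves untranslated

def check_flow(config, src, dst):
    """Return (post-NAT source, whether that flow matches any crypto-map ACL)."""
    acls, statics, crypto_acls = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mapped = translate(acls, statics, src, dst)
    encrypted = any(acl_matches(acls, a, mapped, dst) for a in crypto_acls)
    return str(mapped), encrypted
```

Removing the static line from the sample shows the failure mode in the question: the flow leaves as 10.10.10.x, matches no crypto ACL and is never sent into the tunnel.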
 

Author Comment

by:jcroson
ID: 23131037
Thanks. I'm very close with your help, but still not there.

This is what I've been testing, but it doesn't seem to work. Here is the log error.

Group = x.x.x.2, IP = x.x.x.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Based on my reading, it's because the addresses used in the access-lists don't match my networks.

My problem is that my real network is currently being served via another tunnel. My working network is 10.10.10.0/24, with a gateway of 10.10.10.5/16 (I changed the gw mask to accommodate my test box). I'm trying to use a test host with an address of 10.10.11.161/16.

I can't seem to find a pairing for line two below (my test network) that the ASA will take, and I really need to test this tunnel before I tear the other down, or I'll be sleeping here till I make it work....
access-list MYCLIENT extended permit ip 192.168.14.0 255.255.255.0 10.140.0.0 255.255.0.0
access-list MYCLIENT-NAT extended permit ip 10.10.11.0 255.255.255.0 10.140.0.0 255.255.0.0
static (inside,outside) 192.168.14.0 access-list MYCLIENT-NAT
crypto map mymap 50 match address MYCLIENT
crypto map mymap 50 set transform-set myset
crypto map mymap 50 set peer x.x.x.2
tunnel-group 198.177.94.2 type ipsec-l2l
tunnel-group 198.177.94.2 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
 pre-shared-key MyCrazyKey
crypto isakmp policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

 

Author Comment

by:jcroson
ID: 23131088
*sigh* So much for trying to obfuscate my addresses.....
 
LVL 5

Expert Comment

by:wilsj
ID: 23131096
Please post your nat and global statements here.

All line 2 is saying is to take access-list MYCLIENT-NAT and NAT it to 192.168.14.0 when going to 10.140.0.0 255.255.0.0.
 
LVL 5

Expert Comment

by:wilsj
ID: 23131184
From what I see, you want to NAT your 10.10.10.0/24 network to 192.168.14.0/24 to go through the tunnel and communicate with 10.140.0.0 255.255.0.0. Is this correct?
 

Author Comment

by:jcroson
ID: 23131313
Yes, it is.
 

Author Comment

by:jcroson
ID: 23131336
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
 
LVL 5

Expert Comment

by:wilsj
ID: 23132158
OK, it looks right. Are you sure you have the correct peer IP address?
 
LVL 5

Expert Comment

by:wilsj
ID: 23132200
Also make sure all your Phase 2 cryptos match exactly what they have on their end.
 

Author Closing Comment

by:jcroson
ID: 31543651
Thanks for your help. After opening a TAC, Cisco found an additional statement for RA users whose network stepped on some of this L2L.

Your method of static(inside,outside) was the eventual one used, not the KB example, that I could never get working.

Thanks again!