Multi-Site L2L, RA set up needs new NAT'd L2L (Overlapping Networks)

Cisco ASA 5510 needs a 4th L2L config, but the exiting traffic from my LAN needs to be NAT'd, since the network on the other end is similar, and overlaps. I've read a couple of articles at Cisco that relate to this, but am a bit confused.

My configuration is in the code snippet below (addresses are real, but not mine ;P).

I think I need to add something similar to this, assuming the other site's WAN address is 1.2.3.4, my internal net is 10.10.10.0/24 and their internal net is 10.128.0.0 255.0.0.0:

access-list new extended permit ip 172.18.1.0 255.255.255.0 10.128.0.0 255.0.0.0
access-list new-nat extended permit ip 10.10.10.0 255.255.255.0 10.128.0.0 255.0.0.0
static (inside,outside) 172.18.1.0  access-list new-nat
global (outside) 2 172.19.1.1
nat (inside) 2 access-list new
crypto map mymap 50 match address new
crypto map mymap 50 set peer 1.2.3.4
crypto map mymap 50 set transform-set myset
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
pre-shared-key *
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

interface Ethernet0/0
 description Internet Interface
 nameif outside
 security-level 0
 ip address 69.129.2.146 255.255.255.252 
 ospf cost 10
!
interface Ethernet0/1
 description IBS Lan Interface
 nameif inside
 security-level 100
 ip address 10.10.10.5 255.255.255.0 
 ospf cost 10
!
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 199.2.67.0 255.255.255.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.128.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.129.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.130.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.131.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.132.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.133.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.134.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.135.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.136.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.137.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.138.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.139.0.0 255.255.0.0 
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.140.0.0 255.255.0.0 
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 199.2.67.0 255.255.255.0 
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.0.0.0 255.0.0.0 
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 172.23.16.0 255.255.255.0 
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.2.1.0 255.255.255.0 
access-list 110 extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list capin extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list capin extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list Staff_splitTunnelAcl extended permit ip 172.23.16.0 255.255.255.0 any 
access-list Staff_splitTunnelAcl extended permit ip 10.10.10.0 255.255.255.0 172.23.16.0 255.255.255.0 
access-list vendor_splitTunnelAcl extended permit ip 10.10.11.0 255.255.255.0 any 
access-list vendor_splitTunnelAcl extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0 
access-list outside_40_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.2.0.0 255.255.0.0 
ip local pool michigan 10.10.11.60-10.10.11.110 mask 255.255.255.0
ip local pool Staff 172.23.16.1-172.23.16.19 mask 255.255.255.0
ip verify reverse-path interface outside
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 69.129.2.145 1
crypto ipsec transform-set myset esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map dynmap 1 set transform-set myset
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 207.250.8.8 
crypto map mymap 10 set transform-set myset
crypto map mymap 20 match address 110
crypto map mymap 20 set peer 216.170.0.110 
crypto map mymap 20 set transform-set myset
crypto map mymap 40 match address outside_40_cryptomap
crypto map mymap 40 set peer 67.137.5.50 
crypto map mymap 40 set transform-set myset
crypto map mymap 10000 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
group-policy michigan internal
group-policy michigan attributes
 dns-server value 10.10.10.250 10.10.10.9
 vpn-access-hours none
 vpn-simultaneous-logins 50
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter value vendor_splitTunnelAcl
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vendor_splitTunnelAcl
 default-domain value mydom.local
group-policy Staff internal
group-policy Staff attributes
 vpn-access-hours none
 vpn-simultaneous-logins 20
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter value Staff_splitTunnelAcl
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelall
 split-tunnel-network-list value Staff_splitTunnelAcl
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold infinite
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 4
tunnel-group 207.250.8.8 type ipsec-l2l
tunnel-group 207.250.8.8 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold infinite
tunnel-group 216.170.0.110 type ipsec-l2l
tunnel-group 216.170.0.110 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold infinite
tunnel-group michigan type ipsec-ra
tunnel-group michigan general-attributes
 address-pool michigan
 default-group-policy michigan
tunnel-group michigan ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
tunnel-group Staff type ipsec-ra
tunnel-group Staff general-attributes
 address-pool Staff
 default-group-policy Staff
tunnel-group Staff ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
tunnel-group 67.137.5.50 type ipsec-l2l
tunnel-group 67.137.5.50 ipsec-attributes
 pre-shared-key *

Asked by: jcroson

wilsj commented:
You are NATting twice; you can take that out. Your cryptos seem to be OK. Give one of these a try.

access-list new permit ip 172.18.1.0 255.255.255.0 10.128.0.0 255.0.0.0
access-list new-nat permit ip 10.10.10.0 255.255.255.0 10.128.0.0 255.0.0.0

global (outside) 2 172.18.1.1-172.18.1.254
nat (inside) 2 access-list new-nat

or

access-list new permit ip 172.18.1.0 255.255.255.0 10.128.0.0 255.0.0.0
access-list new-nat permit ip 10.10.10.0 255.255.255.0 10.128.0.0 255.0.0.0
static (inside,outside) 172.18.1.0 access-list new-nat

jcroson (author) commented:
Thanks. I'm very close with your help, but still not there.

This is what I've been testing, but it doesn't seem to work. Here is the log error.

Group = x.x.x.2, IP = x.x.x.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Based on my reading, it's because the addresses used in the access-lists don't match my networks.

My problem is that my real network is currently being served via another tunnel. My working network is 10.10.10.0/24, with a gateway of 10.10.10.5/16 (I changed the gw mask to accommodate my test box). I'm trying to use a test host with an address of 10.10.11.161/16.

I can't seem to find a pairing for line two below (my test network) that the ASA will take, and I really need to test this tunnel before I tear the other down, or I'll be sleeping here till I make it work....
access-list MYCLIENT extended permit ip 192.168.14.0 255.255.255.0 10.140.0.0 255.255.0.0
access-list MYCLIENT-NAT extended permit ip 10.10.11.0 255.255.255.0 10.140.0.0 255.255.0.0
static (inside,outside) 192.168.14.0 access-list MYCLIENT-NAT
crypto map mymap 50 match address MYCLIENT
crypto map mymap 50 set transform-set myset
crypto map mymap 50 set peer x.x.x.2
tunnel-group 198.177.94.2 type ipsec-l2l
tunnel-group 198.177.94.2 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
 pre-shared-key MyCrazyKey
crypto isakmp policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
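The thing that decides whether a policy NAT such as the `static (inside,outside) ... access-list MYCLIENT-NAT` line above ever takes effect is the ASA's NAT order of operations: on the pre-8.3 syntax used throughout this thread, a `nat 0 access-list` exemption is checked before any static policy NAT, and the crypto map is then matched, in sequence order, against the post-NAT source address. The Python below is an added example written for this page (it is not ASA code and not the poster's own tooling) that encodes exactly that precedence and replays the NAT rules and crypto-map entries quoted in the question and in the test config above. The rule ordering it implements is the documented pre-8.3 behaviour; the `path()` helper, the rule names, and the `x.x.x.2` placeholder peer are this example's own conventions, and the three sample flows at the bottom are constructed.

```python
"""Which NAT rule and which crypto-map entry an ASA 8.2 flow hits.

Constructed example for this thread, not ASA code and not the poster's own
tooling. It encodes the pre-8.3 NAT order of operations (NAT exemption via
'nat 0 access-list' first, then static policy NAT, then dynamic NAT/PAT) and
the fact that crypto-map ACLs are evaluated in sequence order against the
POST-NAT source address. Only the rules quoted in the thread are modelled;
plain static NAT and dynamic policy NAT are omitted because the config has none.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One 'permit ip <src> <dst>' line of an extended access-list."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, s: IPv4Address, d: IPv4Address) -> bool:
        return s in self.src and d in self.dst


def acl(*pairs: Tuple[str, str]) -> List[Ace]:
    return [Ace(ip_network(s), ip_network(d)) for s, d in pairs]


@dataclass
class NatRule:
    name: str
    kind: str                                # "exempt" | "static-policy" | "dynamic"
    entries: List[Ace]
    mapped: Optional[IPv4Network] = None     # translated net (static) / PAT address (dynamic)


PRECEDENCE = ("exempt", "static-policy", "dynamic")   # pre-8.3 order of operations


def translate(rules: List[NatRule], src: IPv4Address, dst: IPv4Address):
    """Return (winning rule name, post-NAT source) for a new inside->outside flow."""
    for kind in PRECEDENCE:
        for rule in (r for r in rules if r.kind == kind):
            if not any(ace.matches(src, dst) for ace in rule.entries):
                continue
            if kind == "exempt":
                return rule.name, src                          # no translation at all
            if kind == "static-policy":
                # net-to-net static: keep the host part, swap the network prefix
                hit = next(a for a in rule.entries if a.matches(src, dst))
                offset = int(src) - int(hit.src.network_address)
                return rule.name, IPv4Address(int(rule.mapped.network_address) + offset)
            return rule.name, rule.mapped.network_address      # PAT to the outside interface
    return None, src


def crypto_peer(cmap, src: IPv4Address, dst: IPv4Address) -> Optional[str]:
    """Crypto-map entries are tried in sequence-number order; first ACL match wins."""
    for _seq, entries, peer in sorted(cmap, key=lambda e: e[0]):
        if any(ace.matches(src, dst) for ace in entries):
            return peer
    return None


# NAT and crypto-map lines as posted in the thread (addresses are the page's own).
NAT_RULES = [
    NatRule("nat (inside) 0 access-list nonat", "exempt", acl(
        ("10.10.10.0/24", "199.2.67.0/24"), ("10.10.10.0/24", "10.0.0.0/8"),
        ("10.10.10.0/24", "192.168.0.0/24"), ("10.10.10.0/24", "172.23.16.0/24"),
        ("10.10.10.0/24", "10.2.1.0/24"))),
    NatRule("static (inside,outside) 192.168.14.0 access-list MYCLIENT-NAT", "static-policy",
            acl(("10.10.11.0/24", "10.140.0.0/16")), ip_network("192.168.14.0/24")),
    NatRule("nat (inside) 1 0.0.0.0 0.0.0.0 + global (outside) 1 interface", "dynamic",
            acl(("0.0.0.0/0", "0.0.0.0/0")), ip_network("69.129.2.146/32")),
]
ACL_100 = acl(("10.10.10.0/24", "199.2.67.0/24")) + acl(
    *(("10.10.10.0/24", f"10.{n}.0.0/16") for n in range(128, 141)))
CRYPTO_MAP = [
    (10, ACL_100, "207.250.8.8"),
    (20, acl(("10.10.10.0/24", "192.168.0.0/24")), "216.170.0.110"),
    (40, acl(("10.10.10.0/24", "10.2.0.0/16")), "67.137.5.50"),
    (50, acl(("192.168.14.0/24", "10.140.0.0/16")), "x.x.x.2"),
]


def path(src: str, dst: str):
    """(NAT rule that won, post-NAT source, crypto peer or None if sent in the clear)."""
    s, d = ip_address(src), ip_address(dst)
    rule, post = translate(NAT_RULES, s, d)
    return rule, str(post), crypto_peer(CRYPTO_MAP, post, d)


if __name__ == "__main__":
    for flow in [("10.10.11.161", "10.140.0.10"),   # the poster's test host
                 ("10.10.10.50", "10.140.0.10"),    # a production host after cut-over
                 ("10.10.10.50", "8.8.8.8")]:       # ordinary Internet traffic
        print(flow, "->", path(*flow))
```

Run as-is, the first flow shows the test host 10.10.11.161 being rewritten to 192.168.14.161 and landing on crypto map entry 50, because none of the `nonat` exemption lines name 10.10.11.0/24. The second flow shows what happens to a real 10.10.10.0/24 host once the new tunnel is meant to carry production traffic: the `nonat` entry for 10.0.0.0/8 wins before the policy static is even considered, the source stays untranslated, and crypto map entry 10 (ACL 100, which already lists 10.140.0.0/16) claims the packet for the old peer. Both that exemption line and ACL 100 therefore have to be narrowed before cut-over, or the new NAT and the new crypto map entry are never reached. The third flow is the control case: PAT to the outside interface and no crypto match, i.e. plain Internet traffic. The model does not cover the `michigan` RA pool (10.10.11.60-110), which sits inside the 10.10.11.0/24 test network, nor the remote side, which must mirror 192.168.14.0/24 as the far-end network in its own Phase 2 selector; it also applies only to the pre-8.3 `nat`/`global`/`static` syntax shown here, since 8.3 replaced it with object and twice NAT.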


jcroson (author) commented:
*sigh* So much for trying to obfuscate my addresses.....

wilsj commented:
Please post your nat and global statements here.

All line 2 is saying is to take access-list MYCLIENT-NAT and NAT it to 192.168.14.0 when going to 10.140.0.0 255.255.0.0.

wilsj commented:
From what I see, you want to NAT your 10.10.10.0/24 network to 192.168.14.0/24 to go through the tunnel and communicate with 10.140.0.0 255.255.0.0. Is this correct?

jcroson (author) commented:
Yes, it is.

jcroson (author) commented:
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

wilsj commented:
OK, it looks right. Are you sure you have the correct peer IP address?

wilsj commented:
Also make sure all your Phase 2 crypto settings match exactly what they have on their end.


jcroson (author) commented:
Thanks for your help. After opening a TAC case, Cisco found an additional statement for RA users whose network stepped on some of this L2L.

Your method of static (inside,outside) was the eventual one used, not the KB example, which I could never get working.

Thanks again!