Solved

Cisco ASA site to site VPN NAT problem

Posted on 2011-02-28
774 Views
Last Modified: 2012-05-11
I'm having a problem getting a site to site VPN working properly. Actually, I can get the VPN to work fine, I just can't access the Internet after I get it working. I've tried several things so far, so hopefully the config isn't too goofy. It's been a long day :-)

Here's what I'm trying to do.

We are on a 192.168.1.0/24 subnet (of course). Our vendor is on a 192.168.11.0/24 subnet. In order for this to work, they requested we nat our subnet to 192.168.51.0/24.

Right now, I can ping an endpoint on the other side of the tunnel just fine...but I can't get out to the Internet. This obviously has something to do with the NAT'ing.

I have a 1 to 1 NAT configured for testing (my laptop 192.168.1.200). Note the line:
static (inside,outside) 192.168.51.200 192.168.1.200 netmask 255.255.255.255

I need any host on my internal network to get NAT'd to the 192.168.51.0/24 network for the VPN. Hopefully I don't need to create 50 statements like the one above.

Also note the line:
global (outside) 1 x.x.x.18

Usually I would put global (outside) 1 interface on this line. This was changed a few times during troubleshooting but I wanted to post my current config so I left this as is.


I know this is easy for someone, and I'm also sure I've spent way too much time on this...so I'm probably doing something that doesn't make sense. Any help is appreciated.


ASA Version 8.2(1) 
!
hostname ASA
enable password ew5hA7chK3mG.KBz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.1.3 255.255.255.0 
!
interface Vlan11
 nameif outside
 security-level 0
 ip address x.x.x.17 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 11
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 switchport access vlan 10
!
interface Ethernet0/4
 switchport access vlan 10
!
interface Ethernet0/5
 switchport access vlan 10
!
interface Ethernet0/6
 switchport access vlan 10
!
interface Ethernet0/7
 switchport access vlan 10
!
ftp mode passive
clock timezone cdt -6
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any echo-reply 
access-list outside_in extended permit icmp any any time-exceeded 
access-list outside_in extended permit icmp any any unreachable 
access-list VPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip 192.168.51.0 255.255.255.0 192.168.11.0 255.255.255.0 
access-list nat2outside extended permit ip 192.168.1.0 255.255.255.0 any 
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 10.10.10.1-10.10.10.11 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 x.x.x.18
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list nat2outside
static (inside,outside) 192.168.51.200 192.168.1.200 netmask 255.255.255.255 
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.22 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.x.134 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.28
webvpn
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 dns-server value 192.168.1.201
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 default-domain value domain.local

tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool VPNPool
 default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.134 type ipsec-l2l
tunnel-group x.x.x.134 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

Question by:FIFBA
5 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 35007224
Static NAT won't work for this, because it will NAT all traffic going in that direction regardless of the destination.

You need policy NAT, where you use an access list.

If you need for the vendor to be able to initiate traffic, I think there's a way to accomplish it, but I'll have to do some digging.
LVL 4

Assisted Solution

by:ullas_unni
ullas_unni earned 100 total points
ID: 35008063
The reason you lost Internet connectivity is that you have static (inside,outside) 192.168.51.200 192.168.1.200 netmask 255.255.255.255, which takes precedence over your nat (inside) / global (outside).

You can try this:

access-list vpn_nat permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0

static (inside,outside) 192.168.51.0 access-list vpn_nat

This might help you.
LVL 17

Accepted Solution

by:Kvistofta
Kvistofta earned 400 total points
ID: 35008437
As far as I can see this question is not neglected. Both answers above are relevant and should be rewarded, imho.

Best regards
Kvistofta
Author Comment

by:FIFBA
ID: 35008675
Thanks for the help so far. Not sure where the 'neglected' comment came from. I never classified this as such. Anyway, if I understand correctly I need to get rid of the static NAT and modify my nat/global statements to look something like this...

access-list vpn_nat permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
static (inside,outside) 192.168.51.0 access-list vpn_nat
nat (inside) 1 0 0
global (outside) 1 interface

Is this correct?

LVL 17

Assisted Solution

by:Kvistofta
Kvistofta earned 400 total points
ID: 35008695
Yes, it looks valid and correct.

/Kvistofta
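As an added illustration (not code from any poster in this thread), here is a small Python model of the ASA 8.2 NAT order of operations that the replies rely on: nat 0 exemption is checked first, then static translations (a plain static matches every destination, a policy static only the destinations in its access-list), and only then dynamic nat/global. It compares the posted config with the suggested fix; the x.x.x outside addresses, the Internet destination 203.0.113.10, the dictionary layout and the omission of ports/PAT are constructed assumptions.

```python
import ipaddress

# Constructed model of ASA 8.2 NAT ordering: nat 0 exemption, then static
# (regular or policy), then dynamic nat/global. Not the ASA's own code.
IP = ipaddress.ip_address
NET = ipaddress.ip_network

def nat0_exempt(src, dst, exempt_pairs):
    """nat (inside) 0 access-list: matching flows leave untranslated."""
    return any(src in s and dst in d for s, d in exempt_pairs)

def translate(src, dst, policy):
    """Return the source address a flow src -> dst carries on the outside."""
    src, dst = IP(src), IP(dst)
    if nat0_exempt(src, dst, policy["nat0"]):
        return str(src)
    # static entries are consulted before nat/global; a regular static has
    # dst_match = ANY, a policy static narrows it to the access-list destination
    for real, mapped, dst_match in policy["static"]:
        if src in real and dst in dst_match:
            offset = int(src) - int(real.network_address)  # keep host part
            return str(mapped.network_address + offset)
    # everything else falls through to nat (inside) 1 / global (outside) 1
    return policy["global"]

INSIDE = NET("192.168.1.0/24")
VENDOR = NET("192.168.11.0/24")
ANY = NET("0.0.0.0/0")
RA_POOL = NET("10.10.10.0/24")  # remote-access pool, exempted by nat 0

# Posted config: static (inside,outside) 192.168.51.200 192.168.1.200 and
# global (outside) 1 x.x.x.18 (x.x.x placeholders as in the post)
BEFORE = {"nat0": [(INSIDE, RA_POOL)],
          "static": [(NET("192.168.1.200/32"), NET("192.168.51.200/32"), ANY)],
          "global": "x.x.x.18"}
# Suggested fix: static (inside,outside) 192.168.51.0 access-list vpn_nat,
# nat (inside) 1 0 0, global (outside) 1 interface (outside is x.x.x.17)
AFTER = {"nat0": [(INSIDE, RA_POOL)],
         "static": [(INSIDE, NET("192.168.51.0/24"), VENDOR)],
         "global": "x.x.x.17"}

if __name__ == "__main__":
    for name, pol in (("before", BEFORE), ("after", AFTER)):
        print(name, "laptop -> vendor  :", translate("192.168.1.200", "192.168.11.5", pol))
        print(name, "laptop -> Internet:", translate("192.168.1.200", "203.0.113.10", pol))
```

With the posted config the laptop's Internet-bound traffic leaves sourced from 192.168.51.200, a private address the ISP cannot route replies to, which is why the Internet broke; with the fix, only vendor-bound traffic gets a 192.168.51.x address and everything else is PATed behind the outside interface.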
