Cannot nat across Site to site VPN
I have network A as 10.201.10.0/23 and it is connected to network b 128.1.0.0/16 via site to site VPN on cisco 5505.
This is working as needed, but I need just one host on network A to be natted from 10.201.10.6 to 128.1.1.5 when it reaches network B.
Here is a jpg of the configuration and the configs for both router A and router.
Here are the configs....
network A
ASA Version 8.2(1)
!
hostname CPF
enable password z3Vhv168HZLEetUh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.201.10.2 255.255.254.0
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list 100 extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0
.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255
.0.0
access-list decanat extended permit ip host 10.201.10.6 host 128.1.1.5
pager lines 24
logging enable
logging console informational
logging asdm debugging
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 128.1.1.5 netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 2 access-list decanat
static (inside,outside) 128.1.1.5 10.201.10.6 netmask 255.255.255.255
!
router eigrp 500
neighbor 172.16.1.2 interface outside
network 128.0.0.0 255.0.0.0
network 172.16.1.0 255.255.255.0
network 192.168.2.0 255.255.255.0
redistribute static
!
route inside 10.201.10.0 255.255.254.0 10.201.10.2 1
route outside 128.1.0.0 255.255.0.0 172.16.1.2 1
route outside 172.16.253.0 255.255.255.0 172.16.1.2 1
route outside 192.168.2.0 255.255.255.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
http server enable
http 10.201.10.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map oustide_map 20 match address 100
crypto map oustide_map 20 set peer 192.168.2.1
crypto map oustide_map 20 set transform-set myset
crypto map oustide_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.201.10.6-10.201.10.133 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 192.168.2.1 type ipsec-l2l
tunnel-group 192.168.2.1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fe6d3960308
: end
Network B
ASA Version 8.2(1)
!
hostname MDV
enable password z3Vhv168HZLEetUh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 128.1.70.100 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit intra-interface
access-list 100 extended permit ip 128.1.0.0 255.255.0.0 10.201.10.0 255.255.254
.0
access-list nonat extended permit ip 128.1.0.0 255.255.0.0 10.201.10.0 255.255.2
54.0
access-list deca_100 standard permit 128.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 128.1.0.0 255.255.0.0 128.1.
0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 1 98.141.40.151
nat (inside) 0 access-list nonat
nat (inside) 1 128.1.0.0 255.255.0.0
!
router eigrp 500
eigrp stub connected static redistributed
neighbor 192.168.2.2 interface outside
network 192.168.1.0 255.255.255.0
network 192.168.2.0 255.255.255.0
!
route outside 10.201.10.0 255.255.254.0 192.168.2.2 1
route outside 172.16.1.0 255.255.255.0 192.168.2.2 1
route inside 172.16.253.0 255.255.255.0 128.1.250.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
http server enable
http 128.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 172.16.1.1
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 128.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 128.1.70.104-128.1.71.103 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
This is working as needed, but I need just one host on network A to be natted from 10.201.10.6 to 128.1.1.5 when it reaches network B.
Here is a jpg of the configuration and the configs for both router A and router.
Here are the configs....
network A
ASA Version 8.2(1)
!
hostname CPF
enable password z3Vhv168HZLEetUh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.201.10.2 255.255.254.0
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list 100 extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0
.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255
.0.0
access-list decanat extended permit ip host 10.201.10.6 host 128.1.1.5
pager lines 24
logging enable
logging console informational
logging asdm debugging
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 128.1.1.5 netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 2 access-list decanat
static (inside,outside) 128.1.1.5 10.201.10.6 netmask 255.255.255.255
!
router eigrp 500
neighbor 172.16.1.2 interface outside
network 128.0.0.0 255.0.0.0
network 172.16.1.0 255.255.255.0
network 192.168.2.0 255.255.255.0
redistribute static
!
route inside 10.201.10.0 255.255.254.0 10.201.10.2 1
route outside 128.1.0.0 255.255.0.0 172.16.1.2 1
route outside 172.16.253.0 255.255.255.0 172.16.1.2 1
route outside 192.168.2.0 255.255.255.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
http server enable
http 10.201.10.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map oustide_map 20 match address 100
crypto map oustide_map 20 set peer 192.168.2.1
crypto map oustide_map 20 set transform-set myset
crypto map oustide_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.201.10.6-10.201.10.133 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 192.168.2.1 type ipsec-l2l
tunnel-group 192.168.2.1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fe6d3960308
: end
Network B
ASA Version 8.2(1)
!
hostname MDV
enable password z3Vhv168HZLEetUh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 128.1.70.100 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit intra-interface
access-list 100 extended permit ip 128.1.0.0 255.255.0.0 10.201.10.0 255.255.254
.0
access-list nonat extended permit ip 128.1.0.0 255.255.0.0 10.201.10.0 255.255.2
54.0
access-list deca_100 standard permit 128.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 128.1.0.0 255.255.0.0 128.1.
0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 1 98.141.40.151
nat (inside) 0 access-list nonat
nat (inside) 1 128.1.0.0 255.255.0.0
!
router eigrp 500
eigrp stub connected static redistributed
neighbor 192.168.2.2 interface outside
network 192.168.1.0 255.255.255.0
network 192.168.2.0 255.255.255.0
!
route outside 10.201.10.0 255.255.254.0 192.168.2.2 1
route outside 172.16.1.0 255.255.255.0 192.168.2.2 1
route inside 172.16.253.0 255.255.255.0 128.1.250.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
http server enable
http 128.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 172.16.1.1
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 128.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 128.1.70.104-128.1.71.103 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Last Comment
So, first, is it as simple as a typo of 10.201.10.x versus 10.206.10.x? Make sure you know how it's supposed to be.
If that's not it, though, does the network at the other end know where the address used in your "global (outside)" statement is located? Your ACL of what gets encrypted specifies the inside address, so chances are their ACL at the other end specifies the reverse of yours -- but doesn't in any way mention the 128.1.1.x subnet.
I haven't played with this kind of NAT situation too much, but my guess is your ACL should probably specify 128.1.1.x as the source subnet, and you probably need to modify your NAT criteria to base it off an ACL that specifies traffic specifically destined for 128.1.0.11.
See if the first suggestion works and lets go from there.
If that's not it, though, does the network at the other end know where the address used in your "global (outside)" statement is located? Your ACL of what gets encrypted specifies the inside address, so chances are their ACL at the other end specifies the reverse of yours -- but doesn't in any way mention the 128.1.1.x subnet.
I haven't played with this kind of NAT situation too much, but my guess is your ACL should probably specify 128.1.1.x as the source subnet, and you probably need to modify your NAT criteria to base it off an ACL that specifies traffic specifically destined for 128.1.0.11.
See if the first suggestion works and lets go from there.
ASKER
it's a typo in the visio...it should be 10.201.10
You need to reconfigure some things to setup policy NAT.
On Network A ASA
access-list nonat line 1 deny ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
no access-list decanat extended permit ip host 10.201.10.6 host 128.1.1.5
no nat (inside) 2 access-list decanat
no static (inside,outside) 128.1.1.5 10.201.10.6 netmask 255.255.255.255
access-list nat-siteb permit ip host 10.201.10.6 128.1.0.0 255.255.0.0
static (inside,outside) 128.1.1.5 access-list nat-siteb
! The above will cause only the traffic coming from 10.201.10.6 to 128.1.0.0/16 to be NATed. The rest will flow non-nated.
access-list 100 permit ip host 128.1.1.5 128.1.0.0 255.255.0.0
! This causes the NATed traffic to be sent through the Tunnel.
On Network B ASA:
access-list 100 permit ip 128.1.0.0 255.255.0.0 host 128.1.1.5
route outside 128.1.1.5 255.255.255.0 192.168.2.2
! This routes the traffic back through the VPN tunnel for the NATed traffic.
On Network A ASA
access-list nonat line 1 deny ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
no access-list decanat extended permit ip host 10.201.10.6 host 128.1.1.5
no nat (inside) 2 access-list decanat
no static (inside,outside) 128.1.1.5 10.201.10.6 netmask 255.255.255.255
access-list nat-siteb permit ip host 10.201.10.6 128.1.0.0 255.255.0.0
static (inside,outside) 128.1.1.5 access-list nat-siteb
! The above will cause only the traffic coming from 10.201.10.6 to 128.1.0.0/16 to be NATed. The rest will flow non-nated.
access-list 100 permit ip host 128.1.1.5 128.1.0.0 255.255.0.0
! This causes the NATed traffic to be sent through the Tunnel.
On Network B ASA:
access-list 100 permit ip 128.1.0.0 255.255.0.0 host 128.1.1.5
route outside 128.1.1.5 255.255.255.0 192.168.2.2
! This routes the traffic back through the VPN tunnel for the NATed traffic.
ASKER
I keep getting this
CPF(config)# %ASA-3-305005: No translation group found for icmp src outside:128.
1.70.107 dst inside:10.201.10.6 (type 8, code 0)
%ASA-3-305005: No translation group found for icmp src outside:128.1.70.107 dst
inside:10.201.10.6 (type 8, code 0)
%ASA-3-305005: No translation group found for icmp src outside:128.1.70.107 dst
inside:10.201.10.6 (type 8, code 0)
for any address inside the 10 net now
CPF(config)# %ASA-3-305005: No translation group found for icmp src outside:128.
1.70.107 dst inside:10.201.10.6 (type 8, code 0)
%ASA-3-305005: No translation group found for icmp src outside:128.1.70.107 dst
inside:10.201.10.6 (type 8, code 0)
%ASA-3-305005: No translation group found for icmp src outside:128.1.70.107 dst
inside:10.201.10.6 (type 8, code 0)
for any address inside the 10 net now
ASKER
update....
I put this in...
access-list 100 extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nonat extended deny ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nat-siteb extended permit ip host 10.201.10.6 128.1.0.0 255.255.0.0
and then this....
static (inside,outside) 128.1.1.5 access-list nat-siteb
static (inside,outside) 10.201.10.0 access-list 100
now the console is showing for site A
CPF(config)# %ASA-6-302020: Built inbound ICMP connection for faddr 128.1.70.107
/768 gaddr 10.201.10.6/0 laddr 10.201.10.6/0
when I ping to 10.201.10.6 from the 128.0.0.0 network.
from site B I ping 128.1.70.107 and this is what shows in B console...
%ASA-6-302020: Built outbound ICMP connection for faddr 10.201.10.6/0 gaddr 128.
1.70.107/768 laddr 128.1.70.107/768
But I get request timed out at each host.
I put this in...
access-list 100 extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nonat extended deny ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nat-siteb extended permit ip host 10.201.10.6 128.1.0.0 255.255.0.0
and then this....
static (inside,outside) 128.1.1.5 access-list nat-siteb
static (inside,outside) 10.201.10.0 access-list 100
now the console is showing for site A
CPF(config)# %ASA-6-302020: Built inbound ICMP connection for faddr 128.1.70.107
/768 gaddr 10.201.10.6/0 laddr 10.201.10.6/0
when I ping to 10.201.10.6 from the 128.0.0.0 network.
from site B I ping 128.1.70.107 and this is what shows in B console...
%ASA-6-302020: Built outbound ICMP connection for faddr 10.201.10.6/0 gaddr 128.
1.70.107/768 laddr 128.1.70.107/768
But I get request timed out at each host.
Lets try:
no global (outside) 2 128.1.1.5 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
clear xlate
no global (outside) 2 128.1.1.5 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
clear xlate
I dont think we need to use policy nating for the traffic you dont want to nat. That traffic should be in the nonat ACL and the nat (inside) 0 command.
no static (inside,outside) 10.201.10.0 access-list 100
access-list nonat extended deny ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nat-siteb extended permit ip host 10.201.10.6 128.1.0.0 255.255.0.0
nat (inside) 0 access-list nonat
static (inside,outside) 128.1.1.5 access-list nat-siteb
clear xlate
That should cause the traffic to be NATed the way we want. Check the tunnel to see if theres any traffic being sent /received. Use 'show crypto ipsec'
no static (inside,outside) 10.201.10.0 access-list 100
access-list nonat extended deny ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nat-siteb extended permit ip host 10.201.10.6 128.1.0.0 255.255.0.0
nat (inside) 0 access-list nonat
static (inside,outside) 128.1.1.5 access-list nat-siteb
clear xlate
That should cause the traffic to be NATed the way we want. Check the tunnel to see if theres any traffic being sent /received. Use 'show crypto ipsec'
ASKER
removed policy nat and put in the config mod you said and here is the result..
%ASA-3-305005: No translation group found for icmp src outside:128.1.70.107 dst
inside:10.201.10.6 (type 8, code 0)
access-list 100 extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nonat extended deny ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nat-siteb extended permit ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nat-siteb extended permit ip host 10.201.10.6 172.16.253.0 255.255.255.0
nat (inside) 0 access-list nonat
static (inside,outside) 128.1.1.5 access-list nat-siteb
%ASA-3-305005: No translation group found for icmp src outside:128.1.70.107 dst
inside:10.201.10.6 (type 8, code 0)
access-list 100 extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nonat extended deny ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list nat-siteb extended permit ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nat-siteb extended permit ip host 10.201.10.6 172.16.253.0 255.255.255.0
nat (inside) 0 access-list nonat
static (inside,outside) 128.1.1.5 access-list nat-siteb
Where are you originating the Ping from? The ASA itself or from a device on the inside interface of Site A's firewall or Site B's firewall? Is the traffic actually going through the VPN?
ASKER
I have a laptop on each side and a router on each side .....so to answer the ? I am originating from laptop 128.1.70.107 to laptop 10.201.10.6...traffic is passing because I can ping from laptop 128.1.70.107 to the router on the other side 10.201.10.1
I'll try to lab it up and test the configs. I'm pretty sure what I've tried to do should work, there maybe a detail I'm missing though.
ASKER
Thanks....
Do you do hard labs? (I mean actual hardware?)
Do you do hard labs? (I mean actual hardware?)
I have a couple extra 5505's that I can use.
ASKER
OK...that's what I have with the router in the middle.
ASKER
anyone else have some ideas?
I am struggling on this.
I am struggling on this.
I got it working. There is an issue with doing it the way you've setup though. The problem is that even if you setup everything perfectly, the traffic will not route back correctly from the 128.1.0.11 device without a static route on that device specifically for the 128.1.1.5 IP. 128.1.1.5 is in the same network as 128.1.0.11 so the traffic never gets routed back to the ASA to go through the VPN tunnel. So in addition to the below configurations I had to add a route on my 128.1.0.11 device like:
ip route 128.1.1.5 255.255.255.255 128.1.70.100
(I was using a router)
Once I did that I was able to ping through from 10.201.10.6, get natted to 128.1.1.5, go through the VPN, then come all the way back.... Using the below configurations.
ip route 128.1.1.5 255.255.255.255 128.1.70.100
(I was using a router)
Once I did that I was able to ping through from 10.201.10.6, get natted to 128.1.1.5, go through the VPN, then come all the way back.... Using the below configurations.
SITE A config:
:
ASA Version 8.2(1)
!
hostname Site-A
domain-name default.domain.invalid
enable password NuLKvvWGg.x9HEKO encrypted
passwd NuLKvvWGg.x9HEKO encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.201.10.2 255.255.254.0
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list nonat extended deny ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list 100 extended permit ip 10.201.10.0 255.255.254.0 128.1.0.0 255.255.0.0
access-list 100 extended permit ip host 128.1.1.5 128.1.0.0 255.255.0.0
access-list nat-siteb extended permit ip host 10.201.10.6 128.1.0.0 255.255.0.0
access-list acl-outside extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 128.1.1.5 access-list nat-siteb
access-group acl-outside in interface outside
route outside 128.1.0.0 255.255.0.0 172.16.1.2 1
route outside 192.168.2.0 255.255.255.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 6:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set AES128SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map oustide_map 20 match address 100
crypto map oustide_map 20 set peer 192.168.2.1
crypto map oustide_map 20 set transform-set myset
crypto map oustide_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 67.67.4.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 192.168.2.1 type ipsec-l2l
tunnel-group 192.168.2.1 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:0d6699320fc7f09b256766c862d3f5f0
SITE B Config:
: Saved
:
ASA Version 8.2(1)
!
hostname Site-B
enable password NuLKvvWGg.x9HEKO encrypted
passwd NuLKvvWGg.x9HEKO encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 128.1.70.100 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list 100 extended permit ip 128.1.0.0 255.255.0.0 10.201.10.0 255.255.254.0
access-list 100 extended permit ip 128.1.0.0 255.255.0.0 host 128.1.1.5
access-list nonat extended permit ip 128.1.0.0 255.255.0.0 10.201.10.0 255.255.254.0
access-list nonat extended permit ip 128.1.0.0 255.255.0.0 host 128.1.1.5
access-list acl-outside extended permit icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 128.1.0.0 255.255.0.0
access-group acl-outside in interface outside
route outside 10.201.10.0 255.255.254.0 192.168.2.2 1
route outside 128.1.1.5 255.255.255.255 192.168.2.2 1
route outside 172.16.1.0 255.255.255.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 172.16.1.1
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
ASKER
OK Gavving,
I put in the configs. I put in the static routes on all routers involved (3 of them, one for each site and one for the site to site VPN)
Now I can ping my routers on each side.
I can ping from my Site A router to a host on Site B and vice versa. (E.G. from 10.201.10.1 to 128.1.70.107)
I can ping from my router on Site B to the router on Site A and to 128.1.1.5
Sending 5, 100-byte ICMP Echos to 128.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent
I can ping from 10.201.10.6 to the router in Site B (10.201.10.6 to 128.1.250.0)
I cannot ping from 10.201.10.6 to a host in Site B (10.201.10.6 to 128.1.70.107) see below from the logs...Both ASA's thinks it happens, but the request times out on the host...
Log entry from Site B ASA:
MDV(config)# %ASA-6-302020: Built inbound ICMP connection for faddr 128.1.1.5/51
2 gaddr 128.1.70.107/0 laddr 128.1.70.107/0
%ASA-6-302021: Teardown ICMP connection for faddr 128.1.1.5/512 gaddr 128.1.70.1
07/0 laddr 128.1.70.107/0
Log entry from Site A ASA:
CPF(config)# %ASA-6-302020: Built outbound ICMP connection for faddr 128.1.70.10
7/0 gaddr 128.1.1.5/512 laddr 10.201.10.6/512
%ASA-6-302021: Teardown ICMP connection for faddr 128.1.70.107/0 gaddr 128.1.1.5
/512 laddr 10.201.10.6/512
Then pinging 10.201.10.6 OR 128.1.1.5 from host in site B 128.1.70.107 the ping also times out....
Here is the log entry from Site B asa
MDV(config)# %ASA-6-302020: Built outbound ICMP connection for faddr 10.201.10.6
/0 gaddr 128.1.70.107/768 laddr 128.1.70.107/768
%ASA-6-302021: Teardown ICMP connection for faddr 10.201.10.6/0 gaddr 128.1.70.1
07/768 laddr 128.1.70.107/768
Log entry from Site A ASA for same ping...
CPF(config)# %ASA-3-305005: No translation group found for icmp src outside:128.
1.70.107 dst inside:10.201.10.6 (type 8, code 0)
Do you need to see anymore to see if this works?
I put in the configs. I put in the static routes on all routers involved (3 of them, one for each site and one for the site to site VPN)
Now I can ping my routers on each side.
I can ping from my Site A router to a host on Site B and vice versa. (E.G. from 10.201.10.1 to 128.1.70.107)
I can ping from my router on Site B to the router on Site A and to 128.1.1.5
Sending 5, 100-byte ICMP Echos to 128.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent
I can ping from 10.201.10.6 to the router in Site B (10.201.10.6 to 128.1.250.0)
I cannot ping from 10.201.10.6 to a host in Site B (10.201.10.6 to 128.1.70.107) see below from the logs...Both ASA's thinks it happens, but the request times out on the host...
Log entry from Site B ASA:
MDV(config)# %ASA-6-302020: Built inbound ICMP connection for faddr 128.1.1.5/51
2 gaddr 128.1.70.107/0 laddr 128.1.70.107/0
%ASA-6-302021: Teardown ICMP connection for faddr 128.1.1.5/512 gaddr 128.1.70.1
07/0 laddr 128.1.70.107/0
Log entry from Site A ASA:
CPF(config)# %ASA-6-302020: Built outbound ICMP connection for faddr 128.1.70.10
7/0 gaddr 128.1.1.5/512 laddr 10.201.10.6/512
%ASA-6-302021: Teardown ICMP connection for faddr 128.1.70.107/0 gaddr 128.1.1.5
/512 laddr 10.201.10.6/512
Then pinging 10.201.10.6 OR 128.1.1.5 from host in site B 128.1.70.107 the ping also times out....
Here is the log entry from Site B asa
MDV(config)# %ASA-6-302020: Built outbound ICMP connection for faddr 10.201.10.6
/0 gaddr 128.1.70.107/768 laddr 128.1.70.107/768
%ASA-6-302021: Teardown ICMP connection for faddr 10.201.10.6/0 gaddr 128.1.70.1
07/768 laddr 128.1.70.107/768
Log entry from Site A ASA for same ping...
CPF(config)# %ASA-3-305005: No translation group found for icmp src outside:128.
1.70.107 dst inside:10.201.10.6 (type 8, code 0)
Do you need to see anymore to see if this works?
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I wish I could give more points!!!
The static route on the host did the trick!
The static route on the host did the trick!
Cisco
Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).
27K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
ASKER