Solved

Trouble setting up VPN to Non-ASA box

Posted on 2011-09-18
372 Views
Last Modified: 2012-06-21
Our situation is as follows:

- On one end, an ASA 5505 running 8.3(1). Several servers in the 10.20.30.0/24 subnet.

- On the other end, a Fortigate 60B. A backup server in the 10.0.10.0/24 subnet.

- The tricky bit is that we want to NAT the addresses of the servers behind the ASA so that to the backup server they appear to be in the 172.16.16.0/24 subnet.

- We're using an L2L IPsec VPN with standard settings. We don't have any trouble opening the tunnel. The problem is that none of the machines on each end can talk to each other. Packets from the backup server are received by the ASA, but they don't seem to go anywhere. Packets from the servers behind the ASA don't seem to reach the Fortigate. I'm pretty sure the problem is in my NAT rules or crypto map or one of those things.

- When the backup server behind the Fortigate tries to ping one of the servers at its NATed address, I see the ping come to the ASA and get NATed to the correct internal address, but then I get "regular translation creation failed for icmp" in the ASA log.

ASA config attached. Can anyone shed light on the issue?

Thanks!

Result of the command: "show run"

: Saved
:
ASA Version 8.3(1) 
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.20.30.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address [external IP] 255.255.255.240 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.100.100.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name domain.com
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network Inside_LAN 
 subnet 10.20.30.0 255.255.255.0
object network VPN_Tunnel 
 subnet 192.168.222.0 255.255.255.0
object network DMZ 
 subnet 10.100.100.0 255.255.255.0
object network DMZ_10.100.100.0_24 
 subnet 10.100.100.0 255.255.255.0
object network Backup_LAN 
 subnet 10.0.10.0 255.255.255.0
 description Backup internal network 
object network Backup_NAT 
 subnet 172.16.16.0 255.255.255.0
 description Backup NAT subnet for devices 
access-list vpn_splitTunnelAcl standard permit 10.20.30.0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip object Backup_NAT object Backup_LAN 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ipsecvpnpool 192.168.222.1-192.168.222.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm631.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static Inside_LAN Backup_NAT destination static Backup_LAN Backup_LAN
nat (inside,outside) source dynamic any interface
nat (dmz,outside) source dynamic any interface
nat (inside,outside) source static Inside_LAN Inside_LAN destination static VPN_Tunnel VPN_Tunnel
!
object network obj_any
 nat (inside,outside) dynamic interface
object network DMZ
 nat (dmz,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 [gateway IP] 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer [Fortigate IP] 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 10.100.100.100-10.100.100.254 dmz
dhcpd dns 208.67.220.220 208.67.222.222 interface dmz
dhcpd auto_config outside interface dmz
dhcpd enable dmz
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
group-policy vpn internal
group-policy vpn attributes
 dns-server value 10.20.30.11
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl
 vpn-group-policy vpn
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
 address-pool ipsecvpnpool
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key *****
tunnel-group [Fortigate IP] type ipsec-l2l
tunnel-group [Fortigate IP] ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
: end

Question by:netfriendsinc
5 Comments

Expert Comment

by:jmeggers
ID: 36560285
Do your ACLs match up? What you're doing looks right to me based on similar configurations I've done (using the NAT subnet and the real far-end subnet). What ACL does the far end device use?
 

Author Comment

by:netfriendsinc
ID: 36562953
It's a simpler device, so it doesn't really use ACLs per se. The Fortigate UI actually shows each L2L VPN as a virtual "interface," so we have a static route directing 172.16.16.0/24 traffic to that interface. All outbound traffic from the backup server is permitted. Only inbound ping traffic (for diagnostic purposes) is permitted. That's all the rules we have on that side.
 

Author Comment

by:netfriendsinc
ID: 36563041
I should clarify - all outbound traffic from the backup server to the 172.16.16.0/24 subnet is permitted. Only inbound ping traffic from the 172.16.16.0/24 subnet to the backup server is permitted.
 

Accepted Solution

by:netfriendsinc (earned 0 total points)
ID: 36583911
This problem was resolved by one or both of the following (not sure which, I did both and now it works):

1. In line 80, switched to nat (inside,any)
2. Added line: crypto map outside_map 1 set reverse-route
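The accepted solution above changes the interface pair on the tunnel NAT rule and adds reverse-route injection, but the thread never shows why rule placement and the crypto ACL's addresses matter. The following is an added example, not code from the original post or from Cisco: a small Python model of how the ASA 8.3 manual NAT table (section 1, first match wins, interface names matched literally with "any" as a wildcard) interacts with the crypto-map ACL, loaded with the rules and subnets from the posted "show run". It is deliberately simplified (no object NAT, no ports, no routing) and two values are assumptions: 203.0.113.2 stands in for the redacted "[external IP]", and the Fortigate phase-2 selector is the mirror image that the author's description implies.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed stand-in for the post's redacted "[external IP]" on Vlan2.
OUTSIDE_IP = "203.0.113.2"


@dataclass
class NatRule:
    """One manual (twice) NAT rule: nat (ingress,egress) source ... destination ..."""
    ingress: str                    # first interface name; "any" is a wildcard
    egress: str                     # second interface name; "any" is a wildcard
    real_src: str                   # network the pre-NAT source must fall in
    mapped_src: str                 # same-size network for static 1:1, or "PAT"
    real_dst: Optional[str] = None  # "destination static X X" makes dst a match condition

    def interfaces_match(self, ingress: str, egress: str) -> bool:
        return self.ingress in ("any", ingress) and self.egress in ("any", egress)


def static_map(addr: str, real: str, mapped: str) -> str:
    """1:1 static NAT keeps the host offset: 10.20.30.5 -> 172.16.16.5."""
    real_net, mapped_net = ip_network(real), ip_network(mapped)
    offset = int(ip_address(addr)) - int(real_net.network_address)
    return str(ip_address(int(mapped_net.network_address) + offset))


def translate(rules: List[NatRule], src: str, dst: str,
              ingress: str, egress: str) -> Optional[Tuple[str, str, int]]:
    """Outbound lookup: the first matching rule wins (NAT section 1 semantics).
    Returns (mapped_src, dst, rule_index), or None when no rule matches."""
    for i, r in enumerate(rules):
        if not r.interfaces_match(ingress, egress):
            continue
        if ip_address(src) not in ip_network(r.real_src):
            continue
        if r.real_dst and ip_address(dst) not in ip_network(r.real_dst):
            continue
        if r.mapped_src == "PAT":
            return OUTSIDE_IP, dst, i
        return static_map(src, r.real_src, r.mapped_src), dst, i
    return None


def untranslate(rules: List[NatRule], src: str, dst: str,
                ingress: str, egress: str) -> Optional[Tuple[str, str, int]]:
    """Inbound lookup for a packet sent to a mapped address: a static rule is
    applied in reverse (the packet arrives on r.egress and leaves on r.ingress)."""
    for i, r in enumerate(rules):
        if r.mapped_src == "PAT" or not r.interfaces_match(egress, ingress):
            continue
        if ip_address(dst) not in ip_network(r.mapped_src):
            continue
        if r.real_dst and ip_address(src) not in ip_network(r.real_dst):
            continue
        return src, static_map(dst, r.mapped_src, r.real_src), i
    return None


def crypto_acl_matches(acl: Tuple[str, str], mapped_src: str, dst: str) -> bool:
    """The crypto-map ACL is evaluated after NAT, so it must name mapped addresses."""
    return (ip_address(mapped_src) in ip_network(acl[0])
            and ip_address(dst) in ip_network(acl[1]))


def selectors_mirror(local: Tuple[str, str], remote: Tuple[str, str]) -> bool:
    """Phase-2 proxy IDs on the two peers must be exact mirrors of each other."""
    return (ip_network(local[0]) == ip_network(remote[1])
            and ip_network(local[1]) == ip_network(remote[0]))


# Section-1 rules in the order they appear in the posted "show run".
POSTED = [
    NatRule("inside", "outside", "10.20.30.0/24", "172.16.16.0/24", real_dst="10.0.10.0/24"),
    NatRule("inside", "outside", "0.0.0.0/0", "PAT"),
    NatRule("dmz", "outside", "0.0.0.0/0", "PAT"),
    NatRule("inside", "outside", "10.20.30.0/24", "10.20.30.0/24", real_dst="192.168.222.0/24"),
]
# First change from the accepted solution: the tunnel rule becomes nat (inside,any).
FIXED = [NatRule("inside", "any", "10.20.30.0/24", "172.16.16.0/24",
                 real_dst="10.0.10.0/24")] + POSTED[1:]
# access-list outside_1_cryptomap, and the assumed mirror of it on the Fortigate.
CRYPTO_ACL = ("172.16.16.0/24", "10.0.10.0/24")
FORTIGATE_SELECTOR = ("10.0.10.0/24", "172.16.16.0/24")   # assumption, not from the post

if __name__ == "__main__":
    print("outbound:", translate(POSTED, "10.20.30.5", "10.0.10.10", "inside", "outside"))
    print("inbound: ", untranslate(POSTED, "10.0.10.10", "172.16.16.5", "outside", "inside"))
    print("egress not 'outside', posted rule:", translate(POSTED, "10.20.30.5", "10.0.10.10", "inside", "dmz"))
    print("egress not 'outside', (inside,any):", translate(FIXED, "10.20.30.5", "10.0.10.10", "inside", "dmz"))
    print("selectors mirror:", selectors_mirror(CRYPTO_ACL, FORTIGATE_SELECTOR))
```

Three things the model makes visible. First, the tunnel rule only fires when the ASA resolves the packet's egress interface to exactly "outside"; with "any" it fires whatever the egress is, which is the effect of the author's first change. Second, order inside section 1 is everything: if the dynamic PAT rule sat above the tunnel rule, 10.20.30.x would leave as the outside address, never match outside_1_cryptomap, and go out in the clear instead of into the tunnel; the posted config does exactly that for the remote-access pool, since the identity rule for 192.168.222.0/24 comes after the "source dynamic any interface" rule and so never matches. Third, the crypto ACL and the far-end selectors must mirror each other on the mapped addresses. On the box itself the equivalent checks are "show nat detail" and "packet-tracer input outside icmp 10.0.10.10 8 0 172.16.16.5", which reports which NAT rule and crypto map entry the packet hits. One further caveat on the posted crypto settings: the dynamic map offers DES and MD5 transform sets and PFS group 1, which was already weak in 2011 and should not be carried into a new deployment.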
 

Author Closing Comment

by:netfriendsinc
ID: 36708137
Didn't get any help here, so I fixed it myself.
