Trouble setting up VPN to Non-ASA box

Posted on 2011-09-18
Last Modified: 2012-06-21
Our situation is as follows:

- On one end, an ASA 5505 running 8.3(1). Several servers in the 10.20.30.0/24 subnet.

- On the other end, a Fortigate 60B. A backup server in the 10.0.10.0/24 subnet.

- The tricky bit is that we want to NAT the addresses of the servers behind the ASA so that to the backup server they appear to be in the 172.16.16.0/24 subnet.

- We're using an L2L IPsec VPN with standard settings. We don't have any trouble opening the tunnel. The problem is that none of the machines on either end can talk to each other. Packets from the backup server are received by the ASA, but they don't seem to go anywhere. Packets from the servers behind the ASA don't seem to reach the Fortigate. I'm pretty sure the problem is in my NAT rules or crypto map or one of those things.

- When the backup server behind the Fortigate tries to ping one of the servers at its NATed address, I see the ping come to the ASA and get NATed to the correct internal address, but then I get "regular translation creation failed for icmp" in the ASA log.

ASA config attached. Can anyone shed light on the issue?

Thanks!

Result of the command: "show run"

: Saved
:
ASA Version 8.3(1) 
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.20.30.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address [external IP] 255.255.255.240 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.100.100.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name domain.com
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network Inside_LAN 
 subnet 10.20.30.0 255.255.255.0
object network VPN_Tunnel 
 subnet 192.168.222.0 255.255.255.0
object network DMZ 
 subnet 10.100.100.0 255.255.255.0
object network DMZ_10.100.100.0_24 
 subnet 10.100.100.0 255.255.255.0
object network Backup_LAN 
 subnet 10.0.10.0 255.255.255.0
 description Backup internal network 
object network Backup_NAT 
 subnet 172.16.16.0 255.255.255.0
 description Backup NAT subnet for devices 
access-list vpn_splitTunnelAcl standard permit 10.20.30.0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip object Backup_NAT object Backup_LAN 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ipsecvpnpool 192.168.222.1-192.168.222.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm631.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static Inside_LAN Backup_NAT destination static Backup_LAN Backup_LAN
nat (inside,outside) source dynamic any interface
nat (dmz,outside) source dynamic any interface
nat (inside,outside) source static Inside_LAN Inside_LAN destination static VPN_Tunnel VPN_Tunnel
!
object network obj_any
 nat (inside,outside) dynamic interface
object network DMZ
 nat (dmz,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 [gateway IP] 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer [Fortigate IP] 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 10.100.100.100-10.100.100.254 dmz
dhcpd dns 208.67.220.220 208.67.222.222 interface dmz
dhcpd auto_config outside interface dmz
dhcpd enable dmz
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
group-policy vpn internal
group-policy vpn attributes
 dns-server value 10.20.30.11
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl
 vpn-group-policy vpn
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
 address-pool ipsecvpnpool
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key *****
tunnel-group [Fortigate IP] type ipsec-l2l
tunnel-group [Fortigate IP] ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
: end

Question by:netfriendsinc

Expert Comment

by:jmeggers
Do your ACLs match up?  What you're doing looks right to me based on similar configurations I've done (using the NAT subnet and the real far-end subnet).  What ACL does the far end device use?

Author Comment

by:netfriendsinc
It's a simpler device, so it doesn't really use ACLs per se. The Fortigate UI actually shows each L2L VPN as a virtual "interface," so we have a static route directing 172.16.16.0/24 traffic to that interface. All outbound traffic from the backup server is permitted. Only inbound ping traffic (for diagnostic purposes) is permitted. That's all the rules we have on that side.

Author Comment

by:netfriendsinc
I should clarify - all outbound traffic from the backup server to the 172.16.16.0/24 subnet is permitted. Only inbound ping traffic from the 172.16.16.0/24 subnet to the backup server is permitted.

Accepted Solution

by:netfriendsinc
This problem was resolved by one or both of the following (not sure which, I did both and now it works):

1. In line 80, switched to nat (inside,any)
2. Added line: crypto map outside_map 1 set reverse-route
 
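Added example, not part of the original thread: the poster's VPN NAT rule with the two changes from the accepted solution applied, followed by the ASA commands that confirm each stage of the path. The thread does not establish which of the two changes cured the fault, so both are shown. Object names, interface names and the host 10.20.30.11 come from the posted config; 10.0.10.50 as the backup server's address and the placeholder [Fortigate IP] are assumptions.

```cisco
! Added example (not the poster's running config): the static policy NAT
! for the tunnel as it looks after the two changes in the accepted
! solution, plus verification commands. 10.0.10.50 is an assumed address
! for the backup server behind the Fortigate.
!
! Objects exactly as posted: real inside subnet, the identity it presents
! on the tunnel, and the remote subnet behind the Fortigate.
object network Inside_LAN
 subnet 10.20.30.0 255.255.255.0
object network Backup_NAT
 subnet 172.16.16.0 255.255.255.0
object network Backup_LAN
 subnet 10.0.10.0 255.255.255.0
!
! Change 1: mapped interface "any" instead of "outside".
! 10.20.30.x <-> 172.16.16.x (host part preserved, net-to-net static),
! applied only when the other party is Backup_LAN, which stays untranslated.
! The position argument "1" keeps the rule ahead of the dynamic PAT rules;
! re-adding it without a position appends it after
! "nat (inside,outside) source dynamic any interface", whose any/any match
! would PAT the backup traffic to the outside address first.
no nat (inside,outside) source static Inside_LAN Backup_NAT destination static Backup_LAN Backup_LAN
nat (inside,any) 1 source static Inside_LAN Backup_NAT destination static Backup_LAN Backup_LAN
!
! Crypto ACL (unchanged): the crypto-map match runs on the translated
! addresses, so it names the mapped subnet Backup_NAT, not Inside_LAN.
access-list outside_1_cryptomap extended permit ip object Backup_NAT object Backup_LAN
!
! Change 2: reverse route injection adds a route for the remote proxy
! network (Backup_LAN) toward the peer to the routing table.
crypto map outside_map 1 set reverse-route
!
! Verification, inside toward the backup server. Expect a NAT phase that
! shows 10.20.30.11 translated to 172.16.16.11, a VPN phase matching
! outside_1_cryptomap, and a final "Action: allow".
packet-tracer input inside icmp 10.20.30.11 8 0 10.0.10.50 detailed
!
! Translation hit counters, the injected route, and the phase 2 SA.
show nat detail
show route
show crypto ipsec sa peer [Fortigate IP]
```

Because the crypto ACL carries the mapped subnet, the proxy IDs the ASA offers are 172.16.16.0/24 to 10.0.10.0/24, and the Fortigate side must mirror them; the static route to 172.16.16.0/24 via the tunnel interface mentioned in the thread is consistent with that. Unrelated to the fault but visible in the posted config: the dynamic map still offers DES and MD5 transform sets with PFS group 1, and telnet and HTTP management are permitted from 0.0.0.0/0 on the inside; tightening those is routine hardening for a box that terminates a site-to-site tunnel.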

Author Closing Comment

by:netfriendsinc
Didn't get any help here, so I fixed it myself.