Solved

ipsec pass-thru and nat-t for ASA

Posted on 2011-09-20
25
809 Views
Last Modified: 2012-05-12
I originally posted a question regarding the gre-ipsec configuration of a linux red hat server and quickly realized my problem is not with the server config but with the ASA...

Site A has a Router A with public ip 12.127.13.242.  Site B has a nat wall (the ASA) and outside ip 64.15.4.8 and inside ip 192.168.5.8 for the server which is terminating the tunnel.  Those IPs are the global and local IPs of the server respectively.
Both endpoints are running nat traversal.  The ASA doesn't need to run nat-t because it is not terminating the tunnel, it is just a pass-thru box for the gre-ipsec tunnel.  Or so I claim.

Can someone shoot me the config update lines needed for the ASA to allow this?
0
Question by:mrkent
25 Comments
 
LVL 15

Assisted Solution

by:The_Warlock
The_Warlock earned 45 total points
Can you post 2 things here for us in sep. files? 1) The current running config of the ASA (sanitized) and 2) a brief picture of your net topology as you have it now? Your description above needs some clarity and that will help us in achieving that and also help us provide a faster and more accurate resolution for you....Thanks in advance.
0
 

Author Comment

by:mrkent
Here is the picture of the topology.
I'm not privy to the config yet.  They will give me access tomorrow but I have to hit the ground running so I need to know what to do in advance.

I do know that normal operation is working because both routers can reach each other via ping and ssh.

Will this topology help you?

Also, secondary question, what if we don't have to do IPSEC, and we can just do GRE?  Is there a similar pass-thru function or process for passing GRE thru in both directions or is that just a matter of allowing protocol 47 thru the access lists?
asa-pass-thru--.vsd
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 455 total points
So the tunnel is set up between the two routers (and through the ASA)?
Are you using the public ip (of the outside interface) of the asa to forward? If so, that could be the issue. GRE and ESP cannot be pushed through NAT/PAT. So you will need an extra public ip (one to one) to do the passthrough.
0
 

Author Comment

by:mrkent
Yes, tunnel is between two routers and at one end the tunnel passes thru the ASA.

Not using the ASA's public IP, I am using another available public IP to forward.  Router 2 has a private IP of 192.168.5... and is mapped to the public IP 64.15....  Natted at the ASA.

I thought you could pass IPSEC (esp packets) thru NAT because of Nat-traversal (eg. encapsulate the esp into udp 4500)?  Both routers support it, so I don't think that is my issue.  Am I wrong?

Anyway, my concern is allowing the tunnels thru the ASA to the proper destinations.   I can ping and ssh router to router.  Is it only a matter of the proper acls on the ASA outside interface, or is it more?  What does anyone know about "inspect" or "fixup" (like the old PIXs) or "sysopt connection..."  These seem to be global commands and may be mutually exclusive or not supported or whatever.

As soon as I get access to the ASA I will have a short time period to get my config updated, so I need help.  I know that this has been done before

Thanks in advance.
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 455 total points
Ok, assuming the following:

-The ASA is version < 8.3
-you have a static in place to the router, like: static (inside,outside) 64.15.x.x 192.168.5.x netmask 255.255.255.255 (so 1 to 1 and not forwarding specific ports in the static).

Then the outside access list should have:
access-list outside permit esp any host 64.15.x.x
and
access-list outside permit udp any host 64.15.x.x eq 500
To allow IKE and ESP through.
0
 

Author Comment

by:mrkent
OK, following that thought I also should add:
access-list outside permit udp any host 64.15.x.x eq 4500
to allow for both sides doing nat traversal since a nat had taken place in the path. Am I right?
Should I be forwarding specific ports in the static?

So that's it?  None of the global settings that I mentioned above?
It makes me wonder because they told me (previous admins) that ALL ip traffic is allowed from Router 1, public 64....  and I think that if so I wouldn't need any additional acl permits on the outside interface.
 I don't have much faith in what they told me now.
0
 

Author Comment

by:mrkent
Here is the relevant portion of the ASA config.  I'm still having trouble getting to phase 2 of the GRE/IPSEC tunnel between the two endpoints (ASA not an endpoint).  So I want to rule out this ASA as being the problem.  I noticed that it does not have the "inspect ipsec-pass-thru" line after the "class inspection default".  Is that needed???

Also there is only one static 1 to 1 nat (no other nat) here and it has a "dns" keyword at the end.  Is that affecting this?
asa-config--.txt
0
 

Author Comment

by:mrkent
1.  So to clarify... I DON'T need this?:
policy-map asa_global_fw_policy
 class inspection_default
  inspect ipsec-pass-thru


2.  I tried to do this with ONLY doing GRE, without IPSEC.  I am getting failure logs from the ASA..."translation group failure for protocol gre: source ip x.x.x.x  destination ip y.y.y.y"
Tells me it has something to do with the nat translation??
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 455 total points
1.  So to clarify... I DON'T need this?
Perhaps not. What OS version of the ASA do you have?

2.  I tried to do this with ONLY doing GRE, without IPSEC
The failure, is that source ip = outside and destination inside or the other way around?
0
 

Author Comment

by:mrkent

1. version 8.0(5)23

2. Source ip was the ip of the other end of the tunnel.  Depending on which I chose on the other end as its tunnel source - I tried it using the physical interface as the tunnel source, then I tried it using a loopback ip as its tunnel source.  In either case, it was that chosen ip that showed up in this ASA's error log.
Destination ip in the error message was the ip of this tunnel endpoint behind the asa.
It wasn't your typical "inside, outside" pair of the static translation, since the two ips involved were the gre tunnel endpoints and not a nat pair.  So it was odd to me, because I thought a translation group error had something to do with a nat translation.
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 455 total points
Ok, could you add:

policy-map asa_global_fw_policy
 class inspection_default
  inspect ipsec-pass-thru

To see if that helps.

As far as I can see the rest should be ok. Do keep a close look at the logs when the tunnel is being initiated and let's see what happens.
0
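Pulling the pieces of this thread together, here is an added check (example code, not part of the thread and not a Cisco tool) that reads an ASA config in the pre-8.3 syntax used above and reports the three things the answers turn on: whether the tunnel endpoint's static is a plain one-to-one mapping rather than a port redirect, which of the outside-interface permits for IKE (udp/500), NAT-T (udp/4500), ESP and GRE are missing for that public address, and whether "inspect ipsec-pass-thru" is configured. The sample config is constructed for the example in the style of the lines quoted in the thread, reusing the addresses named in the question; it is not the poster's attached file.

```python
"""Added check: does an ASA config (pre-8.3 syntax, as in this thread) have
what a GRE/IPsec pass-through to a one-to-one static-NATed inside host needs?
Example code, not part of the thread or of any Cisco tool."""
import re

# Constructed sample in the style of the config lines quoted in the thread.
# Addresses are the ones named in the question; the file itself is made up.
SAMPLE_CONFIG = """\
static (inside,outside) 64.15.4.8 192.168.5.8 netmask 255.255.255.255 dns
access-list outside extended permit udp any host 64.15.4.8 eq isakmp
access-list outside extended permit esp any host 64.15.4.8
access-group outside in interface outside
policy-map asa_global_fw_policy
 class inspection_default
  inspect dns
service-policy asa_global_fw_policy global
"""

# Outside-interface permits the thread settles on: IKE, NAT-T, ESP and GRE.
REQUIRED_ACES = {
    "udp/500 (IKE)": ("udp", "500"),
    "udp/4500 (NAT-T)": ("udp", "4500"),
    "esp": ("esp", None),
    "gre": ("gre", None),
}
PORT_ALIASES = {"isakmp": "500"}  # the ASA accepts the service name or the number

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
STATIC_RE = re.compile(r"^static\s+\([^)]+\)\s+(?P<rest>.+)$")


def parse_permits(config_text):
    """Return (acl_name, proto, dst, port) for each permit ACE; dst is 'any'
    or a host address.  Only the 'any' / 'host X' endpoint forms are parsed."""
    permits = []
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            port = PORT_ALIASES.get(m["port"], m["port"])
            permits.append((m["name"], m["proto"].lower(), m["dst"].split()[-1], port))
    return permits


def static_is_one_to_one(config_text, public_ip):
    """True when public_ip is mapped by a plain static, not a port redirect
    (static (i,o) tcp <gip> <port> <lip> <port> ...), which cannot carry ESP/GRE."""
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        tokens = m["rest"].split()
        if tokens[0].lower() in ("tcp", "udp"):
            if tokens[1] == public_ip:
                return False
        elif tokens[0] == public_ip:
            return True
    return False


def ace_covers(ace, proto, port, public_ip):
    """Does one ACE permit the given protocol/port to the public host?"""
    _, p, dst, ace_port = ace
    if dst not in ("any", public_ip):
        return False
    if p == "ip":
        return True  # 'permit ip any any' style: covers every protocol and port
    return p == proto and (port is None or ace_port == port)


def inspect_enabled(config_text, inspection="ipsec-pass-thru"):
    """True if 'inspect <inspection>' appears under some class in a policy-map."""
    return any(l.strip() == f"inspect {inspection}" for l in config_text.splitlines())


def check_passthrough(config_text, public_ip):
    """Summarise what the pass-through to public_ip still lacks."""
    permits = parse_permits(config_text)
    missing = [
        label for label, (proto, port) in REQUIRED_ACES.items()
        if not any(ace_covers(a, proto, port, public_ip) for a in permits)
    ]
    return {
        "one_to_one_static": static_is_one_to_one(config_text, public_ip),
        "missing_aces": missing,
        "blanket_ip_permit": any(a[1] == "ip" and a[2] == "any" for a in permits),
        "ipsec_pass_thru_inspect": inspect_enabled(config_text),
    }


if __name__ == "__main__":
    for k, v in check_passthrough(SAMPLE_CONFIG, "64.15.4.8").items():
        print(f"{k}: {v}")
```

Run against the sample it reports the static as one-to-one and flags the udp/4500 and gre entries as missing, with no ipsec-pass-thru inspection; a "permit ip any any" on the outside ACL (what the previous admins claimed) clears the missing list and is reported separately as a blanket permit, since that is worth knowing about for its own sake.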
 

Author Comment

by:mrkent
Thank you.  I got the IPSEC to work across.  GRE/IPSEC though is not working yet and I think I narrowed it down to a problem with the linux server and not this ASA.

One last thing, as suggested, I looked at logs, better yet I created some captures to look at the traffic at the same time on the 'inside' and 'outside' interfaces.  When doing so I noticed a strange phenomenon on the inside interface capture.  First let me point out that there is an inside acl now that ONLY allows access from this inside subnet to the IPSEC and GRE protocols and ssh, and to ONLY one specific destination.  The unusual finding was that occasionally I would see auto update attempts from the computer to Microsoft and other similar web sites, and then RETURN traffic from these sites.   There is no corresponding traffic on the 'outside' interface, very strange.  Is this possible, given the limiting inside acl, or can these captures be misleading?
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 455 total points
Hmm, no WSUS server on the inside by any chance?
0
 

Author Comment

by:mrkent
Yup, I'm checking that.  There is actually an image server on the inside and I'm wondering if it is also proxying updates somehow.  But not all the IPs hit in the asa captures are only Microsoft sites as far as I can tell, and why would the return traffic in the captures appear to come from those public web sites?  Wouldn't the return come from this inside server?
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 455 total points
Just checked the last config you posted. The inside access list is a 'permit ip any any'.........
Or did you change that in the meantime?
0
 

Author Comment

by:mrkent
Oh, sorry I forgot.  Yes, it was changed in the meantime to allowing just IPSEC and GRE (if I'm doing GRE/IPSEC then I think allowing IPSEC is all I need, but I added GRE (port 47) in just in case) and also ssh to only one destination.
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 455 total points
Mm. It shouldn't get through.
Not sure what that could be, don't know if there's anything in the config that might be allowing that....
0
 

Author Comment

by:mrkent
Still investigating if the image server is also acting as a WSUS and masquerading as the far end server responding to the PC (with tcp Resets).  This is an issue, but is secondary to the original and separate problem.

Getting back to the original problem of whether or not the ASA is causing the end to end failure of the GRE/IPSEC tunnel, while IPSEC w/o GRE does work...  Does the "nat-control" command have an affect on this?
0
 

Author Comment

by:mrkent
OK, here are the results.  I took out the ASA and everything works.  Put it back in and only IPSEC works, but not GRE w/ IPSEC.  Replaced the server with another router and everything works.  So my conclusion is the server does not support GRE/IPSEC behind a nat wall.  As far as I am concerned the ASA was not the culprit as I originally thought when I opened this question.

The only thing that remains is the secondary issue that emerged when I locked down the inside acl for outgoing messages.  And the ASA captures showed tcp set and reset traffic between a station and microsoft servers on the internet.  Since there is an image server on the inside LAN that does have internet access, is it possible that the ASA captures think they see actual traffic between the station and the internet, when in reality it is the image server getting updates and redirecting to the station?
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 455 total points
Could you show how you locked it down?
0
 

Author Comment

by:mrkent
Here is the relevant config.  Access 100 is upgraded to lock down the LAN going out.  What I see in a capture for example is a workstation 192.168.5.6 that sends a tcp Set to a public microsoft server (for automatic updates?? or locator service??? no idea why) and then a return Reset from that microsoft server.  That is seen on the inside.  But on the outside, no corresponding traffic.  Weird.
asa-config---2-.txt
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 455 total points
Hi, I'm still here :)

Could you show me the capture you mentioned?
0
 

Author Comment

by:mrkent

I did the capture with singling out just one specific computer behind this asa. For the inside acl I limited this workstation's vlan to accessing only ONE outside destination and ONLY some specific ports.  This particular station 192.168.5.6 gets NAT to public IP 64.15.4.9.
When I did captures on the 'inside' and 'outside' interfaces simultaneously, looking at ONLY traffic to and from the one workstation, I saw what I thought appeared to be automatic updates querying from the workstation, and being answered by microsoft or akamai or whatever it is sending to.

Oddly enough, I only see back and forth traffic (port 80) on the inside capture but not the outside capture.

Turning off automatic updates on the PC is probably the thing to do but, how was this possible with the ASA??

Here is sample capture between this PC and Microsoft servers.  There is not a corresponding capture on the outside.

Are the captures misleading or is there actual traffic between the PC and Microsoft??

capture-as-requested.txt
0
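The comparison the two of you are doing by eye here, pairing the inside capture with the simultaneous outside capture through the NAT mapping and looking for conversations that appear only on the inside, can be done mechanically. The following is an added diagnostic (example code, not part of the thread) that parses lines in the style of the ASA's "show capture" output, translates each inside conversation with the 192.168.5.6 to 64.15.4.9 mapping stated above, and lists the ones with no outside counterpart. The capture lines are constructed for the example, not the attached capture-as-requested.txt, and the public addresses in them (203.0.113.10, 198.51.100.5) are documentation-range placeholders rather than the real Microsoft or ssh destinations.

```python
"""Added diagnostic: which conversations in an ASA 'inside' capture have no
translated counterpart in the simultaneous 'outside' capture?  Example code,
not part of the thread; the capture lines are constructed in the style of
'show capture' output and the public addresses are documentation-range
placeholders, not the real peers."""
import re
from collections import defaultdict

NAT_MAP = {"192.168.5.6": "64.15.4.9"}  # inside -> outside, as stated in the thread

# Constructed: a port-80 SYN from the workstation answered by an RST that
# claims to come from 203.0.113.10, plus an ssh session to the one permitted host.
INSIDE_CAPTURE = """\
   1: 14:03:10.128491 192.168.5.6.49152 > 203.0.113.10.80: S 1000:1000(0) win 8192
   2: 14:03:10.128720 203.0.113.10.80 > 192.168.5.6.49152: R 0:0(0) ack 1001 win 0
   3: 14:03:12.551003 192.168.5.6.49153 > 198.51.100.5.22: S 2000:2000(0) win 8192
   4: 14:03:12.611870 198.51.100.5.22 > 192.168.5.6.49153: S 3000:3000(0) ack 2001 win 65535
"""
# Constructed: only the ssh session shows up on the outside, already translated.
OUTSIDE_CAPTURE = """\
   1: 14:03:12.551210 64.15.4.9.49153 > 198.51.100.5.22: S 2000:2000(0) win 8192
   2: 14:03:12.611650 198.51.100.5.22 > 64.15.4.9.49153: S 3000:3000(0) ack 2001 win 65535
"""

PKT_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<flags>\S+)"
)


def parse_capture(text):
    """Return a list of (src, sport, dst, dport, tcp_flags) for each parsable line."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            pkts.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return pkts


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a conversation share it."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def flows(pkts):
    """Group packets into conversations, keeping the sequence of flags seen."""
    seen = defaultdict(list)
    for src, sport, dst, dport, flags in pkts:
        seen[flow_key(src, sport, dst, dport)].append(flags)
    return seen


def translate(key, nat_map):
    """Rewrite an inside-side key to what it should look like after NAT."""
    (a_ip, a_port), (b_ip, b_port) = key
    return flow_key(nat_map.get(a_ip, a_ip), a_port, nat_map.get(b_ip, b_ip), b_port)


def inside_only_flows(inside_text, outside_text, nat_map):
    """Conversations present on the inside with no translated counterpart on
    the outside: those packets never crossed the ASA."""
    inside = flows(parse_capture(inside_text))
    outside = flows(parse_capture(outside_text))
    return {k: v for k, v in inside.items() if translate(k, nat_map) not in outside}


def describe(missing):
    """One readable line per inside-only conversation."""
    return [f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]} flags {','.join(f)} (inside only)"
            for (a, b), f in missing.items()]


if __name__ == "__main__":
    for line in describe(inside_only_flows(INSIDE_CAPTURE, OUTSIDE_CAPTURE, NAT_MAP)):
        print(line)
```

On the constructed sample the ssh session matches up across the NAT and drops out, while the port-80 SYN/RST pair is reported as inside only, which is exactly the pattern described in this thread: a reset that carries a public source address but was never seen leaving the outside interface, so it was generated by something on the inside segment (or by the ASA itself) rather than by that host.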
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 455 total points
Hi, been a bit busy lately hence the delay.

This is very odd indeed. It looks like the ASA is impersonating that outside ip. Haven't seen that before, not sure what to think of it.
Though there is no corresponding traffic on the outside so we can safely assume there is no traffic actually coming through.
For the rest, do you happen to have a smartnet on the ASA? I think it might be interesting to drop this at Cisco's to see what they think of this.
0
 

Author Comment

by:mrkent
That's what I will do.  I'm beginning to think the image server (which is on the ASA's inside interface) is the culprit, but I don't know why the "source" of the return traffic is not the image server's IP but rather appears to be the public IP of Microsoft (and/or Akamai??) (even though I see nothing corresponding to it on the outside ASA interface).  Very odd.

Thank you for your support.  You have been a big help.
0
