Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

cisco asa-asa tunnel from dmz port on one side - same subnets on both sides

Posted on 2012-09-14
11
Medium Priority
?
787 Views
Last Modified: 2012-09-17
This is a variation on the "same subnet on the inside on both sides of a tunnel".

I am not getting any crypto isa (deb crypto isa 40) when pinging from host in SiteA dmz to inside host on Site B.

(public ip's changed)

Site A
inside: 192.168.1.1/24
dmz: 192.168.7.1/24
outside: 222.111.0.40

Site B
inside: 192.168.1.1/24
outside: 155.233.0.50


Hosts in Site B need to access a host in dmz at Site A (192.168.7.10).
However, the Site A has a connected route for 192.168.1.0/24.

I'm using the typical solution to NAT the dmz subnet on Site A and the inside on Site B.

Site A
access-list acl_nat_siteb permit ip 192.168.7.0 255.255.255.0 10.155.233.0 255.255.255.0

access-list acl_crypto_siteb permit ip 10.222.111.0 255.255.255.0 10.155.233.0 255.255.255.0

static (dmz,outside) 10.222.111.0 access-list acl_nat_siteb

crypto map map_siteb match address acl_crypto_siteb


Site B
access-list acl_nat_sitea permit ip 192.168.1.0 255.255.255.0 10.222.111.0 255.255.255.0

access-list acl_crypto_sitea permit ip 10.155.233.0 255.255.255.0 10.222.111.0 255.255.255.0

static (dmz,outside) 10.155.233.0 access-list acl_nat_siteb

crypto map map_siteb match address acl_crypto_sitea
0
Comment
Question by:snowdog_2112
  • 6
  • 5
11 Comments
 
LVL 2

Expert Comment

by:Sepist
ID: 38399933
You're not accidentally doing NAT exemption are you? If you can post the sanitized config of each I can go through it real quick and verify NAT/Policy NAT is correct.
0
 

Author Comment

by:snowdog_2112
ID: 38400706
there is a nat exemption on that DMZ port, but not for the tunnel.  I need that to exempt traffic from the dmz into the inside, and to one other dmz port defined on the asa (192.168.5.1/24).

nat (dmz) 0 access-list acl_dmz_nonat

acl_dmz_nonat permit ip 192.168.7.0 255.255.255.0 192.168.5.0 255.255.255.0
acl_dmz_nonat permit ip 192.168.7.0 255.255.255.0 192.166.1.0 255.255.255.0

Would I need to also static map in place of the nat exemption?

static (dmz,inside) 192.168.7.0 access-list acl_dmz_inside
static (dmz,dmz2) 192.168.7.0 access-list acl_dmz_dmz2

acl_dmz_inside permit ip 192.168.7.0 255.255.255.0 192.168.5.0 255.255.255.0
acl_dmz_dmz2 permit ip 192.168.7.0 255.255.255.0 192.166.1.0 255.255.255.0
0
 
LVL 2

Expert Comment

by:Sepist
ID: 38400707
No since they're not part of the encryption traffic it wouldn't be necessary
0
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

 

Author Comment

by:snowdog_2112
ID: 38400790
I made that change anyways.  there is no "nat (dmz,outside) 0" of any kind.  There are other nat 0's for other dmz ports but they are also acl-based.

The remote side too, with no dmz, does not show any crypto traffic.  I removed the nat 0 on that side as well.

This is Site B - the slightly less complex config.  This does not generate any crypto isa debugs when I "ping inside 10.222.77.10".

(I am external to both devices and only have ssh access to a device in the dmz at Site A - so I can try to ping from 192.168.7.10 to an internal IP at Site B - that doesn't generate crypto debug either).

ASA Version 8.2(5)
!
hostname mmasa5505
domain-name mmp.com
enable password cLY95rSlw5/gj3iX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 24.111.222.98 255.255.255.248
!
clock timezone GMT 0
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 name-server 4.2.2.2
 domain-name mmp.com
access-list acl_crypto_ibs extended permit ip 10.24.111.0 255.255.255.0 10.222.77.0 255.255.255.0
access-list in.outside extended permit icmp any any echo-reply
access-list acl_nat_inside_ibs extended permit ip 192.168.1.0 255.255.255.0 10.222.77.0 255.255.255.0
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.1.28 www netmask 255.255.255.255
static (inside,outside) 10.24.111.0  access-list acl_nat_inside_ibs
access-group in.outside in interface outside
route outside 0.0.0.0 0.0.0.0 24.111.222.97 1

dynamic-access-policy-record DfltAccessPolicy

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address acl_crypto_ibs
crypto map outside_map 1 set peer 222.77.227.130
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
management-access inside
dhcpd dns 192.168.1.1 4.2.2.2
dhcpd auto_config outside
!
dhcpd address 192.168.1.201-192.168.1.254 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

tunnel-group 222.77.227.130 type ipsec-l2l
tunnel-group 222.77.227.130 ipsec-attributes
 pre-shared-key *****
!
!
0
 
LVL 2

Expert Comment

by:Sepist
ID: 38400806
You don't have any ACL's configured, are you allowing VPN traffic via the "sysopt connection permit-vpn" command?
0
 
LVL 2

Accepted Solution

by:
Sepist earned 2000 total points
ID: 38400818
Re-reading your OP it sounds like phase 2 isn't evne building (so if you do "show crypto ipsec sa" you don't see anything). From site A you may want to run this through packet tracer and see if it drops or accepts:

"packet-tracer input inside tcp 192.168.7.25 555 10.155.233.5 80 detailed"

You can paste the results here and I can look at it if it doesn't make sense.
0
 

Author Comment

by:snowdog_2112
ID: 38402210
I'm not getting phase 1 or phase 2.

The packet trace on Site B is dropped at the VPN step - after it NAT's to the "made-up" address.  It seems like the acl_crypto_ibs is not coming up with a match.  

So it NAT's 192.168.1.10 to 10.24.111.0/24 in the previous steps.  Let me know if you need the entire packet trace - I'm editing the IP's so the less I have to edit, the less likely I am to make a mistake here.

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xca1e5180, priority=70, domain=encrypt, deny=false
        hits=1, user_data=0x0, cs_id=0xc9d70848, reverse, flags=0x0, protocol=0
        src ip=10.24.111.0, mask=255.255.255.0, port=0
        dst ip=10.222.77.0, mask=255.255.255.0, port=0, dscp=0x0
0
 
LVL 2

Expert Comment

by:Sepist
ID: 38405620
I noticed earlier you are testing by doing "ping inside 10.222.77.10". You should be testing from a workstation on the inside and not from the ASA itself as typically you cannot ping across a VPN when sourcing from the ASA (there are ways around this but let's just stick to basics for testing)
0
 

Author Comment

by:snowdog_2112
ID: 38407586
What is the "way around" pinging from the ASA into a tunnel?  That would be helpful.

I must have had a typo somewhere, or an overlapping nat on the Site A side.  I moved the connection to one of the other named dmz ports in a different local subnet (192.168.4.0/24), and re-configured using the same principles, including the "nat (dmz4,outside) 10.222.77.0 access-list acl_nat_remote"...

The tunnel came up and the packet-tracer on Site B no longer drops the packet - I'm guessing that means it was dropping it before because the tunnel was not up, and the "ping inside" from Site B was not enough to bring up the tunnel.

I still can't ping across, but the tunnel is up, which is my OP.

Thanks!
0
 

Author Closing Comment

by:snowdog_2112
ID: 38407588
Not the solution directly, but led me to rebuild the config on Site A and move the NAT to a different named dmz port.
0
 
LVL 2

Expert Comment

by:Sepist
ID: 38407669
The management-access interface command allows you to ping the ASA's inside interface
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question