S2S VPN Issue

Hello Experts,

We have a Site-to-Site VPN configured with one of the companies we work with. It is configured between two Cisco ASAs.

Let's say Site A (us) and Site B (external company).

Local Subnet : 10.1.2.0/24
Destination : 10.192.128.0/24

Due to overlapping subnets, they have asked us to NAT our subnet to 10.192.129.0/24.

The VPN is up. Hosts at Site A and Site B can ping each other.

Our problem: a host at Site B trying to Remote Desktop to a host at Site B is not working.

I collected the logs and a packet-tracer run on our ASA:

5 Oct 01 2013 13:06:39 305013 10.192.128.160 3389 10.1.2.81 3389 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src Outside:10.192.128.160/3389 dst inside:10.1.2.81/3389 denied due to NAT reverse path failure

6 Oct 01 2013 13:04:33 302014 10.192.128.160 52245 10.1.2.81 3389 Teardown TCP connection 8310312 for Outside:10.192.128.160/52245 to inside:10.1.2.81/3389 duration 0:00:00 bytes 0 TCP Reset-O

6 Oct 01 2013 13:04:33 302013 10.192.128.160 52245 10.1.2.81 3389 Built inbound TCP connection 8310312 for Outside:10.192.128.160/52245 (10.192.128.160/52245) to inside:10.1.2.81/3389 (10.192.129.18/3389)

Packet tracer result


DSFH-ASA-5520# packet-tracer input Outside tcp 10.192.128.160 3389 10.1.2.81 3$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.2.0        255.255.255.0   inside

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_access_in in interface Outside
access-list Outside_access_in extended permit ip 10.192.128.0 255.255.255.0 any
access-list Outside_access_in remark VPN-PC (Radiology WS)
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,Outside) 10.192.129.18  access-list inside_nat_static_1
  match ip inside host 10.1.2.81 Outside 10.192.128.0 255.255.255.0
    static translation to 10.192.129.18
    translate_hits = 558, untranslate_hits = 1146
Additional Information:

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Please, I am in need of help.

Thanks

I appreciate the help
cciedreamerAsked:

max_the_kingCommented:
Hi,
I believe you have implemented a policy NAT, which indeed allows you to bring up a tunnel from Site A to Site B with overlapping addresses.
This way you must have configured an access-list that selects some IPs (or rather the whole subnet) to go into the tunnel and be encrypted by the IPsec tunnel. You should now try to exclude the IPs you do not want to go across the tunnel from the Site B access-list, preventing those packets from going through the tunnel, and route them into their own subnet LAN instead. NAT should be excluded from that access-list.

hope this helps
max
cciedreamerAuthor Commented:
I didn't get it

Here is my config

access-list inside_access_in line 3 extended permit ip object-group AMC-VPN-SRV 10.192.128.0 255.255.255.
access-list inside_nat0_outbound_2 line 2 extended permit ip 10.192.129.0 255.255.255.0 10.192.128.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound_2

access-list AMC-VPN-Traffic extended permit ip 10.192.129.0 255.255.255.0 10.192.128.0 255.255.255.0

crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 109.171.129.13 type ipsec-l2l
tunnel-group 109.171.129.13 ipsec-attributes
 pre-shared-key **********
 isakmp keepalive threshold 10 retry 2

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto map Outside_map 1 match address AMC-VPN-Traffic
crypto map Outside_map 1 set peer 109.171.X.X
crypto map Outside_map 1 set transform-set ESP-AES-128-SHA
crypto map Outside_map 1 set security-association lifetime seconds 28800
crypto map Outside_map 1 set security-association lifetime kilobytes 4608000

object-group network AMC-VPN-SRV
 description Servers at TEST NAT passing through VPN Tunnel
 network-object host 10.1.2.81
 network-object host 10.1.2.14

access-list inside_nat_static_1 line 1 extended permit ip host 10.1.2.202 10.192.128.0 255.255.255.0

static (inside,Outside) 10.192.129.19 access-list inside_nat_static_1 tcp 0 0 udp 0
max_the_kingCommented:
Hi,

since you have an access-list on the inside interface, try adding:

access-list inside_access_in line 1 extended permit ip host 10.1.2.202 10.192.128.0 255.255.255.0

max

cciedreamerAuthor Commented:
Hi,

I have already added that ACL, but no luck.
cciedreamerAuthor Commented:
Pleassssseeeeeeeeeeeeee HELP !!!
max_the_kingCommented:
Hi,
it is not clear to me what you reported:
you say that at Site B (10.192.129.0), when you RDP to a machine on the same subnet (10.192.129.0), you get an error. Well, this is an issue on Site B, but you seem to have reported the config for Site A.

Either way, try this:

no nat (inside) 0 access-list inside_nat0_outbound_2

since you want to NAT that subnet into the tunnel.

max
cciedreamerAuthor Commented:
The machine at Site B (10.192.128.0/24) is trying to RDP to the host at Site A, 10.192.129.18 (NATed IP) / 10.1.2.81 (real IP); only ICMP is working between these hosts. Local RDP is working fine.

Here is the log I collected on the ASA at Site A when trying to RDP from Site B:

6 Oct 02 2013 11:24:28 302013 10.192.128.160 55446 10.1.2.81 3389 Built inbound TCP connection 9518111 for Outside:10.192.128.160/55446 (10.192.128.160/55446) to inside:10.1.2.81/3389 (10.192.129.18/3389)

6 Oct 02 2013 11:24:28 302014 10.192.128.160 55446 10.1.2.81 3389 Teardown TCP connection 9518111 for Outside:10.192.128.160/55446 to inside:10.1.2.81/3389 duration 0:00:00 bytes 0 TCP Reset-O

6 Oct 02 2013 11:24:31 302013 10.192.128.160 55446 10.1.2.81 3389 Built inbound TCP connection 9518162 for Outside:10.192.128.160/55446 (10.192.128.160/55446) to inside:10.1.2.81/3389 (10.192.129.18/3389)

6 Oct 02 2013 11:24:31 302014 10.192.128.160 55446 10.1.2.81 3389 Teardown TCP connection 9518162 for Outside:10.192.128.160/55446 to inside:10.1.2.81/3389 duration 0:00:00 bytes 0 TCP Reset-O

6 Oct 02 2013 11:24:37 302013 10.192.128.160 55446 10.1.2.81 3389 Built inbound TCP connection 9518321 for Outside:10.192.128.160/55446 (10.192.128.160/55446) to inside:10.1.2.81/3389 (10.192.129.18/3389)

6 Oct 02 2013 11:24:37 302014 10.192.128.160 55446 10.1.2.81 3389 Teardown TCP connection 9518321 for Outside:10.192.128.160/55446 to inside:10.1.2.81/3389 duration 0:00:00 bytes 0 TCP Reset-O
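The 302013/302014 pairs in this post and the 305013 message in the original question can be triaged mechanically. The following is an added example, not code from the thread: it parses constructed lines modelled on those messages, correlates built/teardown records by connection id, and reports zero-byte teardowns with TCP Reset-O (a reset received on the Outside interface, pointing at the far side) separately from NAT reverse-path drops (which are the ASA itself dropping). The message layout is assumed to match the lines quoted in the thread.

```python
import re

# Constructed sample lines modelled on the ASA 302013/302014/305013 messages quoted in the thread.
SAMPLE_LOGS = [
    "6 Oct 02 2013 11:24:28 302013 10.192.128.160 55446 10.1.2.81 3389 Built inbound TCP connection 9518111 "
    "for Outside:10.192.128.160/55446 (10.192.128.160/55446) to inside:10.1.2.81/3389 (10.192.129.18/3389)",
    "6 Oct 02 2013 11:24:28 302014 10.192.128.160 55446 10.1.2.81 3389 Teardown TCP connection 9518111 "
    "for Outside:10.192.128.160/55446 to inside:10.1.2.81/3389 duration 0:00:00 bytes 0 TCP Reset-O",
    "5 Oct 01 2013 13:06:39 305013 10.192.128.160 3389 10.1.2.81 3389 Asymmetric NAT rules matched for forward "
    "and reverse flows; Connection for tcp src Outside:10.192.128.160/3389 dst inside:10.1.2.81/3389 "
    "denied due to NAT reverse path failure",
]

BUILT = re.compile(
    r"302013 .*Built (?:inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mapped>[\d.]+)/\d+\)")
TEARDOWN = re.compile(
    r"302014 .*Teardown TCP connection (?P<id>\d+) for .* duration (?P<dur>\d+:\d+:\d+) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$")
RPF = re.compile(
    r"305013 .*Connection for (?P<proto>\w+) src (?P<src>\S+) dst (?P<dst>\S+) "
    r"denied due to NAT reverse path failure")

def analyze(lines):
    """Correlate built/teardown pairs by connection id and return a list of findings."""
    flows, findings = {}, []
    for line in lines:
        if m := BUILT.search(line):
            flows[m["id"]] = m.groupdict()
        elif m := TEARDOWN.search(line):
            flow = flows.get(m["id"], {})
            # Zero bytes plus Reset-O: the reset arrived on the Outside interface before any payload
            # crossed, so the far side tore the session down; the ASA policy is not what blocked it.
            if m["bytes"] == "0" and m["reason"].startswith("TCP Reset-O"):
                findings.append({"kind": "reset_from_outside", "id": m["id"],
                                 "src": flow.get("src"), "dst": flow.get("dst"),
                                 "mapped_dst": flow.get("mapped"), "dport": flow.get("dport")})
        elif m := RPF.search(line):
            # 305013: forward and reverse NAT lookups disagree, i.e. the ASA itself dropped the packet.
            findings.append({"kind": "nat_rpf_failure", "proto": m["proto"],
                             "src": m["src"], "dst": m["dst"]})
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

Run against a real ASA syslog export, a steady stream of reset_from_outside findings with bytes 0 (as in this thread) points at the peer side, while nat_rpf_failure findings point at the local NAT rules.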
max_the_kingCommented:
Hi,
well, ICMP is working between those hosts? This means that the IPsec tunnel is OK!

RDP not working? This may well be an access-list problem.
This might happen because you NATed an entire subnet onto a single IP, thus making policy NAT fail.
E.g. remove this: static (inside,Outside) 10.192.129.19 access-list inside_nat_static_1 tcp 0 0 udp 0

Then try using nat and global statements instead, e.g.:

no static (inside,Outside) 10.192.129.19 access-list inside_nat_static_1 tcp 0 0 udp 0
nat (inside) 2 access-list inside_nat_static_1
global (outside) 2 10.192.129.1-10.192.129.254

then do a "clear xlate" command and try again

max
cciedreamerAuthor Commented:
I have tried removing the policy NAT and configuring a static NAT:

static (inside,Outside) 10.192.129.129 10.1.2.81

But it is still the same issue.
max_the_kingCommented:
You may want to try my previous advice: use nat/global statements as described before.
Since you're able to ping machines, you're almost done.

max
cciedreamerAuthor Commented:
The problem is resolved. There was a misconfiguration in routing at Site B. They were forwarding the VPN traffic to a device which was resetting the TCP packets and sending them back to our firewall.

cciedreamerAuthor Commented:
The problem was resolved by the remote admin in their network.