Solved

cisco ASA site-to-site vpn, nat to public IP on both sides

Posted on 2013-10-28
Last Modified: 2013-11-09
I control one side of this - Cisco ASA 5505 running 8.4+. I do not know what type of device is on the other end.

ASA:
Inside: 192.168.1.254/24
Outside: 71.71.71.34/28   <-- not the actual IP.

I have an IPSec tunnel to the remote side. The local side is a single host (192.168.1.1), which I am NAT'ing to one of our public IPs (71.71.71.40).

Likewise, the remote side is NAT'ing to an IP as they enter their side.

My host (192.168.1.1) can successfully ping the IPs on the inside of the remote tunnel.

The remote side, however, cannot ping 71.71.71.40.

If a packet-tracer and actual pings from the host on my end suggest it's working, does it seem like the problem is on the remote side?
Question by:snowdog_2112
LVL 91

Expert Comment

by:John Hurst
ID: 39607517
I do not know what type of device on the other end.  .....   I have an IPSec tunnel to the remote side  

You need to know what is at the other end.

You need to match Phase 1 variables (several possibilities). You need to match Phase 2 variables (more possibilities). You need to match the pre-shared key. You may need to set NAT Traversal on one end, possibly both. You need to set Main/Aggressive mode.

In short, you cannot set up the remote end (or the local end) without knowing both ends.

The local side is a single host (192.168.1.1),    My host (192.168.1.1)

Am I interpreting the above correctly?  You have the same subnet on each end? That will not work.

... Thinkpads_User
LVL 18

Expert Comment

by:fgasimzade
ID: 39607939
If you have the same subnet on both ends, it will not work.

Here is a guide for Cisco ASA VPN with overlapping subnets:

http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/#eightthree

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

Author Comment

by:snowdog_2112
ID: 39609756
Please read the OP. The tunnels establish and I can ping from my host to all of the IPs in the IPSec SA on the other side. Knowing the device type for the remote endpoint doesn't seem to make a difference - other than me being able to ask for the crypto map and ACLs for our tunnel.

They are NOT the same subnet on both sides.
LVL 18

Expert Comment

by:fgasimzade
ID: 39609765
Make sure you turn off your firewall on your host.
LVL 91

Expert Comment

by:John Hurst
ID: 39609792
There are variables (Phases and Keys) that can prevent tunnels, and there are variables (mode and traversal) that can prevent traffic when the tunnel is formed.

Set up logging on your side and try to establish the tunnel.

What does the log say?

... Thinkpads_User

Author Comment

by:snowdog_2112
ID: 39609938
Not firewall - no firewall enabled.

I am seeing decaps increment from pings FROM the remote side, but no encaps.

I am not seeing anything in a wireshark on my host from the remote side, so it appears the pings are being decrypted and dropped, or sent somewhere I am not expecting.

I don't know how to packet-trace using the remote IP address coming through the tunnel.

e.g.,
packet-tracer input inside icmp 184.184.184.57 8 0 192.168.1.0 detailed

in other words, assuming the packet is decrypted, it should egress the inside interface.
LVL 91

Expert Comment

by:John Hurst
ID: 39609949
So what does the log say? That will normally list errors in tunnel transmission.

... Thinkpads_User

Author Comment

by:snowdog_2112
ID: 39610104
which log on which device?

Again - THE TUNNELS ARE UP.  I CAN PING IN ONE DIRECTION AND RECEIVE A REPLY.

The issue is either with the translation coming out of the tunnel on my side, or the ASA is sending the incoming packets to a different inside host than I am expecting.

Again, a packet-tracer may help, but I don't know the interface or syntax to trace packets coming IN via a tunnel.
LVL 91

Expert Comment

by:John Hurst
ID: 39610114
Look on the log on the Cisco device you have and know about. Logs will tell you more than a packet tracer (at least on my Juniper devices they do).

... Thinkpads_User
LVL 35

Expert Comment

by:Ernie Beek
ID: 39613673
Is there a reason why you're NATting to a public IP? Normally you would exempt VPN traffic from NAT.

The remote side, however, cannot ping 71.71.71.40
Can they ping the internal address (192.168.1.1)?

It might be an idea to post a sanitized config here, that might show us more.

Accepted Solution

by:
snowdog_2112 earned 0 total points
ID: 39621871
They cannot ping 192.168.1.1 because they don't know about 192.168.1.1. They have to access my side by its public IP.

There are plenty of reasons to NAT to a public IP going into a tunnel - one such is that the remote partner is a vendor who has VPN tunnels to *many* networks with overlapping private IP spaces. The best method is for the remote sites to NAT to one of their public IPs, thereby ensuring the uniqueness of the tunnel policies.

We ended up solving the issue. There are actually two tunnels to this vendor, with different remote IP spaces. The crypto map ACLs for each ended up having both remote IP spaces (probably in the process of setting up or an attempt to fix it).
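An added example, not the asker's or the vendor's real configuration, showing how the setup in the question looks on an ASA running 8.4+: the twice NAT that presents 192.168.1.1 as 71.71.71.40 only toward the remote space, the overlapping crypto ACLs the accepted solution found beside their corrected form, and the packet-tracer syntax for a packet arriving through the tunnel. Remote prefixes, peer addresses and all object, ACL and map names are constructed placeholders.

```cisco
! Added example (constructed), not the asker's or the vendor's configuration.
! From the question: local host 192.168.1.1 is shown to the remote side as 71.71.71.40.
! Assumed/constructed: remote spaces 184.184.184.0/24 (tunnel A) and 198.51.100.0/24
! (tunnel B), peers 203.0.113.10 and 203.0.113.20, and all object/ACL/map names.
! ISAKMP policy, tunnel-groups and pre-shared keys are omitted.
object network LOCAL-HOST
 host 192.168.1.1
object network LOCAL-HOST-PUBLIC
 host 71.71.71.40
object network REMOTE-A
 subnet 184.184.184.0 255.255.255.0
object network REMOTE-B
 subnet 198.51.100.0 255.255.255.0
!
! Twice NAT, ordered ahead of any general PAT rule. Only traffic to a remote
! space is translated, and the rule is bidirectional, so a packet from the
! remote side to 71.71.71.40 is untranslated back to 192.168.1.1.
nat (inside,outside) 1 source static LOCAL-HOST LOCAL-HOST-PUBLIC destination static REMOTE-A REMOTE-A
nat (inside,outside) 2 source static LOCAL-HOST LOCAL-HOST-PUBLIC destination static REMOTE-B REMOTE-B
!
! Crypto ACLs match the translated (public) address, because NAT runs before IPsec.
! BROKEN, the state the accepted solution describes: both ACLs list both remote
! spaces, so crypto map entry 10 claims traffic that belongs to entry 20.
! access-list VPN-A extended permit ip host 71.71.71.40 184.184.184.0 255.255.255.0
! access-list VPN-A extended permit ip host 71.71.71.40 198.51.100.0 255.255.255.0
! access-list VPN-B extended permit ip host 71.71.71.40 184.184.184.0 255.255.255.0
! access-list VPN-B extended permit ip host 71.71.71.40 198.51.100.0 255.255.255.0
!
! CORRECTED: each crypto ACL carries only its own peer's address space.
access-list VPN-A extended permit ip host 71.71.71.40 184.184.184.0 255.255.255.0
access-list VPN-B extended permit ip host 71.71.71.40 198.51.100.0 255.255.255.0
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 20 match address VPN-B
crypto map OUTSIDE-MAP 20 set peer 203.0.113.20
crypto map OUTSIDE-MAP 20 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
!
! Checks for the inbound direction the thread could not trace: a packet coming
! through the tunnel enters on the OUTSIDE interface addressed to the public IP.
! packet-tracer input outside icmp 184.184.184.57 8 0 71.71.71.40 detailed
! show crypto ipsec sa peer 203.0.113.10   (confirm encaps and decaps both increment)
```

With only decaps incrementing, as the asker observed, the packet-tracer run on the outside interface shows which NAT or ACL phase drops the untranslated reply before it ever reaches the host.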

Author Closing Comment

by:snowdog_2112
ID: 39635436
Cisco TAC case resolved it.  Thanks for the suggestions.
