Cisco ASA site-to-site VPN, NAT to public IP on both sides

I control one side of this - Cisco ASA 5505 running 8.4+. I do not know what type of device is on the other end.

ASA:
Inside: 192.168.1.254/24
Outside: 71.71.71.34/28   <-- not the actual IP.

I have an IPSec tunnel to the remote side. The local side is a single host (192.168.1.1), which I am NAT'ing to one of our public IPs (71.71.71.40).

Likewise, the remote side is NAT'ing to an IP as they enter their side.

My host (192.168.1.1) can successfully ping the IPs on the inside of the remote tunnel.

The remote side, however, cannot ping 71.71.71.40.

If a packet-tracer and actual pings from the host on my end suggest it's working, does it seem like the problem is on the remote side?
Asked by: snowdog_2112

1 Solution
John Hurst (Business Consultant, Owner) commented:
"I do not know what type of device on the other end." ... "I have an IPSec tunnel to the remote side"

You need to know what is at the other end.

You need to match Phase 1 variables (several possibilities). You need to match Phase 2 variables (more possibilities). You need to match the Pre Shared key. You may need to set NAT Traversal one end, possibly both. You need to set Main/Aggressive mode.

In short, you cannot set up the remote end (or the local end) without knowing both ends.

"The local side is a single host (192.168.1.1)" ... "My host (192.168.1.1)"

Am I interpreting the above correctly? You have the same subnet on each end? That will not work.

... Thinkpads_User

fgasimzade commented:
If you have the same subnet on both ends, it will not work.

Here is a guide for Cisco ASA VPN with overlapping subnets:

http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/#eightthree


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

snowdog_2112 (Author) commented:
Please read the OP. The tunnels establish and I can ping from my host to all of the IPs in the IPSec SA on the other side. Knowing the device type for the remote endpoint doesn't seem to make a difference - other than me being able to ask for the crypto map and ACLs for our tunnel.

They are NOT the same subnet on both sides.

fgasimzade commented:
Make sure you turn off your firewall on your host.

John Hurst (Business Consultant, Owner) commented:
There are variables (Phases and Keys) that can prevent tunnels, and there are variables (mode and traversal) that can prevent traffic when the tunnel is formed.

Set up logging on your side and try to establish the tunnel.

What does the log say?


... Thinkpads_User

snowdog_2112 (Author) commented:
Not firewall - no firewall enabled.

I am seeing decaps increment from pings FROM the remote side, but no encaps.

I am not seeing anything in a Wireshark capture on my host from the remote side, so it appears the pings are being decrypted and dropped, or sent somewhere I am not expecting.

I don't know how to packet-trace using the remote IP address coming through the tunnel.

e.g.,
packet-tracer input inside icmp 184.184.184.57 8 0 192.168.1.0 detailed

In other words, assuming the packet is decrypted, it should egress the inside interface.

John Hurst (Business Consultant, Owner) commented:
So what does the log say? That will normally list errors in tunnel transmission.

... Thinkpads_User

snowdog_2112 (Author) commented:
Which log on which device?

Again - THE TUNNELS ARE UP. I CAN PING IN ONE DIRECTION AND RECEIVE A REPLY.

The issue is either with the translation coming out of the tunnel on my side, or the ASA is sending the incoming packets to a different inside host than I am expecting.

Again, a packet-tracer may help, but I don't know the interface or syntax to trace packets coming IN via a tunnel.

John Hurst (Business Consultant, Owner) commented:
Look on the log on the Cisco device you have and know about. Logs will tell you more than a packet tracer (at least on my Juniper devices they do).

... Thinkpads_User

Ernie Beek commented:
Is there a reason why you're NATting to a public IP? Normally you would exempt VPN traffic from NAT.

"The remote side, however, cannot ping 71.71.71.40."
Can they ping the internal address (192.168.1.1)?

It might be an idea to post a sanitized config here, that might show us more.

snowdog_2112 (Author) commented:
They cannot ping 192.168.1.1 because they don't know about 192.168.1.1. They have to access my side by its public IP.

There are plenty of reasons to NAT to a public IP going into a tunnel - one such is that the remote partner is a vendor who has VPN tunnels to *many* networks with overlapping private IP spaces. The best method is for the remote sites to NAT to one of their public IPs, thereby ensuring the uniqueness of the tunnel policies.

We ended up solving the issue. There are actually two tunnels to this vendor, with different remote IP spaces. The crypto map ACLs for each ended up having both remote IP spaces (probably in the process of setting up or an attempt to fix it).

snowdog_2112 (Author) commented:
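An added example, not from the thread or from Cisco: a small Python check for the misconfiguration the author describes, where the same remote IP space appears in the crypto map ACLs of two different tunnels. The ACL names and addresses below are constructed for illustration.

```python
import ipaddress
import re

# Constructed ASA-style crypto ACL lines for two tunnels to one vendor.
# VPN-TUNNEL-B wrongly also lists VPN-TUNNEL-A's remote space, mirroring
# the thread's resolution (names and addresses are hypothetical).
SAMPLE_CONFIG = """\
access-list VPN-TUNNEL-A extended permit ip host 71.71.71.40 10.50.0.0 255.255.0.0
access-list VPN-TUNNEL-B extended permit ip host 71.71.71.40 10.60.0.0 255.255.255.0
access-list VPN-TUNNEL-B extended permit ip host 71.71.71.40 10.50.0.0 255.255.0.0
"""

# Matches "access-list NAME extended permit ip SRC DST" where SRC/DST is
# "host A.B.C.D", "A.B.C.D MASK" or "any" (the only forms this example handles).
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|\S+\s+\S+|any)\s+(?P<dst>host\s+\S+|\S+\s+\S+|any)$"
)

def to_network(spec):
    """Convert an ASA address spec into an ip_network object."""
    parts = spec.split()
    if parts == ["any"]:
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    addr, mask = parts
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_crypto_acls(text):
    """Return {acl_name: [(src_net, dst_net), ...]} for every matching ACE."""
    acls = {}
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m["name"], []).append(
                (to_network(m["src"]), to_network(m["dst"])))
    return acls

def find_overlaps(acls):
    """List (acl_a, acl_b, dst_a, dst_b) where ACEs in two different crypto
    ACLs have overlapping remote networks. Traffic to such a destination can
    match the wrong crypto map entry and leave via the wrong tunnel."""
    names = sorted(acls)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for _, dst_a in acls[a]:
                for _, dst_b in acls[b]:
                    if dst_a.overlaps(dst_b):
                        overlaps.append((a, b, str(dst_a), str(dst_b)))
    return overlaps
```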
Cisco TAC case resolved it.  Thanks for the suggestions.