Solved

Cisco ASA site-to-site VPN, NAT to public IP on both sides

Posted on 2013-10-28
Last Modified: 2013-11-09
I control one side of this - Cisco ASA 5505 running 8.4+. I do not know what type of device is on the other end.

ASA:
Inside: 192.168.1.254/24
Outside: 71.71.71.34/28   <-- not the actual IP.

I have an IPSec tunnel to the remote side. The local side is a single host (192.168.1.1), which I am NAT'ing to one of our public IPs (71.71.71.40).

Likewise, the remote side is NAT'ing to an IP as they enter their side.

My host (192.168.1.1) can successfully ping the IPs on the inside of the remote tunnel.

The remote side, however, cannot ping 71.71.71.40.

If a packet-tracer and actual pings from the host on my end suggest it's working, does it seem like the problem is on the remote side?
Question by:snowdog_2112
12 Comments
 

Expert Comment

by:John Hurst
ID: 39607517
I do not know what type of device on the other end.  .....   I have an IPSec tunnel to the remote side  

You need to know what is at the other end.

You need to match Phase 1 variables (several possibilities). You need to match Phase 2 variables (more possibilities). You need to match the pre-shared key. You may need to set NAT Traversal on one end, possibly both. You need to set Main/Aggressive mode.

In short, you cannot set up the remote end (or the local end) without knowing both ends.

The local side is a single host (192.168.1.1),    My host (192.168.1.1)

Am I interpreting the above correctly?  You have the same subnet on each end? That will not work.

... Thinkpads_User

Expert Comment

by:fgasimzade
ID: 39607939
If you have the same subnet on both ends, it will not work

Here is a guide for Cisco ASA VPN with overlapping subnets:

http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/#eightthree


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

Author Comment

by:snowdog_2112
ID: 39609756
Please read the OP. The tunnels establish and I can ping from my host to all of the IPs in the IPSec SA on the other side. Knowing the device type for the remote endpoint doesn't seem to make a difference - other than me being able to ask for the crypto map and ACLs for our tunnel.

They are NOT the same subnet on both sides.

Expert Comment

by:fgasimzade
ID: 39609765
Make sure you turn off your firewall on your host

Expert Comment

by:John Hurst
ID: 39609792
There are variables (Phases and Keys) that can prevent tunnels, and there are variables (mode and traversal) that can prevent traffic when the tunnel is formed.

Set up logging on your side and try to establish the tunnel.

What does the log say?  


... Thinkpads_User

Author Comment

by:snowdog_2112
ID: 39609938
Not firewall - no firewall enabled.

I am seeing decaps increment from pings FROM the remote side, but no encaps.

I am not seeing anything in a wireshark on my host from the remote side, so it appears the pings are being decrypted and dropped, or sent somewhere I am not expecting.

I don't know how to packet-trace using the remote IP address coming through the tunnel.

e.g.,
packet-tracer input inside icmp 184.184.184.57 8 0 192.168.1.0 detailed

In other words, assuming the packet is decrypted, it should egress the inside interface.

Expert Comment

by:John Hurst
ID: 39609949
So what does the log say. That will normally list errors in tunnel transmission.

... Thinkpads_User

Author Comment

by:snowdog_2112
ID: 39610104
which log on which device?

Again - THE TUNNELS ARE UP.  I CAN PING IN ONE DIRECTION AND RECEIVE A REPLY.

The issue is either with the translation coming out of the tunnel on my side, or the ASA is sending the incoming packets to a different inside host than I am expecting.

Again, a packet-tracer may help, but I don't know the interface or syntax to trace packets coming IN via a tunnel.

Expert Comment

by:John Hurst
ID: 39610114
Look on the log on the Cisco device you have and know about. Logs will tell you more than a packet tracer (at least on my Juniper devices they do).

... Thinkpads_User

Expert Comment

by:Ernie Beek
ID: 39613673
Is there a reason why you're NATting to a public IP? Normally you would exempt VPN traffic from NAT.

The remote side, however, cannot ping 71.71.71.40
Can they ping the internal address (192.168.1.1)?

It might be an idea to post a sanitized config here, that might show us more.

Accepted Solution

by:snowdog_2112
ID: 39621871
They cannot ping 192.168.1.1 because they don't know about 192.168.1.1. They have to access my side by its public IP.

There are plenty of reasons to NAT to a public IP going into a tunnel - one such is that the remote partner is a vendor who has VPN tunnels to *many* networks with overlapping private IP spaces. The best method is for the remote sites to NAT to one of their public IPs, thereby ensuring the uniqueness of the tunnel policies.

We ended up solving the issue. There are actually two tunnels to this vendor, with different remote IP spaces. The crypto map ACLs for each ended up having both remote IP spaces (probably in the process of setting up or an attempt to fix it).
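An added check, not part of the original thread or the poster's configuration: the accepted solution found that the crypto map ACLs for two tunnels to the same vendor each listed both remote IP spaces, so decrypted packets could be matched against the wrong tunnel's policy. The script below parses the access-list and crypto map lines from a sanitised ASA 8.4+ running-config and reports every remote network claimed by more than one crypto map entry, with the broken state beside the corrected one. Only 192.168.1.1 and 71.71.71.40 come from the thread; the object names, sequence numbers, peer addresses (203.0.113.x) and the vendor's NAT'd ranges (184.184.184.0/26 and 184.184.185.0/24) are assumptions made up for the example. The twice-NAT lines show the 8.4+ form of translating 192.168.1.1 to 71.71.71.40 only when the destination is one of the vendor ranges, which is also why the crypto ACLs are written against the public address.

```python
"""Find remote networks claimed by more than one crypto map entry on an ASA.

Added example; not from the original thread. It parses the access-list and
crypto map lines of an ASA 8.4+ running-config and reports destination
(remote) networks that appear in the crypto ACLs of two or more entries,
which is the mis-configuration the accepted solution describes.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed, sanitised config. Addresses 192.168.1.1 and 71.71.71.40 come
# from the thread; object names, sequence numbers, peer addresses
# (203.0.113.x) and the vendor's NAT'd ranges (184.184.184.0/26,
# 184.184.185.0/24) are assumptions for illustration only.
_BASE = """\
object network LOCAL_HOST
 host 192.168.1.1
object network LOCAL_HOST_PUBLIC
 host 71.71.71.40
object network VENDOR_A
 subnet 184.184.184.0 255.255.255.192
object network VENDOR_B
 subnet 184.184.185.0 255.255.255.0
! Twice NAT: 192.168.1.1 appears as 71.71.71.40 only toward the vendor ranges.
nat (inside,outside) source static LOCAL_HOST LOCAL_HOST_PUBLIC destination static VENDOR_A VENDOR_A
nat (inside,outside) source static LOCAL_HOST LOCAL_HOST_PUBLIC destination static VENDOR_B VENDOR_B
! Crypto ACLs reference the post-NAT (public) addresses.
crypto map OUTSIDE_MAP 10 match address VPN_A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 20 match address VPN_B
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
"""

# The state described in the accepted solution: each tunnel's ACL lists both remote spaces.
BROKEN_CONFIG = _BASE + """\
access-list VPN_A extended permit ip host 71.71.71.40 184.184.184.0 255.255.255.192
access-list VPN_A extended permit ip host 71.71.71.40 184.184.185.0 255.255.255.0
access-list VPN_B extended permit ip host 71.71.71.40 184.184.184.0 255.255.255.192
access-list VPN_B extended permit ip host 71.71.71.40 184.184.185.0 255.255.255.0
"""

# Corrected state: one remote space per tunnel, so decrypted traffic has one possible match.
FIXED_CONFIG = _BASE + """\
access-list VPN_A extended permit ip host 71.71.71.40 184.184.184.0 255.255.255.192
access-list VPN_B extended permit ip host 71.71.71.40 184.184.185.0 255.255.255.0
"""

_ADDR = r"(host \S+|any4?|\S+ \S+)"
_ACL_RE = re.compile(rf"^access-list (\S+) extended permit ip {_ADDR} {_ADDR}\s*$", re.M)
_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)\s*$", re.M)


def to_network(token: str) -> ipaddress.IPv4Network:
    """Convert an ASA ACL address token ('host A.B.C.D', 'NET MASK', 'any') to a network."""
    if token in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    net, mask = token.split()
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def parse_crypto_entries(config: str) -> dict:
    """Return {(map_name, seq): [(local_net, remote_net), ...]} for each crypto map entry."""
    acl_lines = defaultdict(list)
    for acl_name, src, dst in _ACL_RE.findall(config):
        acl_lines[acl_name].append((to_network(src), to_network(dst)))
    return {(name, int(seq)): acl_lines.get(acl, [])
            for name, seq, acl in _MAP_RE.findall(config)}


def find_remote_overlaps(config: str) -> list:
    """List remote networks that overlap across different crypto map entries.

    Returns sorted [(remote_network, [(map_name, seq), ...]), ...]; an empty
    list means every remote prefix is claimed by exactly one tunnel.
    """
    entries = sorted(parse_crypto_entries(config).items())
    contested = defaultdict(set)
    for i, (key_a, lines_a) in enumerate(entries):
        for key_b, lines_b in entries[i + 1:]:
            for _, remote_a in lines_a:
                for _, remote_b in lines_b:
                    if remote_a.overlaps(remote_b):
                        contested[str(remote_a)].update({key_a, key_b})
                        contested[str(remote_b)].update({key_a, key_b})
    return sorted((net, sorted(keys)) for net, keys in contested.items())


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, find_remote_overlaps(cfg))
```

Feed it the output of show running-config access-list and show running-config crypto map from the ASA. On the box itself, show crypto ipsec sa peer <address> gives the encaps/decaps counters referred to above, and inbound decrypted traffic can be simulated with packet-tracer input outside icmp <remote source> 8 0 71.71.71.40 detailed, using the remote side's NAT'd address as the source and the local public address as the destination, since the ASA un-NATs after decryption.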

Author Closing Comment

by:snowdog_2112
ID: 39635436
Cisco TAC case resolved it.  Thanks for the suggestions.