Solved

cisco ASA site-to-site vpn, nat to public IP on both sides

Posted on 2013-10-28
12
1,388 Views
Last Modified: 2013-11-09
I control one side of this - Cisco ASA 5505 running 8.4+.  I do not know what type of device on the other end.

ASA:
Inside: 192.168.1.254/24
Outside: 71.71.71.34/28   <-- not the actual IP.

I have an IPSec tunnel to the remote side. The local side is a single host (192.168.1.1), which I am NAT'ing to one of our public IP's (71.71.71.40).

Likewise, the remote side is NAT'ing to an IP as they enter their side.

My host (192.168.1.1) can successfully ping the IP's on the inside of the remote tunnel.

The remote side, however, cannot ping 71.71.71.40.

If a packet-tracer and actual pings from the host on my end suggest it's working, does it seem like the problem is on the remote side?
12 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 39607517
I do not know what type of device on the other end.  .....   I have an IPSec tunnel to the remote side  

You need to know what is at the other end.

You need to match Phase 1 variables (several possibilities). You need to match Phase 2 variables (more possibilities). You need to match the Pre Shared key. You may need to set NAT Traversal one end, possibly both. You need to set Main/Aggressive mode.

In short, you cannot set up the remote end (or the local end) without knowing both ends.

The local side is a single host (192.168.1.1),    My host (192.168.1.1)

Am I interpreting the above correctly?  You have the same subnet on each end? That will not work.

... Thinkpads_User
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39607939
If you have the same subnet on both ends, it will not work.

Here is a guide for Cisco ASA VPN with overlapping subnets:

http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/#eightthree


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml
0
 

Author Comment

by:snowdog_2112
ID: 39609756
Please read the OP.  The tunnels establish and I can ping from my host to all of the IP's in the IPSec SA on the other side.  Knowing the device type for the remote endpoint doesn't seem to make a difference - other than me being able to ask for the crypto map and ACLs for our tunnel.

They are NOT the same subnet on both sides.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39609765
Make sure you turn off your firewall on your host
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39609792
There are variables (Phases and Keys) that can prevent tunnels, and there are variables (mode and traversal) that can prevent traffic when the tunnel is formed.

Set up logging on your side and try to establish the tunnel.

What does the log say?  


... Thinkpads_User
0
 

Author Comment

by:snowdog_2112
ID: 39609938
Not the firewall - no firewall enabled.

I am seeing decaps increment from pings FROM the remote side, but no encaps.

I am not seeing anything in a wireshark on my host from the remote side, so it appears the pings are being decrypted and dropped, or sent somewhere I am not expecting.

I don't know how to packet-trace using the remote IP address coming through the tunnel.

e.g.,
packet-tracer input inside icmp 184.184.184.57 8 0 192.168.1.0 detailed

in other words, assuming the packet is decrypted, it should egress the inside interface.
0
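The configuration shape the question describes (a single inside host translated to a public address only for traffic into the tunnel) and a packet-tracer for each direction, as an added example that is not from the thread or from the asker's device. The object names, the vendor subnet (derived from the 184.184.184.57 host mentioned above), the peer address and the transform set are assumptions; only 192.168.1.1, 71.71.71.40 and 184.184.184.57 come from the thread. Comment lines are marked with `!` and are not configuration.

```cisco
! Added example, not the asker's configuration. Names, the remote subnet,
! the peer and the transform set are assumptions.
object network HOST_192_168_1_1
 host 192.168.1.1
object network HOST_NAT_71_71_71_40
 host 71.71.71.40
object network VENDOR_NET
 subnet 184.184.184.0 255.255.255.0

! Twice NAT (8.3+ syntax): translate the host to its public address only
! when the destination is the vendor network. Giving it line 1 places it
! above any generic dynamic PAT rule so it is evaluated first.
nat (inside,outside) 1 source static HOST_192_168_1_1 HOST_NAT_71_71_71_40 destination static VENDOR_NET VENDOR_NET

! The crypto ACL must describe the packet AFTER translation: the peer
! expects to see 71.71.71.40, never 192.168.1.1.
access-list VPN_VENDOR extended permit ip host 71.71.71.40 object VENDOR_NET

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_VENDOR
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Outbound trace, from the inside host (this is the direction the thread
! already confirms works):
packet-tracer input inside icmp 192.168.1.1 8 0 184.184.184.57 detailed

! Inbound trace: present the DECRYPTED inner packet to the outside
! interface, sourced from the remote host and addressed to the public
! NAT address. The output should show the VPN/crypto-map phase, then the
! UN-NAT to 192.168.1.1, then egress on "inside".
packet-tracer input outside icmp 184.184.184.57 8 0 71.71.71.40 detailed
```

The inbound trace is the piece the thread asks for: packet-tracer never sees ESP, so the way to simulate tunnel traffic is to give it the inner addresses on the outside interface. If the trace drops at the NAT or ACL phase, the translation or crypto ACL is the problem; if it completes but the host sees nothing, look at which crypto map entry the reverse flow selects.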
 
LVL 90

Expert Comment

by:John Hurst
ID: 39609949
So what does the log say? That will normally list errors in tunnel transmission.

... Thinkpads_User
0
 

Author Comment

by:snowdog_2112
ID: 39610104
which log on which device?

Again - THE TUNNELS ARE UP.  I CAN PING IN ONE DIRECTION AND RECEIVE A REPLY.

The issue is either with the translation coming out of the tunnel on my side, or the ASA is sending the incoming packets to a different inside host than I am expecting.

Again, a packet-tracer may help, but I don't know the interface or syntax to trace packets coming IN via a tunnel.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39610114
Look on the log on the Cisco device you have and know about. Logs will tell you more than a packet tracer (at least on my Juniper devices they do).

... Thinkpads_User
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39613673
Is there a reason why you're NATting to a public IP? Normally you would exempt VPN traffic from NAT.

The remote side, however, cannot ping 71.71.71.40
Can they ping the internal address (192.168.1.1)?

It might be an idea to post a sanitized config here, that might show us more.
0
 

Accepted Solution

by:
snowdog_2112 earned 0 total points
ID: 39621871
They cannot ping 192.168.1.1 because they don't know about 192.168.1.1.  They have to access my side by its public IP.

There are plenty of reasons to NAT to a public IP going into a tunnel - one such is that the remote partner is a vendor who has VPN tunnels to *many* networks with overlapping private IP spaces.  The best method is for the remote sites to NAT to one of their public IP's, thereby ensuring the uniqueness of the tunnel policies.

We ended up solving the issue.  There are actually two tunnels to this vendor, with different remote IP spaces.  The crypto map ACL's for each ended up having both remote IP spaces (probably in the process of setting up or an attempt to fix it).
0
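The crypto ACL overlap described in the accepted solution, shown as an added example that is not the asker's configuration. All addresses and names are placeholders; the symptom it reproduces is the one reported above (decaps incrementing, encaps staying at zero). Comment lines are marked with `!`.

```cisco
! Added example, not from the thread. Two tunnels to one vendor with
! different remote address spaces; every address and name is a placeholder.
object network VENDOR_NET_A
 subnet 198.51.100.0 255.255.255.0
object network VENDOR_NET_B
 subnet 203.0.113.0 255.255.255.0

! BROKEN: both crypto ACLs list both remote spaces. The crypto map is
! evaluated in sequence order and the first matching entry wins, so a
! reply toward VENDOR_NET_B is claimed by sequence 10 and associated with
! peer A's tunnel even though the request was decrypted on tunnel B.
! Inbound packets still decrypt (decaps rise); replies never encrypt on
! the SA the peer is listening on (encaps stay flat).
access-list VPN_A extended permit ip host 71.71.71.40 object VENDOR_NET_A
access-list VPN_A extended permit ip host 71.71.71.40 object VENDOR_NET_B
access-list VPN_B extended permit ip host 71.71.71.40 object VENDOR_NET_A
access-list VPN_B extended permit ip host 71.71.71.40 object VENDOR_NET_B
crypto map OUTSIDE_MAP 10 match address VPN_A
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 20 match address VPN_B
crypto map OUTSIDE_MAP 20 set peer 192.0.2.20

! FIXED: each crypto ACL names exactly one remote space, so every packet
! matches exactly one crypto map entry. Remove the stray lines rather than
! reordering the sequence numbers.
no access-list VPN_A extended permit ip host 71.71.71.40 object VENDOR_NET_B
no access-list VPN_B extended permit ip host 71.71.71.40 object VENDOR_NET_A

! Checks: each remote network should appear in one crypto ACL only, and
! the per-peer SA counters should show encaps and decaps moving together.
show running-config crypto map
show crypto ipsec sa peer 192.0.2.20
```

The useful habit this illustrates is to review crypto ACLs across all sequence numbers of a crypto map, not one tunnel at a time: an entry that is correct in isolation can still shadow a later entry, and the only visible symptom is asymmetric encaps/decaps on the shadowed SA.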
 

Author Closing Comment

by:snowdog_2112
ID: 39635436
Cisco TAC case resolved it.  Thanks for the suggestions.
0