Solved

CISCO ASA Site to Site VPN with double NAT

Posted on 2014-01-20
17
3,954 Views
Last Modified: 2014-02-02
Hi,

I'm trying to set up a site-to-site VPN between two Cisco ASA 5505s:
On Site A, the ASA gets a public routable IP.
On Site B, the ISP router has one public routable IP and one non-routable IP. The ASA outside IP points to the router's non-routable IP.

On both sites I set up the remote public IP and the remote network. As seen in the logs, site B can send data to site A, but site A cannot send data to site B.

Site B:
91.183.90.90 -- router static public ip
192.168.254.1 - ASA outside ip
192.168.34.1 - ASA inside ip

How can I configure the ASA to bypass the ISP router NAT?

Thank you
Question by:jmbio
17 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 39794446
Is the router doing one to one natting or PAT?
0
 
LVL 8

Expert Comment

by:amatson78
ID: 39794453
You would need to forward the ports from the ISP router through to the internal network (192.168.254.x), to the ASA outside interface. This will pass the IPsec and ISAKMP traffic through to the ASA.

IKE, Internet Key Exchange = 500/udp
IPsec ESP, Encapsulating Security Payload = IP protocol 50
IPsec AH, Authentication Header = IP protocol 51
0
 

Author Comment

by:jmbio
ID: 39794572
I'm not sure about the router NAT or PAT configuration; it's a black box from Belgacom, but it is configured to let all traffic pass to the internal network, without blocking anything.

We currently have a working site-to-site VPN between those two sites, using a different firewall (Smoothwall), so I assume the traffic can pass through the ISP router and that it is more a problem with the ASA configuration itself.

On our working Smoothwall configuration, the site B router's non-routable IP is also defined on site A, as the "remote ID value".
0
 
LVL 8

Expert Comment

by:amatson78
ID: 39795680
Can you post your logs for the VPN from the ASA side that is not working, so we can see if there are any errors showing? That should point us in the right direction.
0
 
LVL 9

Expert Comment

by:ffleisma
ID: 39798043
If possible, can you share your VPN configuration for both the working and non-working ASA?

You can use the following command:

"show run crypto | inc crypto map"

ex:
crypto map outside_map 10 match address outside_10_cryptomap
crypto map outside_map 10 set peer A.A.A.A
crypto map outside_map 10 set transform-set ESP-AES-256-SHA

The set peer settings should list the public internet IP of the VPN peers. In this case that would be the outside interface of site A, and the router outside interface of site B.

If there were no changes on the site B router, I'm assuming it is doing proper NATing.

The next thing I would like to check is whether the access-lists for both sites match; sometimes a mismatch in the VPN ACL between sites can cause one-way communication over the VPN. Double check that the match address ACLs for both sites reflect the same.
0
 

Author Comment

by:jmbio
ID: 39799277
Here is the result of show run crypto | inc crypto map on Site A:

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 91.183.89.90
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 91.183.89.90
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer 91.183.89.90
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside

and on Site B:
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 78.155.15.181
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
0
 

Author Comment

by:jmbio
ID: 39799376
the ACL on site A:
object network Vise subnet 192.168.34.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 object Vise
access-list outside_cryptomap_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.34.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.0.0 255.255.255.0 object Vise

and on Site B:
object network Sion_LAN subnet 192.168.0.0 255.255.255.0
object network Vise_LAN subnet 192.168.34.0 255.255.255.0
access-list outside_cryptomap extended permit ip object Vise_LAN object Sion_LAN
access-list outside_cryptomap_1 extended permit ip object Vise_LAN object Sion_LAN
0
 
LVL 9

Expert Comment

by:ffleisma
ID: 39800202
Why do you have multiple crypto map entries for the same peer?

crypto map outside_map 1 set peer 91.183.89.90
crypto map outside_map 2 set peer 91.183.89.90
crypto map outside_map 3 set peer 91.183.89.90

For a VPN setup you only need one, and have the match address ACL include all the needed communication. Also, the match address ACLs are duplicates.

If you can, try to remove the other two VPN configurations and be left with only this.

on site A:
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 91.183.89.90
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
!
crypto map outside_map interface outside
!
!
object network Vise subnet 192.168.34.0 255.255.255.0
!
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 object Vise

and on Site B:
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 78.155.15.181
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
!
crypto map outside_map interface outside
!
!
object network Sion_LAN subnet 192.168.0.0 255.255.255.0
object network Vise_LAN subnet 192.168.34.0 255.255.255.0
!
access-list outside_cryptomap_1 extended permit ip object Vise_LAN object Sion_LAN

Try to remove the following on site A:
crypto map outside_map 2
crypto map outside_map 3

and try to avoid duplicate ACLs on the match address.

Let me know if this helps, thanks!
0
 

Author Comment

by:jmbio
ID: 39805992
We have cleaned both sides of the VPN as suggested:
Result of the command: "show run crypto | inc crypto map"

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 91.183.89.90
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside



Now I have the following entries in the log of Site A, nothing in Site B:

5 Jan 24 2014 10:28:45 750002 Local:178.237.90.186:500 Remote:91.183.89.90:500 Username:Unknown Received a IKE_INIT_SA request

4 Jan 24 2014 10:29:16 750003 Local:178.237.90.186:500 Remote:91.183.89.90:500 Username:Unknown Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired
0
 
LVL 8

Expert Comment

by:amatson78
ID: 39808034
Sounds like a firewall or something is blocking. Can you get PCAPs?
0
 
LVL 9

Expert Comment

by:ffleisma
ID: 39811103
Can you double check the configured tunnel-group as well?

"show run tunnel-group"

sample output:
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****

Please make sure that the pre-shared key is configured the same for both sites. If you are not sure, you can reconfigure a new pre-shared key so as to match the configuration between sites.

Also, the tunnel-group has to be "clean"; try to remove duplicate tunnel-groups pointing to the same peer IP.

Let me know if this helps.
0
 

Author Comment

by:jmbio
ID: 39811363
Here is the tunnel-group on both sides:

Site A:
tunnel-group 91.183.89.90 type ipsec-l2l
tunnel-group 91.183.89.90 general-attributes
 default-group-policy GroupPolicy_91.183.89.90
tunnel-group 91.183.89.90 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

Site B:
tunnel-group 178.237.90.186 type ipsec-l2l
tunnel-group 178.237.90.186 general-attributes
 default-group-policy GroupPolicy_178.237.90.186
tunnel-group 178.237.90.186 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

We have also double-checked the key.

I think the tunnel-group is correct, we don't have any duplicates.

Don't we have to indicate to the ASA that there is a double NAT? In our current VPN config, there is no place where we have entered the ASA outside IP 192.168.254.1.
0
 

Author Comment

by:jmbio
ID: 39812224
From site A, the packet tracer from inside site A to inside site B is allowed.
From site B, the packet tracer from inside site B to inside site A is also allowed.
(screenshot attached)

But the VPN is not working.
2014-01-27-13-53-58-Cisco-ASDM-P.jpg
0
 
LVL 9

Expert Comment

by:ffleisma
ID: 39813014
Actually, double NAT means NATing both the source IP and the destination IP. In older versions of ASA software 8.3, hiding both source and destination IP was done by doing two dynamic NATs, to hide the source first, then the destination. In newer ASA versions, this can be done easily with static NAT. But I do see your point and might feel where the issue is.

At site A, for the internal subnet going to outside (which still uses a private IP), what type of NAT statement is there? It should be an identity NAT (avoid NATing it to the outside interface with a private IP). If you can provide me the NAT configuration relating to this VPN setup, I can check. But what you need to double check, basically, is that the internal subnet (192.168.0.0 255.255.255.0) has an identity NAT (NAT-exempt) configured.
0
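As an added example (not code from the thread or from Cisco), here is a small Python audit of the two points raised in this discussion: ffleisma's earlier comment about several crypto map entries and duplicate match-address ACLs for one peer, and the identity NAT (NAT-exempt) check above. It parses `show run` lines in the one-line form pasted in this thread (object definitions on a single line, objects defined before use), resolves `object` references to subnets, and reports tunnelled subnet pairs that have no `source static X X destination static Y Y` rule. The sample configuration is constructed from site A as posted; the object name Sion_LAN used in the fixed version is borrowed from site B and is hypothetical for site A.

```python
import re
from collections import defaultdict

# Constructed sample: site A as posted before the cleanup (two crypto map entries for
# one peer whose ACLs resolve to the same traffic), default dynamic NAT, no NAT exemption.
SITE_A_BEFORE = """\
object network Vise subnet 192.168.34.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 object Vise
access-list outside_cryptomap_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.34.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 91.183.89.90
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 91.183.89.90
nat (inside,outside) source dynamic any interface
"""

def _addr(t, i, objects):
    """Read 'object NAME' or 'NET MASK' at token i; return (resolved subnet text, next i)."""
    if t[i] == "object":
        return objects.get(t[i + 1], t[i + 1]), i + 2
    return t[i] + " " + t[i + 1], i + 2

def audit(config):
    """Findings: several crypto map entries or repeated ACEs per peer; subnet pairs lacking identity NAT."""
    objects, acls, peers, seq_acl, exempt = {}, defaultdict(list), defaultdict(set), {}, set()
    for line in config.splitlines():   # objects must precede their use, as in a running-config
        t = line.split()
        if m := re.match(r"object network (\S+) subnet (\S+) (\S+)", line):
            objects[m[1]] = f"{m[2]} {m[3]}"
        elif line.startswith("access-list") and "permit ip" in line:
            src, i = _addr(t, t.index("ip") + 1, objects)
            acls[t[1]].append((src, _addr(t, i, objects)[0]))
        elif line.startswith("crypto map") and len(t) > 6 and t[4:6] == ["set", "peer"]:
            peers[t[6]].add(t[3])
        elif line.startswith("crypto map") and len(t) > 6 and t[4:6] == ["match", "address"]:
            seq_acl[t[3]] = t[6]
        elif line.startswith("nat (") and "source static" in line and "destination static" in line:
            s, d = t.index("source"), t.index("destination")
            if t[s + 2] == t[s + 3] and t[d + 2] == t[d + 3]:   # real == mapped on both sides
                exempt.add((objects.get(t[s + 2], t[s + 2]), objects.get(t[d + 2], t[d + 2])))
    findings = []
    for peer, seqs in peers.items():
        if len(seqs) > 1:
            findings.append(f"peer {peer} has {len(seqs)} crypto map entries: {sorted(seqs)}")
        aces = [ace for s in sorted(seqs) for ace in acls[seq_acl.get(s, "")]]
        for src, dst in {a for a in aces if aces.count(a) > 1}:
            findings.append(f"peer {peer}: ACE {src} -> {dst} repeated across match-address ACLs")
        for src, dst in set(aces) - exempt:
            findings.append(f"peer {peer}: no identity NAT for {src} -> {dst}; dynamic NAT rewrites the source")
    return findings
```

Running `audit(SITE_A_BEFORE)` reports all three problems; once the second crypto map entry and its ACL are removed and a `source static ... destination static ...` exemption for 192.168.0.0/24 to 192.168.34.0/24 is added, it reports nothing.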
 

Author Comment

by:jmbio
ID: 39814271
I don't have any special NAT configuration, only the default one:

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic obj_any interface  
    translate_hits = 313, untranslate_hits = 5

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface  
    translate_hits = 0, untranslate_hits = 0

After adding the rule
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

The packet is no longer traversing in the packet-tracer, as shown in the attached screenshot. Without this NAT exempt directive, the packet-tracer allows the packet.
2014-01-28-08-26-34-Cisco-ASDM-P.jpg
0
 

Accepted Solution

by:
jmbio earned 0 total points
ID: 39817011
Dear all,

We have reset both firewalls to factory default, then reconfigured the VPN again, and the VPN is working now. I don't understand exactly why it didn't work with the previous configuration.
Anyway, thank you all for your help and support,
Jean-Michel
0
 

Author Closing Comment

by:jmbio
ID: 39827483
Problem has been solved by starting from scratch.
0
