Matthew Galiano

Policy NAT - ASA - 8.2 to 9.8

I recently upgraded from a 5505 to a 5508 and due to the new IOS, part of my configuration no longer works. We deal with a 3rd party vendor that requires VPN traffic to come from a specific subnet. So I set up a policy NAT to mask our private IP. Here are both configurations. I am certain I missed something. Thoughts?

ASA Version 8.2(1)

access-list inside_nat2_outbound extended permit ip 10.57.1.0 255.255.255.0 x.x.x.x 255.255.252.0
access-list inside_nat2_outbound extended permit ip 10.224.166.112 255.255.255.240 x.x.x.x 255.255.252.0
access-list outside_7_cryptomap extended permit ip 10.57.1.0 255.255.255.0 x.x.x.x 255.255.252.0
access-list outside_7_cryptomap extended permit ip 10.224.166.112 255.255.255.240 x.x.x.x 255.255.252.0
access-list inside_nat10_outbound extended permit ip any any

global (outside) 2 10.224.166.112
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat2_outbound
nat (inside) 10 access-list inside_nat10_outbound

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set peer X.X.X.X
crypto map outside_map 7 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *





ASA Version 9.8(1)

object network lan
 subnet 10.57.2.0 255.255.255.0
object network masked
 subnet 10.224.166.112 255.255.255.240
object network vendor-lan
 subnet x.x.x.x 255.255.252.0

access-list outside_4_cryptomap extended permit ip object lan object vendor-lan
access-list outside_4_cryptomap extended permit ip object masked object vendor-lan

nat (inside,outside) source static lan lan destination static vendor-lan vendor-lan
nat (inside,outside) source static masked masked destination static vendor-lan vendor-lan

object network masked
 nat (inside,outside) dynamic interface

crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer X.X.X.X
crypto map outside_map 4 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 ikev1 pre-shared-key *
Topics: iOS, Internet Protocol Security, Cisco, VPN

Last comment: Matthew Galiano, 8/22/2022 (Mon)
ArchiTech89

When you say that part of the configuration no longer works, what are the symptoms then?
Matthew Galiano

ASKER
Tunnel is down.
ArchiTech89

What do you get back when you do a sh isakmp sa and/or sh ipsec sa?

Also, in ASDM, if you chose Monitoring from the top, then the VPN button on the lower left, you can see the status of the VPNs. If you Filter By: IPsec Site-to-Site (the default, I think) you can see the current status of the VPN.

I scanned over the configuration and didn't see anything that jumped out at me. Can you ping the other side of the VPN at all? Basic connectivity has to be verified first...
Matthew Galiano

ASKER
The VPN was working fine with the 5505. As soon as I installed the 5508 it stopped, so I know it's the config. I am pretty sure it has something to do with these lines:

global (outside) 2 10.224.166.112
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat2_outbound
nat (inside) 10 access-list inside_nat10_outbound

I am not sure how to replicate them on the 5508, specifically the priorities (0, 2, 10).

Those commands are gone.
Matthew Galiano

ASKER
See below. Only showing 1 private subnet. Not sure why.


 Crypto map tag: outside_map, seq num: 4, local addr: x.x.x.x

      access-list outside_4_cryptomap extended permit ip 10.57.1.0 255.255.255.0 x.x.x.x 255.255.252.0
      local ident (addr/mask/prot/port): (10.57.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (x.x.x.x/255.255.252.0/0/0)
      current_peer: x.x.x.x


      #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x/0, remote crypto endpt.: x.x.x.x/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 1161713B
      current inbound spi : 5928F7B3

    inbound esp sas:
      spi: 0x5928F7B3 (1495857075)
         SA State: active
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 30875648, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28442)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x1161713B (291598651)
         SA State: active
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 30875648, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28442)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
Matthew Galiano

ASKER
This example seems to be within the realm of what I need, but I still can't see traffic going across.

Policy NAT migration
Old Configuration

access-list policyacl1 extended permit ip host 10.50.50.50 10.0.0.0 255.0.0.0
 
global (outside) 1 172.23.57.170
nat (inside) 1 access-list policyacl1
 
access-list 1 permit ip any host 172.23.57.170
access-group 1 in interface outside
 
Migrated Configuration
access-list 1 extended permit ip any host 10.50.50.50
access-group 1 in interface outside
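The following is an added example, not the asker's accepted solution (which is not shown on this page) and not Cisco's own migration output. It applies the twice-NAT form of the Cisco migration example above to the objects from the question, so that the 8.2 pair "global (outside) 2 10.224.166.112" / "nat (inside) 2 access-list inside_nat2_outbound" gets a 9.x equivalent. The object name masked-pat, the explicit rule line numbers, and the object NAT for lan (the question only shows one for masked) are assumptions about the rest of the config.

```cisco
! Added example: 9.x (8.3+ NAT model) rendering of the 8.2 policy NAT
! "global (outside) 2 10.224.166.112" + "nat (inside) 2 access-list inside_nat2_outbound".
! Object names lan/masked/vendor-lan come from the question; masked-pat is assumed.

object network lan
 subnet 10.57.1.0 255.255.255.0
object network masked
 subnet 10.224.166.112 255.255.255.240
object network masked-pat
 host 10.224.166.112
object network vendor-lan
 subnet x.x.x.x 255.255.252.0

! Section 1 (manual / twice NAT) is evaluated top-down, first match wins, so the
! vendor-specific rules must sit above any identity rule (the old "nat 0" style,
! "source static X X destination static vendor-lan vendor-lan") that also matches
! the vendor subnet as destination; otherwise that rule wins and the LAN reaches
! the vendor untranslated. A single-host mapped object gives dynamic PAT to
! 10.224.166.112, which is what "global (outside) 2 10.224.166.112" did in 8.2.
nat (inside,outside) 1 source dynamic lan masked-pat destination static vendor-lan vendor-lan
nat (inside,outside) 2 source dynamic masked masked-pat destination static vendor-lan vendor-lan

! Everything else from these subnets is PATed to the outside interface
! (replaces "global (outside) 10 interface" / "nat (inside) 10 ... any any").
! Object NAT is section 2 and is only consulted when no section 1 rule matched.
object network lan
 nat (inside,outside) dynamic interface
object network masked
 nat (inside,outside) dynamic interface

! The crypto map ACL is matched after NAT, so it names the masked /28 (the
! proxy ID the vendor expects), not the real 10.57.1.0/24. The
! "permit ip object lan object vendor-lan" ACE from the question is not needed:
! with the rules above no packet leaving for the vendor still carries a
! 10.57.1.0/24 source.
access-list outside_4_cryptomap extended permit ip object masked object vendor-lan
crypto map outside_map 4 match address outside_4_cryptomap
```

Before adding these lines, remove the two "source static ... destination static vendor-lan vendor-lan" rules from the question's 9.8 config; as written they sit first in section 1 and exempt the LAN from translation, which is consistent with the "local ident (addr/mask/prot/port): (10.57.1.0/255.255.255.0/0/0)" seen in the show crypto ipsec sa output above. To check the result without waiting for the vendor: "show nat detail" lists the rules in evaluation order with per-rule hit counts, and "packet-tracer input inside tcp 10.57.1.10 1025 x.x.x.x 443" (a host on the vendor subnet as destination) should show the dynamic rule in its NAT phase and the crypto map in its VPN phase. After that, "show crypto ipsec sa" should report the local ident as 10.224.166.112/255.255.255.240 and, once the vendor replies, non-zero "#pkts decaps".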
ASKER CERTIFIED SOLUTION
Matthew Galiano

Matthew Galiano

ASKER
Did my own research.