Policy NAT - ASA - 8.2 to 9.8

I recently upgraded from a 5505 to a 5508 and due to the new IOS, part of my configuration no longer works. We deal with a 3rd party vendor that requires VPN traffic to come from a specific subnet. So I set up a policy NAT to mask our private IP. Here are both configurations. I am certain I missed something. Thoughts?

ASA Version 8.2(1)

access-list inside_nat2_outbound extended permit ip 10.57.1.0 255.255.255.0 x.x.x.x 255.255.252.0
access-list inside_nat2_outbound extended permit ip 10.224.166.112 255.255.255.240 x.x.x.x 255.255.252.0
access-list outside_7_cryptomap extended permit ip 10.57.1.0 255.255.255.0 x.x.x.x 255.255.252.0
access-list outside_7_cryptomap extended permit ip 10.224.166.112 255.255.255.240 x.x.x.x 255.255.252.0
access-list inside_nat10_outbound extended permit ip any any

global (outside) 2 10.224.166.112
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat2_outbound
nat (inside) 10 access-list inside_nat10_outbound

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set peer X.X.X.X
crypto map outside_map 7 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *
ASA Version 9.8(1)

object network lan
 subnet 10.57.2.0 255.255.255.0
object network masked
 subnet 10.224.166.112 255.255.255.240
object network vendor-lan
 subnet x.x.x.x 255.255.252.0

access-list outside_4_cryptomap extended permit ip object lan object vendor-lan
access-list outside_4_cryptomap extended permit ip object masked object vendor-lan

nat (inside,outside) source static lan lan destination static vendor-lan vendor-lan
nat (inside,outside) source static masked masked destination static vendor-lan vendor-lan

object network masked
 nat (inside,outside) dynamic interface

crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer X.X.X.X
crypto map outside_map 4 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 ikev1 pre-shared-key *
Matthew Galiano (CTO) asked:

ArchiTech89 (IT Security Engineer) commented:
When you say that part of the configuration no longer works, what are the symptoms then?
0
Matthew Galiano (CTO, author) commented:
Tunnel is down.
0
ArchiTech89 (IT Security Engineer) commented:
What do you get back when you do a sh isakmp sa and/or sh ipsec sa?

Also, in ASDM, if you choose Monitoring from the top, then the VPN button on the lower left, you can see the status of the VPNs. If you Filter By: IPsec Site-to-Site (the default, I think) you can see the current status of the VPN.

I scanned over the configuration and didn't see anything that jumped out at me. Can you ping the other side of the VPN at all? Basic connectivity has to be verified first...
0
Matthew Galiano (CTO, author) commented:
The VPN was working fine with the 5505. As soon as I installed the 5508 it stopped, so I know it's the config. I am pretty sure it has something to do with these lines:

global (outside) 2 10.224.166.112
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat2_outbound
nat (inside) 10 access-list inside_nat10_outbound

I am not sure how to replicate them on the 5508, specifically the priority (0, 2, 10).

Those commands are gone.
0
Matthew Galiano (CTO, author) commented:
See below. Only showing 1 private subnet. Not sure why.


 Crypto map tag: outside_map, seq num: 4, local addr: x.x.x.x

      access-list outside_4_cryptomap extended permit ip 10.57.1.0 255.255.255.0 x.x.x.x 255.255.252.0
      local ident (addr/mask/prot/port): (10.57.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (x.x.x.x/255.255.252.0/0/0)
      current_peer: x.x.x.x


      #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x/0, remote crypto endpt.: x.x.x.x/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 1161713B
      current inbound spi : 5928F7B3

    inbound esp sas:
      spi: 0x5928F7B3 (1495857075)
         SA State: active
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 30875648, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28442)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x1161713B (291598651)
         SA State: active
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 30875648, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28442)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
0
Matthew Galiano (CTO, author) commented:
This example seems to be within the realm of what I need, but I still can't see traffic going across.

Policy NAT migration
Old Configuration

access-list policyacl1 extended permit ip host 10.50.50.50 10.0.0.0 255.0.0.0
 
global (outside) 1 172.23.57.170
nat (inside) 1 access-list policyacl1
 
access-list 1 permit ip any host 172.23.57.170
access-group 1 in interface outside
 
Migrated Configuration
access-list 1 extended permit ip any host 10.50.50.50
access-group 1 in interface outside
0
Matthew Galiano (CTO, author) commented:
Figured it out.

Replaced these:

nat (inside,outside) source static lan lan destination static vendor-lan vendor-lan
nat (inside,outside) source static masked masked destination static vendor-lan vendor-lan

object network masked
 nat (inside,outside) dynamic interface


With this:

nat (inside,outside) source static lan masked destination static vendor-lan vendor-lan
0
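The behaviour the thread arrives at can be checked with a small model of how ASA 9.x evaluates section-1 (manual, "twice") NAT: rules are tried top-down, the first match wins, and the crypto map ACL is then matched against the translated packet. The following Python is an added example, not configuration or code from the thread or from Cisco. It assumes the object names from the thread, 10.57.1.0/24 for `lan` (as in the 8.2 ACL and the `sh ipsec sa` output), a documentation placeholder in place of the vendor's x.x.x.x/22, and a one-to-one offset mapping for static NAT; auto NAT (section 2) is not modelled.

```python
"""Model of ASA 9.x section-1 (manual/twice) NAT evaluation for the thread's rules.

Added example, not configuration from the thread or from Cisco. Object names
follow the thread; the vendor range x.x.x.x/22 is replaced by a documentation
placeholder, and auto NAT (section 2) is not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed object table. 'lan' uses 10.57.1.0/24 as shown in the original
# 8.2 ACL and the 'sh ipsec sa' output; 198.51.100.0/22 stands in for x.x.x.x/22.
OBJECTS = {
    "lan": ipaddress.ip_network("10.57.1.0/24"),
    "masked": ipaddress.ip_network("10.224.166.112/28"),
    "vendor-lan": ipaddress.ip_network("198.51.100.0/22"),
}


@dataclass
class TwiceNatRule:
    """One 'nat (inside,outside) source static A B destination static C D' line."""
    real_src: str
    mapped_src: str
    real_dst: str
    mapped_dst: str

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return src in OBJECTS[self.real_src] and dst in OBJECTS[self.real_dst]

    def translate_src(self, src: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Address]:
        # Static NAT maps hosts one-to-one by offset from the network base.
        # When the real network is larger than the mapped one (a /24 onto a
        # /28 here), hosts beyond the mapped range have no translation.
        real, mapped = OBJECTS[self.real_src], OBJECTS[self.mapped_src]
        candidate = mapped.network_address + (int(src) - int(real.network_address))
        return candidate if candidate in mapped else None


def parse_rule(line: str) -> TwiceNatRule:
    """Parse the static twice-NAT form used in the thread."""
    t = line.split()
    if t[:1] != ["nat"] or t[2:4] != ["source", "static"] or t[6:8] != ["destination", "static"]:
        raise ValueError(f"unsupported NAT line: {line}")
    return TwiceNatRule(t[4], t[5], t[8], t[9])


def apply_manual_nat(rules, src, dst):
    """Section 1 is evaluated top-down; the first matching rule wins.

    Returns the source address the peer will see, or None when the matching
    rule has no mapping for this host. With no match the packet would fall
    through to auto NAT, which is not modelled, so src is returned unchanged.
    """
    for rule in rules:
        if rule.matches(src, dst):
            return rule.translate_src(src)
    return src


def crypto_acl_permits(src, dst) -> bool:
    """outside_4_cryptomap from the thread, matched against the post-NAT packet."""
    return dst in OBJECTS["vendor-lan"] and (src in OBJECTS["lan"] or src in OBJECTS["masked"])


def check(rules, src: str, dst: str) -> dict:
    """Translate one flow and report whether it is encrypted and whether the
    vendor sees a source inside the agreed (masked) range."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    translated = apply_manual_nat(rules, s, d)
    return {
        "translated": translated,
        "in_crypto_acl": translated is not None and crypto_acl_permits(translated, d),
        "vendor_accepts": translated is not None and translated in OBJECTS["masked"],
    }


# The two rule sets from the thread: the version that built a tunnel but carried
# the real 10.57.1.x source, and the replacement that masks it.
ORIGINAL_RULES = [parse_rule(line) for line in (
    "nat (inside,outside) source static lan lan destination static vendor-lan vendor-lan",
    "nat (inside,outside) source static masked masked destination static vendor-lan vendor-lan",
)]
FIXED_RULES = [parse_rule(
    "nat (inside,outside) source static lan masked destination static vendor-lan vendor-lan"
)]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for host in ("10.57.1.10", "10.57.1.50"):
            print(name, host, "->", check(rules, host, "198.51.100.7"))
```

Running it shows why the first 9.8 attempt built a tunnel (the `sh ipsec sa` output above lists 10.57.1.0/24 as the local identity) yet the vendor saw nothing usable: the identity rule `lan lan` matched first, so packets were encrypted with their real 10.57.1.x source, which the vendor does not accept. The model also surfaces the caveat in the fix: mapping a /24 onto a /28 one-to-one leaves hosts above 10.57.1.15 with no translation, so it is worth confirming the hosts that actually need the vendor with `packet-tracer input inside tcp <host> 12345 <vendor-host> 443` on the ASA.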

Matthew Galiano (CTO, author) commented:
Did my own research.
0