ASA: Site-to-Site VPN with NAT Interesting Traffic to a Public IP

shugonaka
Hi Experts, I would like to get some help with troubleshooting Site-to-Site VPN connectivity between two ASAs. I need to NAT the internal subnet on both sites to a public IP address in order to avoid overlapping subnets. I can establish a VPN tunnel as long as I ping the NAT address (the tunnel does not come up if I ping any host on the internal subnet). The issue I am having is that I am not able to ping any hosts on the subnet from either end after the tunnel is established.


Site A outside IP is 50.50.50.2 (Internet G0/0 is 50.50.50.1)

Site B outside IP is 60.60.60.2 (Internet G0/1 is 60.60.60.1)

Site A and Site B can ping each other's outside IP.

Site A inside subnet is 10.16.0.0/24 and is NATed to 50.50.50.3

Site B inside subnet is 10.10.0.0/24 and is NATed to 60.60.60.3

Simple network diagram: vpn-pat-overlapping-subnets.jpeg.jpg

ASA Site A:

ASA Version 9.7(1)4
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 50.50.50.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.16.0.1 255.255.0.0
!
object network obj-siteA-real
 subnet 10.16.0.0 255.255.0.0
object network obj-siteA-map
 host 50.50.50.3
object network obj-siteB-real
 subnet 10.10.0.0 255.255.0.0
object network obj-siteB-map
 host 60.60.60.3
object-group service ogs-srv-icmp
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp traceroute
!
access-list acl-outside-in extended permit object-group ogs-srv-icmp object obj-siteB-map any log
access-list acl-outside-in extended deny ip any any log
access-list acl-enc-domain-siteB extended permit ip object obj-siteA-map object obj-siteB-map
!
! Manual (twice) NAT, section 1: only traffic from 10.16.0.0/16 destined to 60.60.60.3 matches this rule
nat (inside,outside) source dynamic obj-siteA-real obj-siteA-map destination static obj-siteB-map obj-siteB-map
!
! Auto NAT, section 2: everything else from 10.16.0.0/16 is PATed to the outside interface address
object network obj-siteA-real
 nat (inside,outside) dynamic interface
access-group acl-outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 50.50.50.1 1
!
no sysopt connection permit-vpn
crypto ipsec ikev2 ipsec-proposal ts-aes256-sha256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map cmap-outside 1 match address acl-enc-domain-siteB
crypto map cmap-outside 1 set peer 60.60.60.2
crypto map cmap-outside 1 set ikev2 ipsec-proposal ts-aes256-sha256
crypto map cmap-outside 1 set security-association lifetime seconds 28800
crypto map cmap-outside interface outside
!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 60.60.60.2 type ipsec-l2l
tunnel-group 60.60.60.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!


ASA Site B:

ASA Version 9.7(1)4
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 60.60.60.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.0.0
!
object network obj-siteB-real
 subnet 10.10.0.0 255.255.0.0
object network obj-siteB-map
 host 60.60.60.3
object network obj-siteA-real
 subnet 10.16.0.0 255.255.0.0
object network obj-siteA-map
 host 50.50.50.3
object service obj-icmp
 service icmp
object-group service ogs-srv-icmp
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp traceroute
!
access-list acl-outside-in extended permit object-group ogs-srv-icmp object obj-siteA-map any log
access-list acl-outside-in extended deny ip any any log
access-list acl-enc-domain-siteA extended permit ip object obj-siteB-map object obj-siteA-map
!
! Manual (twice) NAT, section 1: only traffic from 10.10.0.0/16 destined to 50.50.50.3 matches this rule
nat (inside,outside) source dynamic obj-siteB-real obj-siteB-map destination static obj-siteA-map obj-siteA-map
!
! Auto NAT, section 2: everything else from 10.10.0.0/16 is PATed to the outside interface address
object network obj-siteB-real
 nat (inside,outside) dynamic interface
access-group acl-outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 60.60.60.1 1
!
no sysopt connection permit-vpn
crypto ipsec ikev2 ipsec-proposal ts-aes256-sha256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map cmap-outside 1 match address acl-enc-domain-siteA
crypto map cmap-outside 1 set peer 50.50.50.2
crypto map cmap-outside 1 set ikev2 ipsec-proposal ts-aes256-sha256
crypto map cmap-outside 1 set security-association lifetime seconds 28800
crypto map cmap-outside interface outside
!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 50.50.50.2 type ipsec-l2l
tunnel-group 50.50.50.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
Pete Long, Technical Consultant

Commented:
>>in order to avoid overlapping subnets.

But you don't have overlapping subnets? And if you did, just do this:
Cisco ASA: VPNs With Overlapping Subnets

Author

Commented:
Hi Pete, thanks for your response! I did read your webpage before posting here. I followed the instructions and am still not able to get it to work. I am not sure if it's because I am trying to NAT the internal subnet to a single IP address instead of a network subnet. I can get the tunnel to come up if I ping the NAT address from either end, but the PCs on either site are not able to ping each other.

Author

Commented:
One thing I see when pinging from the Site A PC to the Site B PC while the VPN is up is that the counter for acl-enc-domain-siteB does not increase, but the counter for auto-NAT increases. So I think the traffic is not being encrypted and routed through the tunnel for some reason.
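As an added example (not the poster's configuration and not a resolution recorded in this thread), the same two sites rebuilt with the subnet-to-subnet pattern Pete's comment refers to. The observation above is consistent with how the ASA orders its lookups: a ping from 10.16.x.x to 10.10.x.x does not match the manual NAT rule (whose destination is only 60.60.60.3), so it falls through to the auto NAT interface PAT, and the translated packet (50.50.50.2 to 10.10.x.x) never matches the crypto ACL, which is evaluated against post-NAT addresses. A dynamic PAT to a single /32 also cannot carry this design even when the mapped address is pinged directly: it creates translations only for flows initiated from its own side, so the far ASA has no translation that maps an incoming 60.60.60.3 back to a particular inside host. A static one-to-one NAT of each real /16 to a mapped /16 is reversible in both directions. The mapped ranges 172.16.0.0/16 and 172.17.0.0/16 are assumptions made here; they only have to be unique across both sites and do not need to be public addresses. Interfaces, peers, IKEv2 policy and tunnel-groups are unchanged from the post and are omitted.

```cisco
! ---- ASA Site A (added example; object names reused from the post,
! ---- the mapped /16 ranges are assumed) ----
object network obj-siteA-real
 subnet 10.16.0.0 255.255.0.0
object network obj-siteA-map
 subnet 172.16.0.0 255.255.0.0
object network obj-siteB-real
 subnet 10.10.0.0 255.255.0.0
object network obj-siteB-map
 subnet 172.17.0.0 255.255.0.0
!
! Manual (twice) NAT, section 1. Static and one-to-one: 10.16.0.5 is always
! 172.16.0.5 on the tunnel, so Site B can reverse it for unsolicited traffic.
! Section 1 is evaluated before the section-2 auto NAT below, so VPN-bound
! traffic never falls through to the interface PAT. Site A hosts reach Site B
! hosts by their mapped addresses (172.17.x.y).
nat (inside,outside) source static obj-siteA-real obj-siteA-map destination static obj-siteB-map obj-siteB-map
!
! Auto NAT, section 2: Internet-bound traffic still uses the interface PAT.
object network obj-siteA-real
 nat (inside,outside) dynamic interface
!
! The crypto ACL is matched against the translated (mapped) addresses, because
! NAT is applied before the crypto map is consulted on the egress interface.
access-list acl-enc-domain-siteB extended permit ip object obj-siteA-map object obj-siteB-map
!
! With "no sysopt connection permit-vpn" decrypted traffic is subject to the
! outside ACL. Since ASA 8.3 that ACL sees the destination untranslated (real),
! so permit the remote mapped source to the local real subnet. The post's
! "any" destination would also work; this form is narrower.
access-list acl-outside-in extended permit object-group ogs-srv-icmp object obj-siteB-map object obj-siteA-real log
access-list acl-outside-in extended deny ip any any log
!
! ---- ASA Site B (mirror image) ----
object network obj-siteB-real
 subnet 10.10.0.0 255.255.0.0
object network obj-siteB-map
 subnet 172.17.0.0 255.255.0.0
object network obj-siteA-real
 subnet 10.16.0.0 255.255.0.0
object network obj-siteA-map
 subnet 172.16.0.0 255.255.0.0
!
nat (inside,outside) source static obj-siteB-real obj-siteB-map destination static obj-siteA-map obj-siteA-map
object network obj-siteB-real
 nat (inside,outside) dynamic interface
!
access-list acl-enc-domain-siteA extended permit ip object obj-siteB-map object obj-siteA-map
access-list acl-outside-in extended permit object-group ogs-srv-icmp object obj-siteA-map object obj-siteB-real log
access-list acl-outside-in extended deny ip any any log
!
! ---- Verification on Site A (hypothetical host addresses) ----
! packet-tracer input inside icmp 10.16.0.5 8 0 172.17.0.5
!   expect the NAT phase to show the manual "source static" rule rather than
!   the interface PAT, and a VPN encrypt phase with Result: ALLOW
! show nat
!   section 1 hit counts should increase for tunnel traffic, section 2 should not
! show access-list acl-enc-domain-siteB
!   hitcnt should now increase while the ping runs
! show crypto ikev2 sa
! show crypto ipsec sa
!   #pkts encaps/decaps should increase on both ASAs
```

A single public /32 cannot be the mapped side of a one-to-one translation for a /16; if only one public address is available per site, static NAT can expose one host (or static PAT a few ports of it), but host-to-host reachability for the whole subnet needs a mapped range of the same size. If the two real subnets do not actually overlap, as Pete points out, the mapped objects can simply be the real subnets and the manual NAT rule becomes an identity translation.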
