Site2Site with protected public addresses

Answered Question
Oct 20th, 2007

Hi,


I'm trying to create a simple site2site vpn link, the only thing "un-ordinary" is that the protected network behind the remote vpn-firewall consists of public ip addresses.

When trying to access the addresses, the firewall sends the inside client directly to the public address - not through the tunnel.

I've tried everything.. :(


Anyone have any idea how to solve this?


Thanks in advance,

Rasmus

acomiskey Sat, 10/20/2007 - 07:55

The remote networks must be defined in your interesting traffic acl and your nat exemption acl. Post your config and what the remote network is.

blueoceanventure Sun, 10/21/2007 - 05:40

Hi,


Thanks for your reply.


First of all, a few details I forgot to mention:

It's an ASA 5510 running ver. 8.0(2)


Then to the config (slightly shortened). As you'll notice, there are two tunnels. The first one works fine. It terminates in a PIX in Sweden, which has private ip addresses on its inside interface.


The other one (that doesn't work) has public ip addresses on its inside interface (and that's what I think is the source of this problem). Because of this I have made no NAT exemption rule, 'cause the traffic will only go from us to "them".


The object-group ext_rki_servers is the mentioned public "inside" network. The tunnel that works is 194.x.x.x and the one that doesn't is the 193.x.x.x.


Config:

access-list inside_nat0_outbound extended permit ip object-group net_all_internal object-group net_sweden
access-list traffic_from_inside extended permit ip object-group net_all_internal object-group net_sweden
access-list traffic_from_inside extended permit tcp object-group int_scorex_servers object-group ext_rki_servers object-group DM_INLINE_TCP_2 log debugging
access-list outside_cryptomap_RKI extended permit ip object-group int_scorex_servers object-group ext_rki_servers
access-list fiber_sweden_cryptomap extended permit ip object-group net_all_internal object-group net_sweden
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 102 access-list inside_nat_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group traffic_from_outside in interface outside
access-group traffic_from_inside in interface inside
timeout xlate 3:00:00
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set access_dk_se esp-aes-192 esp-sha-hmac
crypto map outside_map_RKI 1 match address outside_cryptomap_RKI
crypto map outside_map_RKI 1 set peer 193.x.x.17
crypto map outside_map_RKI 1 set transform-set ESP-3DES-SHA
crypto map outside_map_RKI interface outside
crypto map access_dk_se_map 30 match address fiber_sweden_cryptomap
crypto map access_dk_se_map 30 set peer 194.x.x.42
crypto map access_dk_se_map 30 set transform-set access_dk_se
crypto map access_dk_se_map interface fiber
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable fiber
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-192
 hash sha
 group 5
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
tunnel-group 194.x.x.42 type ipsec-l2l
tunnel-group 194.x.x.42 ipsec-attributes
 pre-shared-key *
tunnel-group 193.x.x.17 type ipsec-l2l
tunnel-group 193.x.x.17 ipsec-attributes
 pre-shared-key *


acomiskey Sun, 10/21/2007 - 10:32

Shouldn't you also need...


access-list inside_nat0_outbound extended permit ip object-group int_scorex_servers object-group ext_rki_servers

blueoceanventure Mon, 10/22/2007 - 03:48

I don't know :)


But the traffic from our internal servers needs to be NAT'ed, so I don't think so?


BR,

Rasmus

Correct Answer
acomiskey Mon, 10/22/2007 - 04:43

Typically, lan to lan traffic is not nat'd. If you want to nat it you must change your crypto acl to include the nat'd traffic.


Right now you have...


access-list outside_cryptomap_RKI extended permit ip object-group int_scorex_servers object-group ext_rki_servers


What is defined as int_scorex_servers? Probably the private ip addresses of the servers right? You would have to change this to the nat'd ip address.


access-list outside_cryptomap_RKI extended permit ip nat'd.ip.address object-group ext_rki_servers


blueoceanventure Mon, 10/22/2007 - 05:14

Correct, that group contains the internal ip addresses.


They are NAT'ed to the external firewall interface upon exit. So I should change the ACL?


Never would have thought of this myself, but I'll give it a go, and get back to you.


Thanks,

Rasmus

blueoceanventure Wed, 10/24/2007 - 01:27

You were right. I replaced with the public ip of the firewall and we're through :)


Thanks!


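The thread's root cause is the ASA order of operations: NAT is applied before the crypto-map ACL is evaluated, so a crypto ACL written with private source addresses never matches traffic that has already been PAT'ed to the outside interface. The Python model below is an added illustration, not code from the thread or from Cisco; the addresses (10.1.1.0/24, 192.0.2.0/24, 198.51.100.1) are constructed placeholders for the object-groups and the outside interface, and it evaluates the config as posted against both fixes discussed (rewriting the crypto ACL to the nat'd address, or adding the nat 0 exemption).

```python
import ipaddress

# Constructed placeholder addresses standing in for the thread's object-groups.
INT_SCOREX_SERVERS = ["10.1.1.0/24"]     # private servers behind the ASA (assumed)
EXT_RKI_SERVERS = ["192.0.2.0/24"]       # remote site's public "inside" network (placeholder)
OUTSIDE_IF = "198.51.100.1"              # ASA outside interface address (placeholder)

# An ACL is a list of (source networks, destination networks) permit entries.
NAT0_ACL_ORIGINAL = []                                          # no exemption for RKI traffic, as posted
NAT0_ACL_WITH_EXEMPT = [(INT_SCOREX_SERVERS, EXT_RKI_SERVERS)]  # acomiskey's first suggestion
CRYPTO_ACL_ORIGINAL = [(INT_SCOREX_SERVERS, EXT_RKI_SERVERS)]   # private source addresses
CRYPTO_ACL_FIXED = [([OUTSIDE_IF + "/32"], EXT_RKI_SERVERS)]    # nat'd source = outside interface

def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def acl_permits(acl, src, dst):
    """True if any (src_nets, dst_nets) entry of the ACL matches the pair."""
    return any(_in_any(src, s) and _in_any(dst, d) for s, d in acl)

def outbound_decision(src, dst, nat0_acl, crypto_acl):
    """Model of the ASA 8.0 inside->outside order of operations:
    1. nat 0 exemption ACL; if it matches, the source keeps its real address,
    2. otherwise dynamic PAT (nat 101 / global 101 interface) rewrites the
       source to the outside interface,
    3. the crypto-map ACL is evaluated against the post-NAT addresses.
    Returns (post_nat_source, sent_through_tunnel)."""
    if acl_permits(nat0_acl, src, dst):
        post_nat_src = src
    else:
        post_nat_src = OUTSIDE_IF
    return post_nat_src, acl_permits(crypto_acl, post_nat_src, dst)

def compare_fixes(src="10.1.1.10", dst="192.0.2.20"):
    """Evaluate the posted config and both fixes discussed in the thread."""
    return {
        "as_posted": outbound_decision(src, dst, NAT0_ACL_ORIGINAL, CRYPTO_ACL_ORIGINAL),
        "crypto_acl_nat_ip": outbound_decision(src, dst, NAT0_ACL_ORIGINAL, CRYPTO_ACL_FIXED),
        "nat_exemption": outbound_decision(src, dst, NAT0_ACL_WITH_EXEMPT, CRYPTO_ACL_ORIGINAL),
    }

if __name__ == "__main__":
    for name, (post_nat, tunneled) in compare_fixes().items():
        print(f"{name:18} post-NAT src={post_nat:14} tunneled={tunneled}")
```

Only the "as_posted" case leaves the firewall in the clear, which matches the symptom Rasmus observed; either fix makes the crypto ACL match the addresses the packet actually carries when the crypto map sees it.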
