Problem with ASA5505 VPN tunnel

Answered Question
Sep 8th, 2008

The business need is for an unrouted VLAN on site A to go directly out to an internet service at site B.

Site A and Site B are connected by a 100MB WES service.

Site A is a campus site with around 25 switches. The unrouted VLAN on site A is for engineer access only so they can access their company's remote access service. This VLAN needs to stay unrouted so there is very little potential for compromise onto the live corporate network.

The solution I just put in place is to put an ASA5505 as the DHCP server for the unrouted VLAN at Site A. All clients on this unrouted VLAN get a 192.168.100.x address. The outside interface on the ASA5505 at Site A is put onto the live network to allow a site-to-site VPN tunnel to be set up between the ASA5505 and the Internet firewall, another ASA5505.

The Site A ASA5505 has been set up with inside and outside interfaces with the same security level. 192.168.100.x subnet is exempt from NAT. Traffic is configured to pass over interfaces with the same security level and the L2L tunnel is coming up.

But I can't get any connectivity to the internet from any host on the 192.168.100.x VLAN.

This is made a little more complex because the outside interfaces on both ASAs are on the corporate network.

The default route of the Site B ASA5505 is 87.xx.xx.1, the ISP router.

The Site B ASA5505 plugs directly into the ISP router.

Site A ASA5505
--------------------
access-list no-nat extended permit ip 192.168.100.0 255.255.255.0 any
access-list Access OUT extended permit ip 192.168.100.0 255.255.255.0 any
nat (inside) 0 access-list no-nat
access-group no-nat in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.99.254 1
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto map vpn-traffic 10 match address Access OUT
crypto map vpn-traffic 10 set peer ##Site B IP address##
crypto map vpn-traffic 10 set transform-set AES-256
crypto map vpn-traffic interface outside
tunnel-group ##Site B IP address## type ipsec-l2l
tunnel-group ##Site B IP address## ipsec-attributes
pre-shared-key *

Site B ASA5505
-------------------
same-security-traffic permit intra-interface
access-list no-nat extended permit ip 192.168.100.0 255.255.255.240 any
access-list outside_access_in extended permit ip any any
global (inside) 1 interface
nat (inside) 0 access-list no-nat
nat (outside) 1 192.168.100.0 255.255.255.0
access-group no-nat in interface inside
access-group outside_access_in in interface outside
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto map vpn-traffic 10 match address wootton-hall
crypto map vpn-traffic 10 set peer ##Site A IP Address##
crypto map vpn-traffic 10 set transform-set set1
crypto map vpn-traffic interface outside

I've spent a while on this and really need some guidance from the experts out there!

Can you help me find out where I've gone wrong?

Richard Burts Mon, 09/08/2008 - 11:41

Dan

The first issue that I see is a mismatch between site A and site B about the size of the network for 192.168.100.0. Site A consistently has it as a /24. However, no-nat at site B defines it differently:

access-list no-nat extended permit ip 192.168.100.0 255.255.255.240 any

I suggest that you change this to a /24 mask.

The second issue that I see is a logical issue. Site A treats 192.168.100.0 as a local network (it is the source address in the access lists) and this seems right. But site B is also treating 192.168.100.0 as the source address in its access lists and that does not seem right. Can you clarify what is going on at site B?

And lastly the no-nat says to not translate 192.168.100.0 going to anywhere. You do not want to translate these addresses if they are going through the VPN tunnel. But you certainly would want to translate them if they are going out to the Internet from site B. So some change in your no-nat at site B seems to be necessary.

HTH

Rick

cooper.dan Mon, 09/08/2008 - 23:42

Hi Rick,

Thanks for the help!

The situation is that the 192 subnet at site A needs to get to the internet.

Site B is the other end of the VPN tunnel to get them there. The 192 traffic from site A should be hitting the outside interface of site B, getting the global NAT of the inside interface xx.xx.xx.14 (valid Internet IP address) and going out to the Internet.

If I remove the 192 no-nat statement on site B the VPN tunnel does not establish.

Does this help?

I'll add a bit more code from the Site B end to clarify what I'm trying to do.

Thanks again

Dan

Correct Answer
Richard Burts Wed, 09/10/2008 - 07:19

Dan

There are some parts of the config that you posted which puzzle me, such as assigning the default route on the inside interface. But these things are not the core of your problem. I agree that probably the core of your problem is the nonat access list. If I understand your requirements correctly what you need is that 192.168.100.0 is not translated when going to addresses at B and is translated when going to the Internet. But your access list says to never translate 192.168.100.0 since your access list has the destination as any:

access-list no-nat extended permit ip 192.168.100.0 255.255.255.0 any

My suggestion is to rewrite this access list and change the "any" destination to be the addresses behind B (the LAN at B).

HTH

Rick
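Rick's replies point at two things on the site-B box: the NAT exemption must not cover Internet-bound destinations, and the 192.168.100.0 mask must be the same /24 that site A uses. Dan's final fix (swapping the interface roles and dropping the no-nat entries) fits the same picture. The listing below is an added illustration of how the site-B ASA fits together in conventional interface roles; it is not Dan's configuration and not taken from the thread. It assumes the classic (pre-8.3) NAT syntax the thread uses, that the interface named outside faces the ISP and inside faces the site-B LAN, and it uses two placeholders: ##Site A IP address## (as in the thread) and <B-LAN-network> <B-LAN-mask> for the site-B LAN, which the thread never gives. The ACL name vpn-to-siteA is also invented for the example.

```cisco
! Site B ASA5505 (Internet-facing) - added example, classic NAT syntax (ASA 7.x / 8.0-8.2)
! Assumed roles: nameif outside = ISP-facing interface, nameif inside = site-B LAN
!
! Decrypted tunnel traffic enters on outside and leaves on outside again,
! so forwarding within the same interface must be allowed (already in the posted config).
same-security-traffic permit intra-interface
!
! Interesting traffic mirrors site A's crypto ACL (192.168.100.0/24 -> any):
! at B it is any -> 192.168.100.0/24, using the same /24 mask as site A.
access-list vpn-to-siteA extended permit ip any 192.168.100.0 255.255.255.0
!
! NAT exemption is scoped to B's own LAN talking to the VLAN at A. The destination is
! B's LAN, not "any", so Internet-bound flows from 192.168.100.0/24 are still translated.
! <B-LAN-network> <B-LAN-mask> are placeholders for the site-B LAN (not given in the thread).
! This entry is only needed if hosts on B's LAN must reach the VLAN through the tunnel.
access-list no-nat extended permit ip <B-LAN-network> <B-LAN-mask> 192.168.100.0 255.255.255.0
nat (inside) 0 access-list no-nat
!
! Traffic from 192.168.100.0/24 arrives on outside (out of the tunnel) and exits on
! outside toward the ISP, so the NAT rule is keyed to outside and the global pool
! sits on the egress interface (outside), not on inside as in the posted config.
nat (outside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface
!
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto map vpn-traffic 10 match address vpn-to-siteA
crypto map vpn-traffic 10 set peer ##Site A IP address##
crypto map vpn-traffic 10 set transform-set AES-256
crypto map vpn-traffic interface outside
tunnel-group ##Site A IP address## type ipsec-l2l
tunnel-group ##Site A IP address## ipsec-attributes
 pre-shared-key *
!
! Default route toward the ISP router named in the thread
route outside 0.0.0.0 0.0.0.0 87.xx.xx.1 1
```

Two checks confirm each half of the path once this is in place: `show crypto ipsec sa` on either box should show both encaps and decaps counters rising for the 192.168.100.0/24 selector (a one-directional count usually means the crypto ACLs are not mirror images or the masks differ, as with the /28 at B), and `show xlate` on the site-B box should list translations from 192.168.100.x to the outside interface address while a VLAN host is browsing. If `show xlate` stays empty, the flow is still being exempted (a destination of "any" in no-nat) or there is no global pool on the egress interface.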

cooper.dan Mon, 09/22/2008 - 08:10

Hi Rick,

I've removed the no-nat statements and changed the inside/outside assignation on the ASA.

Now it works!

Thanks for the help Rick!

Regards

Dan

Richard Burts Mon, 09/22/2008 - 09:30

Dan

Thank you for posting back to the thread and indicating that your problem was solved. Also thanks for using the rating system to indicate that your problem was solved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that there was a response which led to a solution of the problem.

HTH

Rick
