IPsec site-to-site VPN with NAT on one of the tunnel endpoints

Feb 19th, 2009

Hi All

I am having problems with an L2L IPsec VPN: the tunnel is not initiating at all. I have an ASA on the A-end and a PIX on the B-end. The ASA on the A-end is also doing NAT of both source and destination, and it is also the tunnel endpoint.

The topology is as follows. Note that the LAN addresses shown are not directly connected but sit behind the ASA and the PIX.

(10.1.1.0/24) ----- A-end (ASA) ----------- INTERNET ----------- B-end (PIX) ----- (10.20.20.0/24)

NAT on ASA:

10.1.1.1/32 (server) NAT'ed to 80.2.2.2/32, so the B-end sees this server as 80.2.2.2

10.2.2.0/24 NAT to 10.20.20.0/24, so the A-end sees the B-end subnet as 10.2.2.0/24

The problem is that the tunnel is not even initiating. I have attached the config.

A-end ASA:

ASA Version 7.2(3)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 90.1.1.1 255.255.255.128 standby 90.1.1.2
!
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 80.1.1.1 255.255.255.128 standby 80.1.1.2
access-list proxy_acl extended permit ip host 80.2.2.2 10.20.10.32 10.20.20.0 255.255.255.0
access-list proxy_acl extended permit ip 10.20.20.0 255.255.255.0 80.2.2.2 255.255.255.255
access-list outside extended permit icmp any any
access-list outside extended permit esp any any
access-list outside extended permit udp any any eq isakmp
access-list inside extended permit ip any any
access-list policy-nat-1 extended permit ip 10.0.0.0 255.0.0.0 any
access-list policy-nat-1 extended permit ip 172.16.0.0 255.240.0.0 any
global (outside) 1 100.1.1.1
nat (inside) 1 access-list policy-nat-1
static (inside,outside) 80.2.2.2 10.1.1.1 netmask 255.255.255.255
static (outside,inside) 10.2.2.0 10.20.20.0 netmask 255.255.255.0
access-group inside in interface inside
access-group outside in interface outside
route inside 172.16.0.0 255.240.0.0 90.1.1.5
route inside 10.0.0.0 255.0.0.0 90.1.1.5
route outside 0.0.0.0 0.0.0.0 80.1.1.5
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map CRY-MAP 10 match address proxy_acl
crypto map CRY-MAP 10 set peer 60.1.1.1
crypto map CRY-MAP 10 set transform-set ESP-3DES-SHA
crypto map CRY-MAP 10 set security-association lifetime seconds 28800
crypto map CRY-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
!
tunnel-group 60.1.1.1 type ipsec-l2l
tunnel-group 60.1.1.1 ipsec-attributes
 pre-shared-key *

B-end PIX:

access-list proxy-acl permit ip 10.20.20.0 255.255.255.0 8.2.2.2 255.255.255.255
access-list no_nat permit ip 10.20.20.0 255.255.255.0 8.2.2.2 255.255.255.255
nat (data) 0 access-list no_nat
crypto ipsec transform-set 3dessha1 esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address proxy-acl
crypto map vpn 10 set peer 80.1.1.1
crypto map vpn 10 set transform-set 3dessha1
crypto map vpn interface outside
isakmp key ******** address 80.1.1.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400


ASA config:

- There is no route for 10.20.10.32 - you have a route for 10/8 pointing to the inside. Add another route:

route outside 10.20.10.32 255.255.255.255 80.1.1.5

PIX config:

- You have the ACL access-list proxy-acl permit ip 10.20.20.0 255.255.255.0 8.2.2.2 255.255.255.255

BUT you are NATting the host to address 80.2.2.2 - the IPs don't match.

Also make sure you have a route.

HTH
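The proxy-identity mismatch pointed out in the answer (8.2.2.2 on the PIX versus the NATted 80.2.2.2 on the ASA) is the kind of thing a mirror-image check catches before any debugging on the box. The following Python checker is an added example, not code from this thread or from Cisco: it parses the crypto ACLs of both peers and reports every A-end entry that the B-end does not mirror. The function names (parse_crypto_acl, unmirrored_entries, check) are my own, and the sample config lines are constructed from the ones posted above, with the ASA's first proxy_acl line taken as the intended host 80.2.2.2 to 10.20.20.0/24 entry.

```python
import ipaddress

def _parse_spec(tokens):
    """Consume one address spec from the token list: 'any', 'host X', or 'X MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network((tok, tokens.pop(0)), strict=False)

def parse_crypto_acl(config_text, acl_name):
    """Return (src, dst) network pairs for each 'permit ip' entry of acl_name."""
    entries = []
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", acl_name]:
            continue
        tokens = tokens[2:]
        if tokens and tokens[0] == "extended":   # ASA keyword; PIX 6.x syntax omits it
            tokens.pop(0)
        if tokens[:2] != ["permit", "ip"]:
            continue
        tokens = tokens[2:]
        src = _parse_spec(tokens)
        dst = _parse_spec(tokens)
        entries.append((src, dst))
    return entries

def unmirrored_entries(local_entries, peer_entries):
    """Local crypto-ACL entries that the peer's ACL does not mirror (src/dst swapped)."""
    mirrored = {(dst, src) for src, dst in peer_entries}
    return [e for e in local_entries if e not in mirrored]

# Constructed sample: line 1 is the ASA proxy_acl as intended (post-NAT host -> remote
# subnet); line 2 is the reverse-direction entry also posted. Only local-to-remote entries
# belong in a crypto ACL; the device evaluates the mirror image for inbound traffic itself.
ASA_CONFIG = """
access-list proxy_acl extended permit ip host 80.2.2.2 10.20.20.0 255.255.255.0
access-list proxy_acl extended permit ip 10.20.20.0 255.255.255.0 80.2.2.2 255.255.255.255
"""
PIX_AS_POSTED = "access-list proxy-acl permit ip 10.20.20.0 255.255.255.0 8.2.2.2 255.255.255.255"
PIX_FIXED = "access-list proxy-acl permit ip 10.20.20.0 255.255.255.0 80.2.2.2 255.255.255.255"

def check(asa_cfg, pix_cfg):
    """Report A-end entries with no mirror on the B-end, as 'src -> dst' strings."""
    asa = parse_crypto_acl(asa_cfg, "proxy_acl")
    pix = parse_crypto_acl(pix_cfg, "proxy-acl")
    return [f"{src} -> {dst}" for src, dst in unmirrored_entries(asa, pix)]
```

Running check(ASA_CONFIG, PIX_AS_POSTED) flags both ASA entries; with the PIX line corrected to 80.2.2.2 only the reverse-direction entry remains unmirrored, which is the one to drop from the ASA.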
