PIX 515E to ASA 5510 migrate VPN with private addresses NAT to public

Unanswered Question
Mar 15th, 2009

I am migrating a PIX 515E to an ASA 5510 and attempting to duplicate a VPN configuration which allows traffic from a private address on our side to a public address on the other side, and then they NAT the traffic to their private address.

This 515E has many site-to-site VPN tunnels which are working after the migration, but the two tunnels set up with a public address NAT to a private address are not working. Here is the config information from the PIX for those two VPN tunnels. Any insight into why duplicating the tunnels isn't allowing communication on the 5510? When I do a show crypto isakmp sa the tunnels seem to be up, but I can't seem to ping to the remote address from one of the devices with the one-to-one NAT on this side, which I could do when we were on the 515E.

access-list ipsec permit ip host (local outside IP address) host (remote outside IP address)
access-list donat permit ip host 192.168.1.13 host (remote outside IP address)
access-list ipsec2 permit ip host (local outside IP address) host (remote outside IP address)
access-list donat2 permit ip host 192.168.1.12 host (remote outside IP address)
static (inside,outside) (local outside IP address) access-list donat 0 0
static (inside,outside) (local outside IP address) access-list donat2 0 0
crypto ipsec transform-set 1stvpn esp-3des esp-md5-hmac
crypto ipsec transform-set 2ndvpn esp-3des esp-md5-hmac
crypto map toCovenant 80 ipsec-isakmp
crypto map toCovenant 80 match address ipsec
crypto map toCovenant 80 set peer (first remote VPN peer)
crypto map toCovenant 80 set transform-set 1stvpn
crypto map toCovenant 90 ipsec-isakmp
crypto map toCovenant 90 match address ipsec2
crypto map toCovenant 90 set peer (second remote VPN peer)
crypto map toCovenant 90 set transform-set 2ndvpn
isakmp key ******** address (first remote VPN peer) netmask 255.255.255.255
isakmp key ******** address (second remote VPN peer) netmask 255.255.255.255

bschear Mon, 03/16/2009 - 06:37

Here is an example of the two VPN connections with fake addresses. On this side, if I pinged 210.210.210.1 from 192.168.1.13 it would bring the tunnel up and I would get replies. The 210.210.210.1 has a NAT on their side to the server I am communicating with. From the remote side they could ping 200.200.200.1, which has a NAT to 192.168.1.13 on my side. I hope this clarifies it a little with the fake IPs. As I mentioned, the example is from the PIX and works, but when I copy and paste the config for these tunnels to the new ASA, all other VPN tunnels work except these two with outside addresses and static one-to-one NAT.

access-list ipsec permit ip host 200.200.200.1 host 210.210.210.1
access-list donat permit ip host 192.168.1.13 host 210.210.210.1
access-list ipsec2 permit ip host 200.200.200.2 host 210.210.210.1
access-list donat2 permit ip host 192.168.1.12 host 210.210.210.1
static (inside,outside) 200.200.200.1 access-list donat 0 0
static (inside,outside) 200.200.200.2 access-list donat2 0 0
crypto ipsec transform-set 1stvpn esp-3des esp-md5-hmac
crypto ipsec transform-set 2ndvpn esp-3des esp-md5-hmac
crypto map toCovenant 80 ipsec-isakmp
crypto map toCovenant 80 match address ipsec
crypto map toCovenant 80 set peer 205.205.205.1
crypto map toCovenant 80 set transform-set 1stvpn
crypto map toCovenant 90 ipsec-isakmp
crypto map toCovenant 90 match address ipsec2
crypto map toCovenant 90 set peer 215.215.215.1
crypto map toCovenant 90 set transform-set 2ndvpn
isakmp key ******** address 205.205.205.1 netmask 255.255.255.255
isakmp key ******** address 215.215.215.1 netmask 255.255.255.255
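The two tunnels above depend on an ordering detail of PIX/ASA outbound processing: static policy NAT (the `donat`/`donat2` statics) rewrites the inside source first, and only then is the crypto-map ACL (`ipsec`/`ipsec2`) matched against the translated flow, which is why the crypto ACLs name 200.200.200.x rather than 192.168.1.x. The following script is an added example, not part of the thread and not Cisco code: it parses the poster's fake-address configuration (only the ACE, static-policy-NAT and crypto-map forms used above; transform-set and isakmp lines are ignored), applies the policy NAT, selects the crypto-map entry that would encrypt a given inside-to-outside flow, and lints for the common mistake of writing a crypto ACL with the pre-NAT private address. The host-to-host static form is the only NAT shape modeled, and the policy NAT order assumed here (first matching static wins) is a simplification of the real firewall's NAT precedence.

```python
"""Model of PIX/ASA outbound order of operations for the thread's two tunnels:
static policy NAT first, then crypto-map ACL match on the translated source.
Added example; the config text is the poster's (fake addresses), the parser
and checks are not from the thread or from Cisco."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Copied from the post (fake addresses). Lines not affecting flow selection omitted.
PIX_CONFIG = """
access-list ipsec permit ip host 200.200.200.1 host 210.210.210.1
access-list donat permit ip host 192.168.1.13 host 210.210.210.1
access-list ipsec2 permit ip host 200.200.200.2 host 210.210.210.1
access-list donat2 permit ip host 192.168.1.12 host 210.210.210.1
static (inside,outside) 200.200.200.1 access-list donat 0 0
static (inside,outside) 200.200.200.2 access-list donat2 0 0
crypto map toCovenant 80 ipsec-isakmp
crypto map toCovenant 80 match address ipsec
crypto map toCovenant 80 set peer 205.205.205.1
crypto map toCovenant 90 ipsec-isakmp
crypto map toCovenant 90 match address ipsec2
crypto map toCovenant 90 set peer 215.215.215.1
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src, dst) -> bool:
        return src in self.src and dst in self.dst


@dataclass
class Config:
    acls: dict = field(default_factory=lambda: defaultdict(list))  # name -> [Ace]
    statics: list = field(default_factory=list)                    # [(global_ip, acl)]
    crypto: dict = field(default_factory=dict)                     # seq -> {acl, peer}


def _addr(tok, i):
    """Parse one ACE address at tok[i]: 'host A', 'any', or 'A MASK'."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    if tok[i] == "any":
        return ANY, i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse(text: str) -> Config:
    cfg = Config()
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src, i = _addr(tok, 4)
            dst, _ = _addr(tok, i)
            cfg.acls[tok[1]].append(Ace(src, dst))
        elif tok[0] == "static" and "access-list" in tok:
            # static (inside,outside) GLOBAL access-list ACL 0 0  (policy static NAT)
            cfg.statics.append((ipaddress.ip_address(tok[2]), tok[tok.index("access-list") + 1]))
        elif tok[:2] == ["crypto", "map"]:
            entry = cfg.crypto.setdefault(int(tok[3]), {})
            if tok[4:6] == ["match", "address"]:
                entry["acl"] = tok[6]
            elif tok[4:6] == ["set", "peer"]:
                entry["peer"] = tok[6]
    return cfg


def translate(cfg: Config, src, dst):
    """Policy static NAT: the first static whose ACL matches the original flow
    rewrites the source to its global address; otherwise the source is untouched."""
    for global_ip, acl in cfg.statics:
        if any(a.matches(src, dst) for a in cfg.acls.get(acl, [])):
            return global_ip
    return src


def classify_outbound(cfg: Config, src: str, dst: str):
    """Crypto-map entry (lowest seq wins) whose ACL matches the POST-NAT flow,
    or None when nothing matches, i.e. the flow would not be encrypted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nat_src = translate(cfg, s, d)
    for seq in sorted(cfg.crypto):
        entry = cfg.crypto[seq]
        if any(a.matches(nat_src, d) for a in cfg.acls.get(entry.get("acl", ""), [])):
            return {"seq": seq, "peer": entry.get("peer"), "nat_src": str(nat_src)}
    return None


def lint(cfg: Config) -> list:
    """Warn when a crypto ACL names a source that policy NAT translates away:
    such an ACE can never match, because NAT runs before the crypto match."""
    translated = {ace.src for _, acl in cfg.statics for ace in cfg.acls.get(acl, [])}
    warnings = []
    for seq, entry in sorted(cfg.crypto.items()):
        for ace in cfg.acls.get(entry.get("acl", ""), []):
            if ace.src in translated:
                warnings.append(f"crypto map seq {seq}: ACL {entry['acl']} matches "
                                f"pre-NAT source {ace.src}; NAT is applied first")
    return warnings


if __name__ == "__main__":
    cfg = parse(PIX_CONFIG)
    for host in ("192.168.1.13", "192.168.1.12", "192.168.1.50"):
        print(host, "->", classify_outbound(cfg, host, "210.210.210.1"))
    print("lint:", lint(cfg) or "clean")
```

Running it shows 192.168.1.13 translated to 200.200.200.1 and selected by seq 80 (peer 205.205.205.1), 192.168.1.12 by seq 90, and an unrelated inside host matching no tunnel at all. Editing the `ipsec` ACL to use 192.168.1.13 instead of 200.200.200.1 makes `classify_outbound` return None and `lint` report the entry, which is the check worth running on a migrated config before reaching for `debug crypto isakmp`.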

Ok mate. It is quite clear now. If you just wanted to verify the configuration, then I can say that it seems ok. You might need to run debug on ipsec and isakmp and see what is going on when traffic is originating. I would also like you to verify the following:

1. If you had "isakmp identity address" enabled on your PIX, make sure that is enabled on the ASA as well.

2. If you can, ask your peer to clear the SA on their firewall for your IP.

3. I am not sure if you have fired "fixup protocol icmp" on your ASA. But this is just a wild thought, as ICMP is not stateful. But then it is working with other tunnels. Though I would try to check with other protocols than ICMP and see what is happening in debug.

It would be great if you could share debug information here. But that would reveal your IPs, which you do not want to do. So I would suggest you go through the debug once and see at which PHASE you see the problem, and then it would be easier to troubleshoot more.

