VPN with crazy NAT

Unanswered Question
Nov 16th, 2009

I have the following information to create a tunnel....

Our endpoint is: 66.179.80.108

Our network is: 192.168.50.0 (255.255.255.0)

will need to make ACL from 172.38.14.8 to hosts 192.168.50.83, 192.168.50.86, 192.168.50.50, and 192.168.50.85

clinic will need to NAT interesting traffic to 172.38.14.0 255.255.255.0

Phase 1

Authentication: Pre-Shared

Encryption: 3DES

Hash: SHA

DH: 1

Lifetime: 86400 sec

Pre-shared Key: XXXXXXXXXXX

Phase2

ESP encryption 3DES

ESP authentication

Lifetime 28800

I found a script for this specific tunnel. It complains about syntax in a couple of places:

! add these lines to the access list you use for traffic coming

! in to your public interface. change the access list name of

! "outside_in" to whatever you use

access-list outside_in extended permit esp host 66.179.80.108 host 68.16.141.194

access-list outside_in extended permit ah host 66.179.80.108 host 68.16.141.194

access-list outside_in extended permit ip host 66.179.80.108 host 68.16.141.194

access-list outside_in extended permit gre host 66.179.80.108 host 68.16.141.194

access-group outside_in in interface outside

! this says "do not NAT between our networks"

access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0

nat (inside) 0 access-list NONAT

nat (inside) 1 192.168.1.0 255.255.255.0

access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.83

access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.50

access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.86

access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.85

crypto isakmp identify address

crypto isakmp policy 1 authentication pre-share

crypto isakmp policy 1 encryption 3des

crypto isakmp policy 1 hash sha

crypto isakmp policy 1 group 1

crypto isakmp policy 1 lifetime 86400

crypto ipsec transform-set ASA5505 esp-des esp-sha-hmac

crypto ipsec df-bit clear-df outside

crypto map PIX 10 match address PIXMAP

crypto map PIX 10 set peer 66.179.80.108

crypto map PIX 10 set transform-set ASA5505

crypto map PIX 10 set security-association lifetime seconds 28800

crypto map PIX interface outside

pre-shared-key XXXXXXXXXXXX

tunnel-group 66.179.80.108 type ipsec-l2l

tunnel-group 66.179.80.108 ipsec-attributes

Phase 1 completes (I think) and Phase 2 errors as so...

1 Nov 16 2009 07:26:35 713900 Group = 66.179.80.108, IP = 66.179.80.108, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

3 Nov 16 2009 07:26:35 713902 Group = 66.179.80.108, IP = 66.179.80.108, Removing peer from correlator table failed, no match!

Thanks in advance for the omnipotent wisdom of the Cisco Gurus!

Jon Marshall Mon, 11/16/2009 - 12:32

Matt

If this is a pix then you do not need the following lines in the acl on the outside interface -

access-list outside_in extended permit esp host 66.179.80.108 host 68.16.141.194

access-list outside_in extended permit ah host 66.179.80.108 host 68.16.141.194

access-list outside_in extended permit ip host 66.179.80.108 host 68.16.141.194

access-list outside_in extended permit gre host 66.179.80.108 host 68.16.141.194

Can you also clarify exactly what addressing you want to use. You have a crypto map acl that says -

access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.83

access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.50

access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.86

access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.85

and yet in your opening sentences you say -

"will need to make ACL from 172.38.14.8 to hosts192.168.50.83, 192.168.50.86, 192.168.50.50, and 192.168.50.85"

so where does 172.38.14.8 come into it?

Jon

mattbilbrey Mon, 11/16/2009 - 12:36

Thanks for the response!

This device is an ASA 5505

The tunnel is a host-to-host tunnel that will only be allowed to communicate between 192.168.1.8 (my side) and 192.168.50.83, .85, .86, and .50 (remote side)

172.38.14.8 is the address that the remote endpoint is expecting to see all traffic coming from.

According to the 3rd party 172.38.14.8 is the only address they will accept traffic from.

Thanks!

Jon Marshall Mon, 11/16/2009 - 12:50

Matt

Right, then you don't need those lines on the outside acl.

Then, you are doing a NAT exemption for the VPN but the 3rd party wants you to NAT so you need to update your config -

1) Change -

access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.83

access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.50

access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.86

access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.85

to

access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.83

access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.50

access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.86

access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.85

2) You then need to NAT your source address(es) to 172.38.14.8 if they are going to 192.168.50.x addressing. You only have one source address in your example, i.e. 192.168.1.8, so we'll use that

First you need to remove these 2 lines because you actually do want to NAT -

nat (inside) 0 access-list NONAT

nat (inside) 1 192.168.1.0 255.255.255.0

then we need an acl to define which traffic to NAT

access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.83

access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.50

access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.86

access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.85

static (inside,outside) 172.38.14.8 access-list PNAT

Can you make the above changes and then retest.

Jon

mattbilbrey Mon, 11/16/2009 - 13:00

Result of the command: "! add these lines to the access list you use for traffic coming"

The command has been sent to the device

Result of the command: "! in to your public interface. change the access list name of"

The command has been sent to the device

Result of the command: "! "outside_in" to whatever you use"

The command has been sent to the device

Result of the command: "access-list outside_in extended permit esp host 66.179.80.108 host 68.16.141.194"

WARNING: found duplicate element

Result of the command: "access-list outside_in extended permit ah host 66.179.80.108 host 68.16.141.194"

WARNING: found duplicate element

Result of the command: "access-list outside_in extended permit ip host 66.179.80.108 host 68.16.141.194"

WARNING: found duplicate element

Result of the command: "access-list outside_in extended permit gre host 66.179.80.108 host 68.16.141.194"

WARNING: found duplicate element

Result of the command: "access-group outside_in in interface outside"

The command has been sent to the device

Result of the command: "! this says "do not NAT between our networks""

The command has been sent to the device

Result of the command: "access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0"

WARNING: found duplicate element

Result of the command: "access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.83"

The command has been sent to the device

Result of the command: "access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.50"

The command has been sent to the device

Result of the command: "access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.86"

The command has been sent to the device

Result of the command: "access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.85"

The command has been sent to the device

Result of the command: "static (inside,outside) 172.38.14.8 access-list PNAT"

ERROR: mapped-address conflict with existing static

inside:192.168.1.8 to outside:172.38.14.8 netmask 255.255.255.255

Usage: [no] static [(real_ifc, mapped_ifc)]

{|interface}

{ [netmask ]} | {access-list }

[dns]

]]

[udp ]

[no] static [(real_ifc, mapped_ifc)] {tcp|udp}

{|interface}

{ [netmask ]} |

{access-list }

[dns]

]]

[udp ]

show running-config [all] static []

clear configure static

Result of the command: "access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.83"

The command has been sent to the device

Result of the command: "access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.50"

The command has been sent to the device

Result of the command: "access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.86"

The command has been sent to the device

Result of the command: "access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.85"

The command has been sent to the device

Result of the command: "crypto isakmp identify address"

crypto isakmp identify address

^


ERROR: % Invalid input detected at '^' marker.

Result of the command: "crypto isakmp policy 1 authentication pre-share"

The command has been sent to the device

Result of the command: "crypto isakmp policy 1 encryption 3des"

The command has been sent to the device

Result of the command: "crypto isakmp policy 1 hash sha"

The command has been sent to the device

Result of the command: "crypto isakmp policy 1 group 1"

The command has been sent to the device

Result of the command: "crypto isakmp policy 1 lifetime 86400"

The command has been sent to the device

Result of the command: "crypto ipsec transform-set ASA5505 esp-des esp-sha-hmac"

The command has been sent to the device

Result of the command: "crypto ipsec df-bit clear-df outside"

The command has been sent to the device

Result of the command: "crypto map PIX 10 match address PIXMAP"

The command has been sent to the device

Result of the command: "crypto map PIX 10 set peer 66.179.80.108"

The command has been sent to the device

Result of the command: "crypto map PIX 10 set transform-set ASA5505"

The command has been sent to the device

Result of the command: "crypto map PIX 10 set security-association lifetime seconds 28800"

The command has been sent to the device

Result of the command: "crypto map PIX interface outside"

The command has been sent to the device

Result of the command: "pre-shared-key CrmEF8c3BZPUSYNsq8q7"

pre-shared-key CrmEF8c3BZPUSYNsq8q7

^

ERROR: % Invalid input detected at '^' marker.

Result of the command: "tunnel-group 66.179.80.108 type ipsec-l2l"

tunnel-group 66.179.80.108 type ipsec-l2l

^

ERROR: % Invalid input detected at '^' marker.

Result of the command: "tunnel-group 66.179.80.108 ipsec-attributes"

The command has been sent to the device

I still have the same errors with phase 2.... Thanks again for the hand holding!

Jon Marshall Mon, 11/16/2009 - 13:04

Matt

Are you using ASDM or are you using the CLI?

The config changes I sent would require you to remove some bits.

Can you post the current config you are using.

Jon

mattbilbrey Mon, 11/16/2009 - 13:12

I am using the command line interface from the ASDM. Below is the result of show startup-config

: Saved

: Written by enable_15 at 09:32:05.797 UTC Mon Nov 16 2009

!

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password BARXKS2hn1aBh6hZ encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 68.16.141.194 PublicIP

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group att

ip address PublicIP 255.255.255.255 pppoe setroute

!

interface Vlan3

shutdown

no forward interface Vlan1

nameif dmz

security-level 50

no ip address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

object-group service RDP tcp

port-object eq 3389

object-group network remote-vpn-hosts

network-object host 192.168.50.50

network-object host 192.168.50.83

network-object host 192.168.50.86

access-list outside_access_inside extended permit ip any any

access-list outside_access_inside extended permit tcp any host PublicIP eq 3389

access-list Sayani_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.38.14.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.38.14.0 255.255.255.0

access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.83

access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.50

access-list PIXMAP extended permit ip host 192.168.1.8 host 192.168.50.86

access-list outside_in extended permit esp host 66.179.80.108 host PublicIP

access-list outside_in extended permit ah host 66.179.80.108 host PublicIP

access-list outside_in extended permit ip host 66.179.80.108 host PublicIP

access-list outside_in extended permit gre host 66.179.80.108 host PublicIP

access-list cryptomap_acl extended permit ip host 172.38.14.8 object-group remote-vpn-hosts

access-list static-vpn1 extended permit ip host 192.168.1.8 object-group remote-vpn-hosts

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool Sayani_Pool 192.168.1.220-192.168.1.225 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (outside) 10 192.168.1.8

nat (inside) 0 access-list NONAT

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 192.168.1.8 3389 netmask 255.255.255.255

static (inside,outside) 172.38.14.8 access-list static-vpn1

access-group outside_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02


timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ASA5505 esp-3des esp-sha-hmac

crypto ipsec df-bit clear-df outside

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map PIX 10 match address PIXMAP

crypto map PIX 10 set pfs group1

crypto map PIX 10 set peer 66.179.80.108

crypto map PIX 10 set transform-set ESP-3DES-SHA

crypto map PIX interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 1

lifetime 86400

crypto isakmp nat-traversal 20

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

management-access inside

vpdn group att request dialout pppoe

vpdn group att localname [email protected]

vpdn group att ppp authentication pap

vpdn username [email protected] password jkk843 store-local

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.254 inside

!

group-policy Sayani internal

group-policy Sayani attributes

dns-server value 192.168.1.8

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Sayani_splitTunnelAcl

default-domain value DSIM.local

group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server none

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout 30

vpn-session-timeout none

vpn-filter none

vpn-tunnel-protocol IPSec l2tp-ipsec

password-storage disable

ip-comp disable

re-xauth disable

group-lock none

pfs enable

ipsec-udp disable

ipsec-udp-port 10000

split-tunnel-policy tunnelall

split-tunnel-network-list none

default-domain none

split-dns none

intercept-dhcp 255.255.255.255 disable

secure-unit-authentication disable

user-authentication disable

user-authentication-idle-timeout 30

ip-phone-bypass disable

leap-bypass disable

nem disable

backup-servers keep-client-config

msie-proxy server none

msie-proxy method no-modify

msie-proxy except-list none

msie-proxy local-bypass disable

nac disable

nac-sq-period 300

nac-reval-period 36000

nac-default-acl none

address-pools none

smartcard-removal-disconnect enable

client-firewall none

client-access-rule none

webvpn

functions url-entry

html-content-filter none

homepage none

keep-alive-ignore 4

http-comp gzip

filter none

url-list none

customization value DfltCustomization

port-forward none

port-forward-name value Application Access

sso-server none

deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information

svc none

svc keep-installer installed

svc keepalive none

svc rekey time none

svc rekey method none

svc dpd-interval client none

svc dpd-interval gateway none

svc compression deflate

username sayani password rAVpdpP7rbTdd3qu encrypted privilege 15

username sayani attributes

vpn-group-policy Sayani

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

tunnel-group Sayani type ipsec-ra

tunnel-group Sayani general-attributes

address-pool Sayani_Pool

default-group-policy Sayani


tunnel-group Sayani ipsec-attributes

pre-shared-key *

tunnel-group 66.179.80.108 type ipsec-l2l

tunnel-group 66.179.80.108 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:e47508892c1737bc0732ecd1807c72ab

Jon Marshall Mon, 11/16/2009 - 13:19

Matt

Think you're getting the PNAT message because you have this -

static (inside,outside) tcp interface 3389 192.168.1.8 3389 netmask 255.255.255.255

so you are already natting 192.168.1.8 to the outside interface address.

As for the rest I'm not that good with ASDM, I just use the CLI. So you need to remove and then replace, i.e.

no access-list PIXMAP

then

access-list PIXMAP permit ip 172.38.14.8 .... etc.

Jon

Jon Marshall Mon, 11/16/2009 - 12:54

Matt

Apologies, quick update. I said remove -

nat (inside) 0 access-list NONAT

nat (inside) 1 192.168.1.0 255.255.255.0

don't do that :-)

You need to remove these 2 lines -

access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0

nat (inside) 0 access-list NONAT

Jon
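Added example, not code from the thread and not Cisco's: a small Python model of the outbound path Jon's 12:50 post and his 12:54 correction are reasoning about. On a pre-8.3 ASA an outbound packet is translated first (NAT exemption from `nat 0 access-list` wins over a `static ... access-list` policy NAT, which wins over dynamic `nat`/`global` PAT) and only then compared against the crypto-map ACL, so the Phase 2 proxy IDs the box proposes are the post-NAT addresses. The model runs the flow 192.168.1.8 to 192.168.50.83 through three variants of the config in the thread. Addresses are the thread's; the list of proxy IDs the clinic's peer will accept is an assumption derived from the opening post's requirement (172.38.14.8 to the four hosts), and the NAT order is a deliberate simplification covering only the rule types this config uses.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One 'access-list <name> extended permit ip <src> <dst>' entry."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, s: IPv4Address, d: IPv4Address) -> bool:
        return s in self.src and d in self.dst


def ace(src: str, dst: str) -> Ace:
    return Ace(ip_network(src), ip_network(dst))


@dataclass
class AsaNat:
    """Subset of pre-8.3 ASA NAT, checked in the order the box applies it to an
    outbound packet: NAT exemption, then static policy NAT, then dynamic PAT."""
    exempt: list            # nat (inside) 0 access-list NONAT
    static_policy: list     # [(mapped_ip, [Ace, ...])]  static (inside,outside) <mapped> access-list <acl>
    dynamic: list           # nat (inside) 1 <net>, paired with global (outside) 1 interface
    outside_ip: IPv4Address

    def translate(self, src: IPv4Address, dst: IPv4Address):
        for a in self.exempt:
            if a.matches(src, dst):
                return src, "exempt"
        for mapped, aces in self.static_policy:
            if any(a.matches(src, dst) for a in aces):
                return mapped, "static-policy"
        if any(src in net for net in self.dynamic):
            return self.outside_ip, "dynamic-pat"
        return src, "none"


def outbound(nat: AsaNat, crypto_acl: list, src: IPv4Address, dst: IPv4Address):
    """NAT first, then match the crypto-map ACL against the translated source.
    Returns (nat_kind, (proxy_src, proxy_dst)), or (nat_kind, None) when no
    crypto ACE matches, i.e. the packet leaves the outside interface in the clear."""
    t_src, how = nat.translate(src, dst)
    for a in crypto_acl:
        if a.matches(t_src, dst):
            return how, (str(a.src), str(a.dst))
    return how, None


REMOTE_HOSTS = ["192.168.50.83", "192.168.50.86", "192.168.50.50", "192.168.50.85"]
OUTSIDE_IP = ip_address("68.16.141.194")
MAPPED = ip_address("172.38.14.8")
# Assumption: the clinic's crypto ACL mirrors the requirement in the opening
# post, so it accepts exactly these proxy IDs (our side listed first).
PEER_ACCEPTS = {(f"{MAPPED}/32", f"{h}/32") for h in REMOTE_HOSTS}
PNAT = [ace("192.168.1.8/32", f"{h}/32") for h in REMOTE_HOSTS]   # access-list PNAT
NONAT = [ace("192.168.1.0/24", "192.168.50.0/24")]                # access-list NONAT


def scenario(exempt: list, crypto_src: str):
    """Run 192.168.1.8 -> 192.168.50.83 through one variant of the config."""
    nat = AsaNat(exempt, [(MAPPED, PNAT)], [ip_network("192.168.1.0/24")], OUTSIDE_IP)
    pixmap = [ace(f"{crypto_src}/32", f"{h}/32") for h in REMOTE_HOSTS]
    how, ids = outbound(nat, pixmap, ip_address("192.168.1.8"), ip_address("192.168.50.83"))
    return how, ids, ids in PEER_ACCEPTS


def as_posted():
    """nat 0 NONAT still in place and PIXMAP keyed on the real address 192.168.1.8."""
    return scenario(NONAT, "192.168.1.8")


def nonat_removed_only():
    """nat 0 NONAT removed, but PIXMAP still keyed on 192.168.1.8."""
    return scenario([], "192.168.1.8")


def as_jon_suggests():
    """nat 0 NONAT removed, static policy NAT to 172.38.14.8, PIXMAP keyed on 172.38.14.8."""
    return scenario([], "172.38.14.8")


if __name__ == "__main__":
    for f in (as_posted, nonat_removed_only, as_jon_suggests):
        how, ids, ok = f()
        print(f"{f.__name__:20} nat={how:14} proxy_ids={ids} peer_accepts={ok}")
```

The first variant exempts the flow from NAT, so the box proposes 192.168.1.8/32 to 192.168.50.83/32 and the peer, which only has policy for 172.38.14.8, has nothing to match it against. The middle variant is the one to watch when applying the fix in two steps: once NONAT is gone the source is translated to 172.38.14.8, the crypto ACL keyed on 192.168.1.8 no longer matches, and the model reports the packet leaving unencrypted rather than failing closed, so change the NAT and the crypto ACL together. The model does not check for overlapping statics; the `mapped-address conflict` error in the 13:00 post quotes `inside:192.168.1.8 to outside:172.38.14.8`, and the startup-config posted later already carries that pair as `static (inside,outside) 172.38.14.8 access-list static-vpn1`, so run `show running-config static` before adding a second static for the same real/mapped pair.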

mattbilbrey Mon, 11/16/2009 - 13:27

Result of the command: "! add these lines to the access list you use for traffic coming"

The command has been sent to the device

Result of the command: "! in to your public interface. change the access list name of"

The command has been sent to the device

Result of the command: "! "outside_in" to whatever you use"

The command has been sent to the device

Result of the command: "access-list outside_in extended permit esp host 66.179.80.108 host 68.16.141.194"

WARNING: found duplicate element

Result of the command: "access-list outside_in extended permit ah host 66.179.80.108 host 68.16.141.194"

WARNING: found duplicate element

Result of the command: "access-list outside_in extended permit ip host 66.179.80.108 host 68.16.141.194"

WARNING: found duplicate element

Result of the command: "access-list outside_in extended permit gre host 66.179.80.108 host 68.16.141.194"

WARNING: found duplicate element

Result of the command: "access-group outside_in in interface outside"

The command has been sent to the device

Result of the command: "! this says "do not NAT between our networks""

The command has been sent to the device

Result of the command: "nat (inside) 1 192.168.1.0 255.255.255.0"

Duplicate NAT entry

Result of the command: "access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.83"

WARNING: found duplicate element

On Mon, Nov 16, 2009 at 4:24 PM, Matt Bilbrey <[email protected]> wrote:

! add these lines to the access list you use for traffic coming

! in to your public interface. change the access list name of

! "outside_in" to whatever you use

access-list outside_in extended permit esp host 66.179.80.108 host 68.16.141.194

access-list outside_in extended permit ah host 66.179.80.108 host 68.16.141.194

access-list outside_in extended permit ip host 66.179.80.108 host 68.16.141.194

access-list outside_in extended permit gre host 66.179.80.108 host 68.16.141.194

access-group outside_in in interface outside

! this says "do not NAT between our networks"

nat (inside) 1 192.168.1.0 255.255.255.0

access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.83

access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.50

access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.86

access-list PNAT extended permit ip host 192.168.1.8 host 192.168.50.85

static (inside,outside) 172.38.14.8 access-list PNAT

access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.83

access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.50

access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.86

access-list PIXMAP extended permit ip host 172.38.14.8 host 192.168.50.85

crypto isakmp identify address

crypto isakmp policy 1 authentication pre-share

crypto isakmp policy 1 encryption 3des

crypto isakmp policy 1 hash sha

crypto isakmp policy 1 group 1

crypto isakmp policy 1 lifetime 86400

crypto ipsec transform-set ASA5505 esp-des esp-sha-hmac

crypto ipsec df-bit clear-df outside

crypto map PIX 10 match address PIXMAP

crypto map PIX 10 set peer 66.179.80.108

crypto map PIX 10 set transform-set ASA5505

crypto map PIX 10 set security-association lifetime seconds 28800

crypto map PIX interface outside

pre-shared-key CrmEF8c3BZPUSYNsq8q7

tunnel-group 66.179.80.108 type ipsec-l2l

tunnel-group 66.179.80.108 ipsec-attributes

I am still getting the same "no spi to identify phase 2 sa" error

Thanks!
