IP Sec Tunnel Issue

Answered Question
Jan 3rd, 2010

Hello Experts,

We have a Cisco ASA 5505 (OS version 8.2.1) in use for the Production Site, and it is working fine without any problem. One of the Services Servers is configured with the private IP 192.168.18.104 and NATed to the public IP address 1.1.1.10 on the ASA firewall. A few ports are opened for incoming traffic on the outside interface for the Services Server, which seems to be working fine.

Now we need to establish an IPsec VPN tunnel with a vendor for the Services Server. Phase-1 negotiation has been completed, but some new configuration is required in which we need to allow the interesting traffic based on the public IP rather than the private one, which is what we normally do when creating VPN tunnels between two sites. The tunnel is created between the two sites and it is active. Our outside peer IP address is 1.1.1.1 and the vendor IP address is 2.2.2.1; they are using a Netscreen firewall. Basically, for allowing the traffic we use the private subnet/IP address and send the traffic over the tunnel, like 192.168.18.104 (Private IP) ------ 1.1.1.1 (Outside Interface IP of ASA) ----------- encrypted tunnel --------- 2.2.2.1 (Netscreen Peer IP). Now the problem is that the vendor is using the public IP (1.1.1.10) in their configuration for our Services Server instead of 192.168.18.104. But according to my understanding, we can allow the local subnet/IP in the interesting traffic over the tunnel.

Can anyone help me with whether we can allow the public IP in our configuration, as they are using the public IP address for their Services Server (2.2.2.10)? I don't know what configuration needs to be done so that both servers can communicate with each other. The scenario we want is: 1.1.1.10 (Services Server Public IP)------1.1.1.1----------------------encrypted----------------------2.2.2.1------------------2.2.2.10 (Vendor Services Server).

Regards,

Vinay Gupta

Correct Answer by Joe B Danford, Sun, 01/03/2010 - 11:42

The match ACL will take effect after NAT is performed. So you can virtually use any match ACL as long as it matches what the peer is using and the correct NAT statement is in place. Are you switching over completely from the old method to using just the public IPs? If so I imagine you are using nat exemption. You will need to remove the corresponding nat exemption statement.

If the peer is encrypting all traffic from their public NAT'd IP to your public NAT'd IP you would need to have something like the following for the scenario you pointed out.

1.1.1.10 (Services Server Public IP)------1.1.1.1----------------------encrypted----------------------2.2.2.1------------------2.2.2.10 (Vendor Services Server).

Existing nat statement probably looks something like this?

static (inside,outside) 1.1.1.10 192.168.18.104


VPN config should be similar to this for the match ACL.

access-list acl_vpn_match permit ip host 1.1.1.10 host 2.2.2.10
...
crypto map vpn_map 10 set peer 2.2.2.1
crypto map vpn_map 10 match address acl_vpn_match

If you need the complete config let me know.
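Joe's answer, assembled into a complete ASA 8.2-style configuration for this exact scenario, as an added example (it is not Joe's full config and not taken from Cisco documentation). The names acl_vpn_match and vpn_map come from the post; the exemption ACL name nonat, the transform-set name ESP-AES-SHA, the ISAKMP policy values and the pre-shared-key placeholder are assumptions, and the Netscreen side must be configured with matching proposals.

```cisco
! --- 1. Static NAT already in place for the server's public services ---
! Outbound packets from 192.168.18.104 leave the outside interface as
! 1.1.1.10, which is why the crypto ACL below can name the public address.
static (inside,outside) 1.1.1.10 192.168.18.104 netmask 255.255.255.255

! --- 2. Make sure no NAT exemption covers this flow ---
! On 8.2, "nat 0 access-list" takes precedence over a static translation.
! If the old private-IP tunnel left an entry like the one below, the packet
! reaches the crypto map untranslated (source 192.168.18.104) and never
! matches acl_vpn_match. The ACL name "nonat" is an assumption.
no access-list nonat extended permit ip host 192.168.18.104 host 2.2.2.10

! --- 3. Interesting traffic, written in post-NAT (public) addresses ---
access-list acl_vpn_match extended permit ip host 1.1.1.10 host 2.2.2.10

! --- 4. Phase 1 (already up per the question; values are assumptions) ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>

! --- 5. Phase 2 crypto map. The peer must propose the same proxy IDs
!        (1.1.1.10/32 <-> 2.2.2.10/32) and the same transform ---
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map vpn_map 10 match address acl_vpn_match
crypto map vpn_map 10 set peer 2.2.2.1
crypto map vpn_map 10 set transform-set ESP-AES-SHA
crypto map vpn_map interface outside

! --- 6. Let decrypted traffic bypass the outside interface ACL (on by default) ---
sysopt connection permit-vpn

! --- Verification (exec mode) ---
! Simulate the server talking to the vendor: the trace should show the
! static translation first and then a VPN encrypt phase ending in ALLOW.
packet-tracer input inside tcp 192.168.18.104 1025 2.2.2.10 443
! A tunnel that is up but not passing traffic shows in the encaps/decaps
! counters (one side incrementing, the other not).
show crypto ipsec sa peer 2.2.2.1
show xlate | include 192.168.18.104
```

If the vendor still uses 192.168.18.104 (or any other proxy ID) on their side, the phase 2 proposal will be refused and the debugs Joe asks for below will show syslog 713061, "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy ...", with the proxy IDs each side offered; comparing those two lines against acl_vpn_match is the quickest way to settle an ACL mismatch.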


ray_stone Sun, 01/03/2010 - 22:18

I have already done the same configuration provided by you but still it's not working. Please suggest the other steps in order to rectify this issue ASAP.

Regards,

Vinay Gupta

Joe B Danford Mon, 01/04/2010 - 12:17

Vinay,

Can you provide a copy of the config (scrubbed)? Need to see this. Also would be good to have the following debugs when the connection is tried.

debug cry isa 128

debug cry ipsec 128

And

show cry isa sa

show cry ipsec sa

Thanks,

Joe

solpandor Wed, 01/06/2010 - 03:56

Vinay

I agree with Joe in that the NAT will take effect after matching the ACL, so in theory the snippet of config Joe provided should work.

Have you checked with the vendor that the ACLs are exactly matching yours? I know this normally affects phase 1 (when the tunnel isn't established), but I have experienced it where it has affected phase 2 and not sent traffic through.

Please post your config and, if you can, then also that of your vendor.

I have a VPN set up similar to yours where all traffic to our supplier is sent using the public IPs through the VPN, and it's working fine.

HTH

To NAT a source IP and then encrypt it into an IPsec tunnel requires Policy Based NAT:

1) Define an ACL to be used

2) Define the NAT statement based on the ACL

3) Exempt the NAT'd address from the global NAT (you do not want to double NAT)

4) Apply the PBN to the "outside" interface

5) Define the source NAT address to the destination address ACL

6) Call the NAT ACL in the crypto map

The above is the only way to do it, if I understand the issue correctly.
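The six steps above written out as ASA 8.2 policy static NAT, as an added example that is not the poster's own configuration. It reuses the server, peer and acl_vpn_match / vpn_map names from the thread; the ACL names pbn-acl and nonat are assumptions. Phase 1, the tunnel-group and the remaining crypto map lines (peer, transform set, interface binding) are unchanged from a standard site-to-site setup and are not repeated here.

```cisco
! Step 1: ACL that selects only server-to-vendor traffic (pre-NAT addresses)
access-list pbn-acl extended permit ip host 192.168.18.104 host 2.2.2.10

! Steps 2 and 4: policy static NAT bound to the (inside,outside) pair.
! 192.168.18.104 becomes 1.1.1.10 only when the destination is 2.2.2.10;
! the server's other traffic keeps whatever translation it already has.
! A plain "static (inside,outside) 1.1.1.10 192.168.18.104" cannot coexist
! with this line (same mapped address), so pick one form or the other.
static (inside,outside) 1.1.1.10 access-list pbn-acl

! Step 3: the flow must not be listed in a NAT-exemption ACL. On 8.2,
! "nat 0 access-list" beats any static, and a static already beats the
! dynamic nat/global pair, so removing the exemption is the only change.
! (ACL name "nonat" is an assumption.)
no access-list nonat extended permit ip host 192.168.18.104 host 2.2.2.10

! Step 5: interesting traffic in translated (public) addresses,
! i.e. the source as the peer sees it after step 2
access-list acl_vpn_match extended permit ip host 1.1.1.10 host 2.2.2.10

! Step 6: the crypto map references the match ACL from step 5
crypto map vpn_map 10 match address acl_vpn_match

! Check: the trace should show the policy translation to 1.1.1.10 followed
! by the VPN encrypt phase; a trace to any other destination should not.
packet-tracer input inside tcp 192.168.18.104 1025 2.2.2.10 443
packet-tracer input inside tcp 192.168.18.104 1025 8.8.8.8 443
```

The difference from the plain static in Joe's answer is scope: the policy form translates the server to 1.1.1.10 only for vendor-bound packets, which is useful when the server must not present that public address elsewhere, while the plain static applies to all of its outbound traffic. In both cases the crypto ACL names the translated address, because on 8.2 the crypto map match happens after translation.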
