no nat on vpn after vpn

Answered Question
May 31st, 2010
I have a site-to-site VPN from my ASA to the Supplier with a NAT on the outside interface, and it works well. Behind the VPN (my ASA) I have another site-to-site VPN from Branch A to my ASA, and it also works well.

My problem is that the traffic from my Branch A to the Supplier goes in the clear; it isn't NATed.


my ASA


object-group network BranchA
network-object 192.168.1.0 255.255.255.0
object-group network Supplier
network-object 172.22.0.0 255.255.0.0
object-group network allmyBranch
network-object 192.168.0.0 255.255.0.0

access-list inside extended permit ip object-group reteInside object-group BranchA
access-list inside extended permit ip object-group allmyBranch object-group Supplier
access-list nat0_acl extended permit ip object-group reteInside object-group BranchA
access-list VPN-BranchA extended permit ip object-group reteInside object-group BranchA
access-list VPN-Supplier extended permit ip outside interface object-group Supplier
access-list VPN-Supplier extended permit ip object-group allmyBranch object-group Supplier
access-list ToSupplier extended permit ip object-group allmyBranch object-group Supplier

global (outside) 1 interface
nat (inside) 0 access-list nat0_acl
nat (inside) 1 access-list ToSupplier    


Do you have an idea how to solve this? Is it possible?


Thanks

Federico Coto F... Mon, 05/31/2010 - 08:16

Hi,


You're saying you have two tunnels on the ASA? One to the supplier and one to Branch A?

Are both tunnels terminating on the same interface of the ASA or on different interfaces?


You need communication between the Branch and the Supplier to be encrypted? And NATed?


Please explain.


Federico.

mtrovato Mon, 05/31/2010 - 08:26

Yes, two tunnels on my ASA on the same outside interface: one to the supplier with NAT and one to my branch. I need to communicate with the supplier from my branch, passing through my ASA.

Federico Coto F... Mon, 05/31/2010 - 08:30

Ok.

In order to pass traffic between two IPsec tunnels terminating on the outside interface, you need to enable the command:

same-security-traffic permit intra-interface


Also, you need to include the supplier's LAN on the interesting traffic for the Branch tunnel and vice versa.

If you need to NAT, you also need the NAT rules.


If you need assistance with this, please post the configuration for both tunnels.


Federico.

mtrovato Mon, 05/31/2010 - 08:46

Thanks for helping me, but the VPN works well; I mean the traffic from my branch goes to the supplier correctly. The problem is that the NAT and the global created on my ASA work for the VPN from my ASA to the supplier, not for the traffic received from the branch to the supplier.

Federico Coto F... Mon, 05/31/2010 - 08:51

Do you have the traffic from the branch to the supplier included in the NAT rules correctly?


Federico.

mtrovato Mon, 05/31/2010 - 09:04

My ASA is my headquarters.


The NAT is only on my ASA, not on the Branch router. On the Branch router I have only the settings for the VPN site (branch) to site (my ASA), without NAT.



my ASA


vpn site (branch) to site (my asa)





object-group network BranchA
network-object 192.168.1.0 255.255.255.0
access-list inside extended permit ip object-group reteInside object-group BranchA
access-list inside extended permit ip object-group allmyBranch object-group Supplier
access-list nat0_acl extended permit ip object-group reteInside object-group BranchA
access-list VPN-BranchA extended permit ip object-group reteInside object-group BranchA

nat (inside) 0 access-list nat0_acl

still in my ASA


vpn site (my asa) to site (supplier), where I have inserted the NAT


object-group network Supplier
network-object 172.22.0.0 255.255.0.0
object-group network allmyBranch (my subnet BranchA + my subnet in headquarter, inside my ASA)
network-object 192.168.0.0 255.255.0.0
access-list VPN-Supplier extended permit ip outside interface object-group Supplier
access-list VPN-Supplier extended permit ip object-group allmyBranch object-group Supplier
access-list ToSupplier extended permit ip object-group allmyBranch object-group Supplier

global (outside) 1 interface
nat (inside) 1 access-list ToSupplier   


The traffic received from my BranchA destined for the Supplier does not pass through this NAT.

Federico Coto F... Mon, 05/31/2010 - 09:11

Please confirm this:


For the tunnel between the ASA and the supplier, you're doing PAT to the outside IP.
Then encrypting the traffic from the outside IP to the supplier site.


Questions:

1. The problem is the traffic from the ASA to the supplier or only the traffic from the Branch to the supplier?
2. Do you need the traffic from the Branch to the supplier to be PATed as well?


Federico.

Federico Coto F... Mon, 05/31/2010 - 09:21

To be able to PAT the traffic from the Branch to the supplier, you need to include the Branch LAN in the NAT rule on the ASA.
I see you have done that:


object-group network allmyBranch --> This includes the Branch LAN
access-list ToSupplier extended permit ip object-group allmyBranch object-group Supplier
nat (inside) 1 access-list ToSupplier 


Then, encrypting the PAT traffic:


access-list VPN-Supplier extended permit ip outside interface object-group Supplier

If you're going to PAT all traffic, you don't need this line:
access-list VPN-Supplier extended permit ip object-group allmyBranch object-group Supplier


PAT on the ASA:


global (outside) 1 interface
nat (inside) 1 access-list ToSupplier


So the configuration seems fine, I have more questions:


1. Traffic from the ASA's subnet to the supplier's subnet.. is PATed and going through the tunnel fine?
2. Do you see translations on the ASA for the Branch LAN? sh xlate

If the traffic from the Branch should be PATed and then encrypted, let's isolate the problem...
1. Is the traffic from the Branch LAN being translated on the ASA?
2. If so, is the Branch LAN being encrypted? Do you see an IPsec SA for Branch LAN? sh cry ips sa


Federico.

mtrovato Mon, 05/31/2010 - 09:39

1. Traffic from the ASA's subnet to the supplier's subnet.. is PATed and going through the tunnel fine?

Yes, the ASA's subnet 192.168.10.x is PATed.
2. Do you see translations on the ASA for the Branch LAN? sh xlate

no


If the traffic from the Branch should be PATed and then encrypted, let's isolate the problem...
1. Is the traffic from the Branch LAN being translated on the ASA?

no
2. If so, is the Branch LAN being encrypted? Do you see an IPsec SA for Branch LAN? sh cry ips sa

yes and yes

Federico Coto F... Mon, 05/31/2010 - 09:48

Alright.

You're saying that there are no XLATEs for the Branch LAN on the ASA when going to the Supplier site.

We need to verify this configuration then...


Let's assume this scenario:


Branch LAN: 10.1.1.0/24

ASA's LAN: 10.2.2.0/24

Supplier's LAN: 10.3.3.0/24


The ASA currently has two tunnels (to the Branch and Supplier).


In order to PAT the traffic from the Branch to the supplier, the following configuration is needed on the ASA:


access-list NAT permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0

nat (outside) 1 access-list NAT

global (outside) 1 interface

same-security-traffic permit intra-interface


The above NAT line should be nat (outside) because you want to NAT traffic from the Branch (which terminates on the outside interface).


Let me know..


Federico.
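Added illustration for the answer above, not code from the thread or from Cisco: a small Python model of how a pre-8.3 ASA selects a dynamic NAT/PAT rule and a crypto-map entry for one flow, written to reproduce exactly what this thread describes. The rule that matters is the one Federico points out: `nat (inside) 1` is consulted only for packets that arrive on the inside interface, so a Branch flow that arrives on outside through the Branch tunnel and is hairpinned back out the Supplier tunnel never hits it and keeps its private source address. Because the second VPN-Supplier line (allmyBranch to Supplier) still matches that untranslated source, the flow is encrypted anyway, which is why `sh cry ips sa` showed an SA while `sh xlate` showed nothing. Adding `nat (outside) 1` with the same ACL translates it and lets the `outside interface` crypto line match. Subnets are those of Federico's 10.x scenario; the outside address 203.0.113.1, the peer labels and the assumption that nat-control is off are mine. Python is used only because ASA CLI cannot be executed offline.

```python
"""Model of pre-8.3 ASA NAT/crypto-map selection for a single flow.

Added illustration for the thread above, not Cisco code. Assumptions (not in
the thread): outside address 203.0.113.1, the peer labels, and nat-control off
(an unmatched flow passes untranslated, the default since ASA 7.0).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Subnets from Federico's worked scenario; OUTSIDE_IP is an assumed placeholder.
BRANCH, HQ, SUPPLIER = "10.1.1.0/24", "10.2.2.0/24", "10.3.3.0/24"
OUTSIDE_IP = "203.0.113.1"


def acl_match(acl, src, dst):
    """Return the first (src_net, dst_net) entry covering the flow, else None."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net in acl:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return (src_net, dst_net)
    return None


@dataclass
class Asa:
    acls: dict                 # name -> [(src_net, dst_net), ...]
    nat_rules: list            # [(ingress_iface, pool_id, acl_name)]; pool 0 = exempt
    globals_: dict             # (egress_iface, pool_id) -> PAT address
    crypto: dict               # egress_iface -> [(peer, crypto_acl_name), ...]
    intra_interface: bool = False   # same-security-traffic permit intra-interface
    routes: dict = field(default_factory=lambda: {HQ: "inside"})  # else default route

    def egress_for(self, dst):
        d = ip_address(dst)
        for net, iface in self.routes.items():
            if d in ip_network(net):
                return iface
        return "outside"

    def forward(self, ingress, src, dst):
        """Return what the ASA does with one packet: egress, post-NAT source, peer."""
        egress = self.egress_for(dst)
        if ingress == egress and not self.intra_interface:
            return {"dropped": "same-security-traffic permit intra-interface not set"}
        xsrc = src
        # NAT rules are keyed by the interface the packet ARRIVES on. nat 0 (identity
        # exemption) is evaluated first, then the numbered dynamic rules in order.
        for iface, pool, acl in self.nat_rules:
            if iface == ingress and pool == 0 and acl_match(self.acls[acl], src, dst):
                break
        else:
            for iface, pool, acl in self.nat_rules:
                if iface == ingress and pool and acl_match(self.acls[acl], src, dst):
                    xsrc = self.globals_[(egress, pool)]  # dynamic PAT to the global
                    break
        # The crypto map on the egress interface is matched against the post-NAT source.
        peer = None
        for cand, acl in self.crypto.get(egress, []):
            if acl_match(self.acls[acl], xsrc, dst):
                peer = cand
                break
        return {"egress": egress, "src": xsrc, "peer": peer}


def hq_asa(nat_outside=False, keep_unnatted_line=True):
    """Build the headquarters ASA from the thread, optionally with the fix applied."""
    acls = {
        "nat0_acl": [(HQ, BRANCH)],
        "ToSupplier": [(BRANCH, SUPPLIER), (HQ, SUPPLIER)],      # allmyBranch -> Supplier
        "VPN-BranchA": [(HQ, BRANCH)],
        "VPN-Supplier": [(OUTSIDE_IP + "/32", SUPPLIER)]          # 'outside interface' line
        + ([(BRANCH, SUPPLIER), (HQ, SUPPLIER)] if keep_unnatted_line else []),
    }
    nat_rules = [("inside", 0, "nat0_acl"), ("inside", 1, "ToSupplier")]
    if nat_outside:                                   # the line that fixed it
        nat_rules.append(("outside", 1, "ToSupplier"))
    return Asa(acls=acls, nat_rules=nat_rules, globals_={("outside", 1): OUTSIDE_IP},
               crypto={"outside": [("branch-peer", "VPN-BranchA"),
                                   ("supplier-peer", "VPN-Supplier")]},
               intra_interface=True)


if __name__ == "__main__":
    for label, asa in (("before", hq_asa()), ("after", hq_asa(nat_outside=True))):
        print(label, "branch->supplier:", asa.forward("outside", "10.1.1.5", "10.3.3.7"))
        print(label, "hq->supplier:    ", asa.forward("inside", "10.2.2.9", "10.3.3.7"))
    # With only the 'outside interface' crypto line, un-NATed branch traffic matches no SA.
    print("no nat (outside), no allmyBranch crypto line:",
          hq_asa(keep_unnatted_line=False).forward("outside", "10.1.1.5", "10.3.3.7"))
```

Running it shows the "before" Branch flow leaving for supplier-peer with source 10.1.1.5 and the "after" flow leaving with source 203.0.113.1, matching the `sh xlate` result the original poster reported once `nat (outside) 1` was added. The last line is the check behind Federico's remark that the allmyBranch crypto line is unnecessary once everything is PATed: with it removed and no outside NAT rule, untranslated Branch traffic no longer matches any crypto ACL, so a NAT mistake shows up as a missing SA instead of private addresses silently entering the Supplier tunnel.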

mtrovato Mon, 05/31/2010 - 10:02

So... it works!


I have added this line:

nat (outside) 1 access-list ToSupplier


and it works. On my ASA, sh xlate shows me the branch IP PATed correctly.


Thank you very much

Correct Answer
Federico Coto F... Mon, 05/31/2010 - 10:04

I'm glad to hear that.

If the issue is resolved and you find it helpful, please rate the thread and mark it as answered :-)


Thank you.


Federico.
