no nat on vpn after vpn

mtrovato
Level 1

I have a VPN site (my ASA) to site (Supplier) with a NAT on the outside interface, and it works well. Behind the VPN (my ASA) I have another VPN site (Branch A) to site (my ASA), and it also works well.

My problem is that the traffic from my Branch A to the Supplier is in the clear and isn't NATed.

my ASA

object-group network BranchA
network-object 192.168.1.0 255.255.255.0
object-group network Supplier
network-object 172.22.0.0 255.255.0.0
object-group network allmyBranch
network-object 192.168.0.0 255.255.0.0

access-list inside extended permit ip object-group reteInside object-group BranchA
access-list inside extended permit ip object-group allmyBranch object-group Supplier
access-list nat0_acl extended permit ip object-group reteInside object-group BranchA
access-list VPN-BranchA extended permit ip object-group reteInside object-group BranchA
access-list VPN-Supplier extended permit ip outside interface object-group Supplier
access-list VPN-Supplier extended permit ip object-group allmyBranch object-group Supplier
access-list ToSupplier extended permit ip object-group allmyBranch object-group Supplier

global (outside) 1 interface
nat (inside) 0 access-list nat0_acl
nat (inside) 1 access-list ToSupplier    

Do you have an idea how to solve this? Is it possible?

Thanks

Hi,

You're saying you have two tunnels on the ASA? One to the supplier and one to Branch A?

Are both tunnels terminating on the same interface of the ASA or on different interfaces?

You need communication between the Branch and the Supplier to be encrypted? And NATed?

Please explain.

Federico.

Yes, two tunnels on my ASA on the same outside interface: one to the supplier with NAT and one to my branch. I need to communicate with the supplier from my branch, passing through my ASA.

Ok.

In order for two IPsec tunnels terminating on the outside interface to communicate, you need to enable the command:

same-security-traffic permit intra-interface

Also, you need to include the supplier's LAN on the interesting traffic for the Branch tunnel and vice versa.

If you need to NAT, you also need the NAT rules.

If you need assistance with this, please post the configuration for both tunnels.

Federico.

Thanks for helping me, but the VPN works well: the traffic from my branch goes to the supplier correctly. The problem is that the NAT and the global I created on my ASA work well for the VPN from my ASA to the supplier, but not for the traffic received from the branch to the supplier.

Do you have the traffic from the branch to the supplier included in the NAT rules correctly?

Federico.

My ASA is my headquarters.

The NAT is only in my ASA, not in the Branch router. In the Branch router I have only the settings for the VPN site (branch) to site (my ASA), without NAT.

my ASA

vpn site (branch) to site (my asa)

object-group network BranchA
network-object 192.168.1.0 255.255.255.0
access-list inside extended permit ip object-group reteInside object-group BranchA
access-list inside extended permit ip object-group allmyBranch object-group Supplier
access-list nat0_acl extended permit ip object-group reteInside object-group BranchA
access-list VPN-BranchA extended permit ip object-group reteInside object-group BranchA

nat (inside) 0 access-list nat0_acl

Still in my ASA:

VPN site (my ASA) to site (supplier), where I have inserted the NAT:

object-group network Supplier
network-object 172.22.0.0 255.255.0.0
object-group network allmyBranch (my subnet BranchA + my subnet in headquarter, inside my ASA)
network-object 192.168.0.0 255.255.0.0
access-list VPN-Supplier extended permit ip outside interface object-group Supplier
access-list VPN-Supplier extended permit ip object-group allmyBranch object-group Supplier
access-list ToSupplier extended permit ip object-group allmyBranch object-group Supplier

global (outside) 1 interface
nat (inside) 1 access-list ToSupplier   

The traffic received from my BranchA destined to the Supplier does not transit through this NAT.

Please confirm this:

For the tunnel between the ASA and the supplier, you're doing PAT to the outside IP.
Then encrypting the traffic from the outside IP to the supplier site.

Questions:

1. The problem is the traffic from the ASA to the supplier or only the traffic from the Branch to the supplier?
2. Do you need the traffic from the Branch to the supplier to be PATed as well?

Federico.

1. Only from branch to supplier.

2. Yes.

To be able to PAT the traffic from the Branch to the supplier, you need to include the Branch LAN in the NAT rule on the ASA.
I see you have done that:

object-group network allmyBranch --> This includes the Branch LAN
access-list ToSupplier extended permit ip object-group allmyBranch object-group Supplier
nat (inside) 1 access-list ToSupplier 

Then, encrypting the PAT traffic:


access-list VPN-Supplier extended permit ip outside interface object-group Supplier

If you're going to PAT all traffic, you don't need this line:
access-list VPN-Supplier extended permit ip object-group allmyBranch object-group Supplier

PAT on the ASA:


global (outside) 1 interface
nat (inside) 1 access-list ToSupplier

So the configuration seems fine, I have more questions:

1. Traffic from the ASA's subnet to the supplier's subnet.. is PATed and going through the tunnel fine?
2. Do you see translations on the ASA for the Branch LAN? sh xlate

If the traffic from the Branch should be PATed and then encrypted, let's isolate the problem...
1. Is the traffic from the Branch LAN being translated on the ASA?
2. If so, is the Branch LAN being encrypted? Do you see an IPsec SA for Branch LAN? sh cry ips sa

Federico.

1. Traffic from the ASA's subnet to the supplier's subnet.. is PATed and going through the tunnel fine?

Yes, the ASA's subnet 192.168.10.x is PATed.

2. Do you see translations on the ASA for the Branch LAN? sh xlate

No.

If the traffic from the Branch should be PATed and then encrypted, let's isolate the problem...
1. Is the traffic from the Branch LAN being translated on the ASA?

No.

2. If so, is the Branch LAN being encrypted? Do you see an IPsec SA for Branch LAN? sh cry ips sa

Yes and yes.

Alright.

You're saying that there are no XLATEs for the Branch LAN on the ASA when going to the Supplier site.

We need to verify this configuration then...

Let's assume this scenario:

Branch LAN: 10.1.1.0/24

ASA's LAN: 10.2.2.0/24

Supplier's LAN: 10.3.3.0/24

The ASA currently has two tunnels (to the Branch and Supplier).

In order to PAT the traffic from the Branch to the supplier, the following configuration is needed on the ASA:

access-list NAT permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0

nat (outside) 1 access-list NAT

global (outside) 1 interface

same-security-traffic permit intra-interface

The above NAT line should be nat (outside) because you want to NAT traffic from the Branch (which terminates on the outside interface).

Let me know..

Federico.
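To make the point of this answer concrete (a `nat (X) n access-list A` rule is evaluated only for packets that enter interface X, so Branch traffic arriving through the outside-terminated tunnel never matches `nat (inside) 1`), here is an added Python model of that policy-NAT lookup. It is not code from the thread or from Cisco; it uses the example subnets above and a constructed config snippet, and it ignores the separate `same-security-traffic` hairpin check.

```python
import ipaddress
import re

# Constructed ASA 8.2-style config for the thread's scenario (Federico's example
# subnets). Branch = 10.1.1.0/24, HQ LAN = 10.2.2.0/24, Supplier = 10.3.3.0/24.
BEFORE = """
access-list NAT permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list NAT permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
nat (inside) 1 access-list NAT
global (outside) 1 interface
"""
# The fix from the accepted answer: bind the same policy ACL to the outside interface.
AFTER = BEFORE + "nat (outside) 1 access-list NAT\n"

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
NAT_RE = re.compile(r"nat \((\S+)\) (\d+) access-list (\S+)")

def parse(config):
    """Return ({acl_name: [(src_net, dst_net), ...]}, [(ingress_iface, nat_id, acl), ...])."""
    acls, nats = {}, []
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := NAT_RE.match(line):
            iface, nat_id, acl = m.groups()
            nats.append((iface, int(nat_id), acl))
    return acls, nats

def translated(config, ingress_iface, src, dst):
    """Policy-NAT lookup model: a nat line applies only to packets that ENTER its
    interface and whose src/dst is permitted by its ACL. Returns the nat id or None
    (None = no xlate, i.e. the packet is sent untranslated, as the OP observed)."""
    acls, nats = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for iface, nat_id, acl in nats:
        if iface != ingress_iface:
            continue
        if any(src in s and dst in d for s, d in acls.get(acl, [])):
            return nat_id
    return None

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "HQ->Supplier (enters inside):", translated(cfg, "inside", "10.2.2.5", "10.3.3.5"))
        print(label, "Branch->Supplier (enters outside):", translated(cfg, "outside", "10.1.1.5", "10.3.3.5"))
```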

So... it works!

I have added this line:

nat (outside) 1 access-list ToSupplier

and it works. On my ASA, sh xlate shows me the branch IP PATed correctly.

Thank you very much

I'm glad to hear that.

If the issue is resolved and you find it helpful, please rate the thread and mark it as answered :-)

Thank you.

Federico.
