08-01-2010 06:53 PM
Hi
I need to set up an IPsec VPN tunnel. The far-end site's ASA is behind a Cisco 7200 series router, which is acting as a NAT device for the Cisco ASA. The config is fine on both ends, but we are still not able to establish a VPN tunnel; I don't see anything in the debug on my side.
Is it possible to have a site-to-site VPN tunnel behind a NAT device?
The peer IP which was provided to me is the router's (Cisco 7200 series) outside IP, which is NATed to a private IP on the outside interface of the ASA.
Thanks
Upneet
08-01-2010 08:46 PM
Yes, it is possible. Use an access list to deny the traffic that needs to go through the NAT device. If the peer IP is a.b.c.d, make sure that in the ip nat pool access-list of the NAT device you deny it.
E.g. on the NAT device config:
ip nat inside source list 100
access-list 100 deny ip host asa_external_ip host a.b.c.d <- deny statement
access-list 100 remark ^ Permit vpn tunnel traffic without getting natted ^
access-list 100 permit ip any any
.
.
Hope this helps.
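The NAT access-list trick in the reply above depends on how IOS evaluates a numbered extended ACL when `ip nat inside source list` consults it: top-down, first match wins, implicit deny at the end, `remark` lines never matched, and for a NAT list "permit" means translate while "deny" means leave the packet alone. The following Python model of that evaluation is an added example, not code from the original thread; the ASA outside address, peer address and the interface named in the `ip nat` line are constructed placeholders standing in for the post's asa_external_ip and a.b.c.d.

```python
"""Added example (not from the original post): evaluate an IOS extended
access-list the way `ip nat inside source list <n> ...` consults it.

Semantics modelled: entries are tested top-down, first match wins, an
unmatched flow hits the implicit deny; `host X` is X with wildcard
0.0.0.0, `any` is 0.0.0.0 with wildcard 255.255.255.255, and a bare
`A.B.C.D W.X.Y.Z` pair is address plus wildcard (1 bits = don't care).
For a NAT list, permit means "translate" and deny means "leave alone".
Only `ip`-protocol entries and `remark` lines are handled, which is all
the post's example uses. All addresses are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

AddrSpec = Tuple[int, int]  # (address, wildcard) as 32-bit ints


@dataclass
class Ace:
    action: str     # "permit" or "deny"
    src: AddrSpec
    dst: AddrSpec


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse one source/destination spec starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_acl(config_lines: List[str], number: int) -> List[Ace]:
    """Collect the numbered ACL's entries from running-config lines, in order."""
    aces = []
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 3 or tokens[:2] != ["access-list", str(number)]:
            continue
        if tokens[2] == "remark":          # remarks are comments, never matched
            continue
        action, proto = tokens[2], tokens[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("unsupported ACE: " + line)
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(action, src, dst))
    return aces


def _matches(spec: AddrSpec, ip: str) -> bool:
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF              # wildcard 1-bits are ignored
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def acl_action(aces: List[Ace], src: str, dst: str) -> str:
    """First-match lookup with the implicit deny at the end."""
    for ace in aces:
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action
    return "deny"


def nat_decision(aces: List[Ace], src: str, dst: str) -> str:
    """What `ip nat inside source list` does with this inside->outside flow."""
    return "translate" if acl_action(aces, src, dst) == "permit" else "bypass"


# Constructed stand-ins for the post's asa_external_ip and a.b.c.d; the
# interface name on the `ip nat` line is also constructed.
ASA_OUTSIDE = "192.0.2.10"
VPN_PEER = "198.51.100.1"
NAT_DEVICE_CONFIG = [
    "ip nat inside source list 100 interface FastEthernet0/0 overload",
    "access-list 100 deny ip host 192.0.2.10 host 198.51.100.1",
    "access-list 100 remark ^ Permit vpn tunnel traffic without getting natted ^",
    "access-list 100 permit ip any any",
]
ACL_100 = parse_acl(NAT_DEVICE_CONFIG, 100)

if __name__ == "__main__":
    for dst in (VPN_PEER, "203.0.113.7"):
        print(ASA_OUTSIDE, "->", dst, ":", nat_decision(ACL_100, ASA_OUTSIDE, dst))
```

Running it shows the ASA-to-peer flow hitting the deny (bypassing translation) while the same source talking to any other destination falls through to `permit ip any any` and is translated; the order of the two entries is what makes this work, since a `permit ip any any` placed first would shadow the deny.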
08-01-2010 09:48 PM
Take care of the following:
peer IP both public
7200 should do a one-to-one NAT for the ASA outside IP (static)
crypto ACLs should match on both ends - so in your case it will be private to private
configure NAT traversal
NAT exemption for crypto traffic on both ends - but I don't think you are doing NAT on the ASA, as the 7200 is doing the NAT anyway
make sure you have these ports open on all 3 devices
udp 500
esp 50
udp 4500
on the ASA you can give sysopt connection permit-vpn
run packet-tracer on the ASA and see where it is getting dropped
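The "configure NAT traversal" and "udp 4500" items above are two halves of the same mechanism: with NAT-T enabled, each IKEv1 peer sends NAT-D payloads carrying HASH(CKY-I | CKY-R | IP | Port) computed with the negotiated phase-1 hash (RFC 3947), the receiver recomputes the hash over the address and port it actually saw the packet arrive from, and a mismatch means a NAT rewrote them, after which IKE floats to UDP 4500 and ESP is carried in UDP as well. The Python model below is an added example, not code from the thread or from Cisco; the ISAKMP cookies and all addresses are constructed, and it assumes the 7200's static 1:1 NAT leaves UDP port 500 unchanged.

```python
"""Added example (not from the original post): IKEv1 NAT-Traversal
detection from RFC 3947, which is what `crypto isakmp nat-traversal`
enables on the ASA. Each side sends NAT-D payloads containing
HASH(CKY-I | CKY-R | IP | Port) with the negotiated phase-1 hash
(SHA-1 for a policy using `hash sha`); the receiver recomputes the hash
over the addresses it actually observed and a mismatch means a NAT
rewrote them. If either side is behind NAT, IKE floats to UDP 4500 and
ESP is UDP-encapsulated too. Cookies and addresses below are constructed.
"""
import hashlib
import ipaddress
import struct
from typing import List, Tuple

# Constructed ISAKMP cookies (8 bytes each), fixed so results are repeatable.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")
IKE_PORT = 500
NAT_T_PORT = 4500


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """NAT-D hash per RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port)."""
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)   # 4 bytes for IPv4, 16 for IPv6
    h.update(struct.pack("!H", port))           # 2 bytes, network byte order
    return h.digest()


def build_nat_d(cky_i: bytes, cky_r: bytes, local_ip: str, local_port: int,
                remote_ip: str, remote_port: int, hash_name: str = "sha1") -> List[bytes]:
    """Sender's NAT-D list: the remote (destination) address first, then its own local address."""
    return [
        nat_d(cky_i, cky_r, remote_ip, remote_port, hash_name),
        nat_d(cky_i, cky_r, local_ip, local_port, hash_name),
    ]


def detect_nat(cky_i: bytes, cky_r: bytes, received: List[bytes],
               observed_src_ip: str, observed_src_port: int,
               my_ip: str, my_port: int, hash_name: str = "sha1") -> Tuple[bool, bool]:
    """Receiver's check. Returns (peer_behind_nat, self_behind_nat).

    The peer is behind NAT if none of its local-address hashes equals the
    hash over the source address/port the packet actually arrived from;
    we are behind NAT if the first hash (the peer's idea of our address)
    differs from the hash over our own address/port."""
    mine = nat_d(cky_i, cky_r, my_ip, my_port, hash_name)
    seen = nat_d(cky_i, cky_r, observed_src_ip, observed_src_port, hash_name)
    peer_behind_nat = seen not in received[1:]
    self_behind_nat = received[0] != mine
    return peer_behind_nat, self_behind_nat


def negotiated_port(peer_behind_nat: bool, self_behind_nat: bool) -> int:
    """Port the rest of IKE (and UDP-encapsulated ESP) moves to."""
    return NAT_T_PORT if (peer_behind_nat or self_behind_nat) else IKE_PORT


def simulate(asa_outside_ip: str, router_public_ip: str, remote_peer_ip: str) -> Tuple[bool, bool, int]:
    """Model the thread's topology: the ASA (private outside IP) initiates,
    the 7200's static 1:1 NAT rewrites the source to its public IP with
    port 500 unchanged (assumption), and the remote peer runs the detection."""
    payloads = build_nat_d(CKY_I, CKY_R, asa_outside_ip, IKE_PORT, remote_peer_ip, IKE_PORT)
    peer_nat, self_nat = detect_nat(CKY_I, CKY_R, payloads,
                                    router_public_ip, IKE_PORT, remote_peer_ip, IKE_PORT)
    return peer_nat, self_nat, negotiated_port(peer_nat, self_nat)


if __name__ == "__main__":
    print("static NAT in path:", simulate("10.1.1.2", "192.0.2.1", "198.51.100.1"))
    print("no NAT in path:    ", simulate("192.0.2.1", "192.0.2.1", "198.51.100.1"))
```

With the 7200 translating the ASA's outside address, the remote peer computes a different hash over the address it sees than the one the ASA sent, flags the initiator as behind NAT, and both sides move to UDP 4500. With `no crypto isakmp nat-traversal` on the ASA this exchange never takes place, because the NAT-T vendor ID is not advertised, so IKE stays on UDP 500 and ESP goes out as raw protocol 50, which then has to survive the NAT device and every filter in the path on its own.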
08-02-2010 09:02 AM
Thanks for the quick help folks
A bit more description of the problem:
Side A:
Router (Public IP) (A.A.A.A)
|
|
Firewall ASA (Private IP) (P.P.P.P)
|
|
Switch
|
|
Host
The config on the router:
ip nat inside source static P.P.P.P A.A.A.A
and the ASA has the following:
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer B.B.B.B
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B ipsec-attributes
pre-shared-key *
access-list outside_cryptomap extended permit tcp object-group OUR_END_INTERNAL object-group CLIENT_END_INTERNAL
access-list inside_nat0_outbound extended permit ip object-group OUR_END_INTERNAL 172.16.197.0 255.255.255.0
Side B:
Firewall (Public IP) (B.B.B.B)
And on this firewall it is the opposite of the above, and about 20 VPN tunnels are already up and running on this side.
Thanks
Upneet
08-02-2010 09:13 AM
So you are not able to establish the VPN tunnel, right? Can you see if you get any debugs at all on either of the ASAs? Try initiating from your ASA and see if you see some debugs, at least on where it is failing.
deb cry isa sa 127 should do. term mon if you are using a monitor session to show debugs.
08-02-2010 09:14 AM
Try the following:
crypto isakmp nat-traversal
Also, I see the nonat and crypto ACLs look different on the ASA: one has ip and the other has an object-group name. Can you please check if both of them are the same?
08-02-2010 06:18 PM
Hi Upneet,
I think your VPN end point should terminate at the router instead of the firewall. From your config statements for the ASA, it seems like you are terminating at the firewall. It makes more sense to have the terminating point on the external interface of the router rather than move it to an internal firewall. Use this link http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml as a guide to configuring an IOS router VPN tunnel.