Multiple networks in cryptomap not working.

Answered Question
Sep 7th, 2010

Hi.


I have 1 ASA 5505 at a site, and a 5510 at another site. On the 5510 I have 4 subnets on different interfaces.


I have a VPN between the 2 ASAs, and on the 5510 the local net is defined as all of the subnets I want to have access to;

on the 5505 I have the subnets in the remote net.


But when I want to access the networks over the VPN, it won't work.

The connection is up, but under the ASDM monitor (VPN connections, details) I can only see one of the nets from the crypto map,

and I can only ping on that net.


If I do a packet trace on the net shown in the details, I can see it routes over the VPN; if I try one of the other nets, it doesn't route over the VPN.




object-group network DM_INLINE_NETWORK_1
network-object 172.26.1.0 255.255.255.0
network-object 172.26.2.0 255.255.255.0
network-object 172.28.0.0 255.255.248.0
network-object 192.168.0.0 255.255.255.0
access-list whatsup_nat0_outbound extended permit ip 192.168.173.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.173.0 255.255.255.0 object-group DM_INLINE_NETWORK_1


Another question.

How do I allow pinging the interface address from the other interfaces, i.e. over the interface?


And the last one..

Is it possible to do a static NAT from one interface, e.g. Int1 192.168.100.10 -> Int2 -> 10.10.10.10, and then connect to Int1 192.168.100.10 from Int3 20.20.20.20?


/Rene

Nagaraja Thanthry (Cisco Employee) Tue, 09/07/2010 - 05:49

Hello,


For the first question, the problem seems to be with your NAT-0 configuration.


access-list whatsup_nat0_outbound extended permit ip 192.168.173.0 255.255.255.0 192.168.0.0 255.255.255.0


In order for you to be able to communicate with all the networks behind the remote ASA, you need to enable NAT-0 for all remote subnets.


access-list whatsup_nat0_outbound extended permit ip 192.168.173.0 255.255.255.0 object-group DM_INLINE_NETWORK_1


For the second question, you can ping from the remote networks (via VPN) to one interface of the local firewall (typically the inside interface) by using the following command:


management-access "interface name"


ex:


management-access inside


As far as the question about static NAT is concerned, if I understand you correctly, you are looking to statically NAT a host on INT1 to another IP when going to INT2, but you would like to access the same host with its original IP from INT3. That is absolutely possible. But you need to make sure that you are configuring an identity NAT rule between INT1 and INT3.


static (int1,int2) 10.10.10.10 192.168.100.10 netmask 255.255.255.255

static (int1,int3) 192.168.100.10 192.168.100.10 netmask 255.255.255.255


Hope this helps.


Regards,


NT
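
The coverage problem in the first answer (the NAT-0 ACL exempting only one of the four remote subnets the crypto map selects) is easy to check mechanically. The script below is an added example, not part of this thread or any Cisco tool: it parses the pre-8.3 `object-group`, `network-object` and `access-list ... extended permit ip` lines Rene posted (embedded here as a constructed string), and lists every source/destination pair the crypto-map ACL would tunnel that the NAT-0 ACL does not exempt. The parser understands only the syntax that appears in the thread (numeric networks, `host`, `any`, `object-group`); `FIXED_CONFIG` is the same text with the NAT-0 entry rewritten as the answer suggests.

```python
import ipaddress

# Constructed from the lines Rene posted (pre-8.3 ASA syntax); not a live config.
ORIGINAL_CONFIG = """
object-group network DM_INLINE_NETWORK_1
network-object 172.26.1.0 255.255.255.0
network-object 172.26.2.0 255.255.255.0
network-object 172.28.0.0 255.255.248.0
network-object 192.168.0.0 255.255.255.0
access-list whatsup_nat0_outbound extended permit ip 192.168.173.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.173.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
"""

# Same config with the NAT-0 ACL widened to the object-group, as the answer suggests.
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    "permit ip 192.168.173.0 255.255.255.0 192.168.0.0 255.255.255.0",
    "permit ip 192.168.173.0 255.255.255.0 object-group DM_INLINE_NETWORK_1",
)

ANY = ipaddress.ip_network("0.0.0.0/0")


def _operand(tokens, groups):
    """Pop one ACE address operand (any | host A | object-group G | NET MASK) as a list of networks."""
    head = tokens.pop(0)
    if head == "any":
        return [ANY]
    if head == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if head == "object-group":
        return list(groups[tokens.pop(0)])
    return [ipaddress.ip_network(f"{head}/{tokens.pop(0)}", strict=False)]


def parse_config(text):
    """Return (groups, acls). groups: name -> [networks]; acls: name -> [(action, [srcs], [dsts])].
    Only numeric network-objects and 'extended permit/deny ip' entries are understood;
    named objects (such as 'nitron' later in the thread) are not resolved."""
    groups, acls, current = {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["object-group", "network"]:
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object" and current is not None:
            if t[1] == "host":
                current.append(ipaddress.ip_network(t[2] + "/32"))
            else:
                current.append(ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False))
        elif t[0] == "access-list" and t[2:5] in (["extended", "permit", "ip"], ["extended", "deny", "ip"]):
            rest = t[5:]
            srcs = _operand(rest, groups)
            dsts = _operand(rest, groups)
            acls.setdefault(t[1], []).append((t[3], srcs, dsts))
    return groups, acls


def uncovered_vpn_pairs(text, crypto_acl, nat0_acl):
    """(src, dst) pairs the crypto-map ACL selects for the tunnel but the NAT-0 ACL does not
    exempt. Such traffic is translated by the ordinary interface PAT first, then no longer
    matches the crypto ACL, so it never enters the tunnel."""
    _, acls = parse_config(text)
    exempt = [(s, d) for action, srcs, dsts in acls.get(nat0_acl, [])
              if action == "permit" for s in srcs for d in dsts]
    missing = []
    for action, srcs, dsts in acls.get(crypto_acl, []):
        if action != "permit":
            continue
        for src in srcs:
            for dst in dsts:
                if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                    missing.append((str(src), str(dst)))
    return missing


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        gaps = uncovered_vpn_pairs(cfg, "outside_4_cryptomap", "whatsup_nat0_outbound")
        print(f"{label}: {gaps or 'all crypto-map pairs are NAT-exempt'}")
```

On the original config the check reports 172.26.1.0/24, 172.26.2.0/24 and 172.28.0.0/21 as selected by the crypto map but not exempted, which is exactly the "only one net shows up under the tunnel" symptom; on the corrected config it reports nothing. The same comparison is worth running on both tunnel ends, since the peer's NAT-0 ACL has to mirror its own crypto ACL in the same way.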

ReneRasmussen Tue, 09/07/2010 - 05:59

Hi Nagaraja.


Thanks.

Then "access-list whatsup_nat0_outbound extended permit ip 192.168.173.0 255.255.255.0 object-group DM_INLINE_NETWORK_1"

worked perfectly.

So if I understand: the nat0 outbound list is deciding what not to NAT through the "normal" global NAT to outside, and then it goes through the VPN.



As for the static NAT: what I have today is an ASA with 3 interfaces. I have added a fourth, an MPLS net. I want to move one server from INT1 to this MPLS net and not have any clients notice that I have moved it, so I'm doing a static NAT from the original IP to the new one on the MPLS net.


The only problem is that when trying to connect to this static NAT address, I get no connection.


I want all clients from all interfaces to still connect to the old IP (which I'm static NATting to the new IP).


/Rene

Nagaraja Thanthry (Cisco Employee) Tue, 09/07/2010 - 06:04

Hello,


Can you please post your configurations (NAT) here?


Regards,


NT

ReneRasmussen Tue, 09/07/2010 - 06:17

object-group network DM_INLINE_NETWORK_16
network-object 192.168.0.0 255.255.255.0
network-object nitron 255.255.255.0
network-object dmz_zone 255.255.255.0


access-list MPLS_nat0_outbound extended permit ip 172.26.0.0 255.255.252.0 object-group DM_INLINE_NETWORK_16


nat (MPLS) 0 access-list MPLS_nat0_outbound
nat (MPLS) 1 172.26.0.0 255.255.252.0

nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 192.168.0.0 255.255.255.0
nat (dmzzone) 0 access-list dmzzone_nat0_outbound
nat (dmzzone) 0 dmz_zone 255.255.255.0
nat (vms) 0 access-list vms_nat0_outbound
nat (MPLS) 0 access-list MPLS_nat0_outbound
nat (MPLS) 1 172.26.0.0 255.255.252.0
nat (pak) 0 access-list pak_nat0_outbound

static (MPLS,Inside) 192.168.0.199 172.26.2.5 netmask 255.255.255.255



I want the 192.168.0.199 to be accessible from all nets (even though it is NATted to 172.26.2.5),

and I would also like to be able to connect to 172.26.2.5 (not NATted), so I would use both routed and NATted. So the transition to the new net can be made over time.


/Rene

Correct Answer
Nagaraja Thanthry (Cisco Employee) Tue, 09/07/2010 - 06:27

Hello,


The reason it is not working is because of the NAT-0 rule you have configured.


object-group network DM_INLINE_NETWORK_16
network-object 192.168.0.0 255.255.255.0
network-object nitron 255.255.255.0
network-object dmz_zone 255.255.255.0

access-list MPLS_nat0_outbound extended permit ip 172.26.0.0 255.255.252.0 object-group DM_INLINE_NETWORK_16

nat (MPLS) 0 access-list MPLS_nat0_outbound


From the above lines, you can see that 172.26.0.0/22 goes un-natted to the 192.168.0.0/24 subnet (inside). NONAT rule takes precedence over static NAT. So, you are not able to connect using the 192.168.0.199 address. Please insert the following lines into your configuration:


access-list MPLS_nat0_outbound line 1 deny ip host 172.26.2.5 any

access-list pnat1 permit ip host 172.26.2.5 any
access-list pnat2 permit ip host 172.26.2.5 any

no static (MPLS,Inside) 192.168.0.199 172.26.2.5 netmask 255.255.255.255

static (MPLS,Inside) 192.168.0.199 access-list pnat1
static (MPLS,Inside) 172.26.2.5 access-list pnat2


Hope this helps.


Regards,


NT
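
The precedence rule in the accepted answer ("NONAT takes precedence over static NAT") decides which addresses an Inside host can use to reach the MPLS server. The model below is an added example, not part of this thread or any Cisco software: it encodes the MPLS-side rules from the thread as Python data and evaluates them in the pre-8.3 order the answer describes (the `nat 0` ACL is consulted first, first match wins, and a matching `permit` leaves the real address untranslated so no static is applied; otherwise the `static` rules whose policy ACL matches supply the mapped addresses). The named objects `nitron` and `dmz_zone` cannot be resolved from the thread, so the exemption destination here carries only the 192.168.0.0/24 Inside subnet; the host 192.168.0.50 and the `ORIGINAL`/`FIXED` labels are constructed for the example.

```python
import ipaddress


def net(s):
    return ipaddress.ip_network(s, strict=False)


ANY = net("0.0.0.0/0")
H = "172.26.2.5/32"  # the server being moved, as a /32

# Constructed model of Rene's MPLS-facing rules before the fix.
ORIGINAL = {
    # nat (MPLS) 0 access-list MPLS_nat0_outbound, entries in ACL order: (action, src, [dsts])
    "exempt_acl": [("permit", net("172.26.0.0/22"), [net("192.168.0.0/24")])],
    # static (MPLS,Inside) rules in configuration order: (mapped address, (real src, [dsts]))
    # A plain static is modelled as a policy matching the real host towards any destination.
    "statics": [("192.168.0.199", (net(H), [ANY]))],
}

# The same rules with the lines from the accepted answer applied.
FIXED = {
    "exempt_acl": [
        ("deny", net(H), [ANY]),                                  # ... line 1 deny ip host 172.26.2.5 any
        ("permit", net("172.26.0.0/22"), [net("192.168.0.0/24")]),
    ],
    "statics": [
        ("192.168.0.199", (net(H), [ANY])),                       # static ... 192.168.0.199 access-list pnat1
        ("172.26.2.5", (net(H), [ANY])),                          # static ... 172.26.2.5 access-list pnat2
    ],
}


def exemption_decision(exempt_acl, real_src, dst):
    """First-match evaluation of the nat 0 ACL: 'permit', 'deny', or None if nothing matched."""
    real_src, dst = ipaddress.ip_address(real_src), ipaddress.ip_address(dst)
    for action, src_net, dst_nets in exempt_acl:
        if real_src in src_net and any(dst in d for d in dst_nets):
            return action
    return None


def addresses_seen_from_inside(config, real_host, inside_host):
    """Mapped addresses under which inside_host can reach real_host on MPLS.
    Exemption is checked before any static; a permit means only the real address exists."""
    if exemption_decision(config["exempt_acl"], real_host, inside_host) == "permit":
        return {real_host}
    real, inside = ipaddress.ip_address(real_host), ipaddress.ip_address(inside_host)
    mapped = set()
    for mapped_addr, (real_net, dst_nets) in config["statics"]:
        if real in real_net and any(inside in d for d in dst_nets):
            mapped.add(mapped_addr)
    return mapped


if __name__ == "__main__":
    for label, cfg in (("ORIGINAL", ORIGINAL), ("FIXED", FIXED)):
        for host in ("172.26.2.5", "172.26.1.10"):
            print(label, host, "->", sorted(addresses_seen_from_inside(cfg, host, "192.168.0.50")))
```

With the original rules the exemption matches 172.26.2.5 towards Inside, so the only address Inside ever sees is 172.26.2.5 and the static to 192.168.0.199 never takes effect; with the `deny` line in front, the two policy statics make both 192.168.0.199 and 172.26.2.5 reachable, while every other MPLS host (172.26.1.10 in the run above) is still exempted. Note that this ordering belongs to the pre-8.3 NAT syntax used throughout the thread; ASA 8.3 and later replaced it with a unified NAT table and different precedence rules, so the same lines do not carry over unchanged.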

ReneRasmussen Tue, 09/07/2010 - 06:43

So for all IPs I want NATted (when there is a 0 NAT), I do a deny, and then policy NAT for x to y and for x to x.


Great.


Many thanks for the great help.
