p2p with nating howto

Unanswered Question
Sep 10th, 2010
User Badges:

I am trying to set up a p2p connection to a site where they want me to  nat our ips to a different scheme.


Here is the relevant config


access-list INTERNETHUB2_cryptomap_60 extended permit ip 10.99.48.0 255.255.255.0 host 32.90.100.7
access-list policy_nat extended permit ip 172.30.5.0 255.255.255.0 host 32.90.100.7
static (VLAN1,INTERNETHUB2) 10.99.48.0  access-list policy_nat
crypto map INTERNETHUB2_map 60 match address INTERNETHUB2_cryptomap_60
crypto map INTERNETHUB2_map 60 set peer 67.208.150.94 63.240.239.45
crypto map INTERNETHUB2_map 60 set transform-set ESP-3DES-SHA
tunnel-group 67.208.150.94 type ipsec-l2l
tunnel-group 67.208.150.94 ipsec-attributes
pre-shared-key *
tunnel-group 63.240.239.45 type ipsec-l2l
tunnel-group 63.240.239.45 ipsec-attributes
pre-shared-key *
needless to say this is not working, When I try to ping 32.90.100.7 from a machine on the 172.30.5 subnet the ASA device receives it but does not even try to bring up the tunnel. What have I done wrong?
Joseph
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
demory1210 Fri, 09/10/2010 - 11:41
User Badges:

I have some made the following changes to this config


access-list nat_for_ivans extended permit ip 172.30.5.0 255.255.255.0 host 32.90.100.7



global (INTERNETHUB2) 1 10.99.48.1-10.99.48.254


nat (VLAN1) 1 access-list nat_for_ivans


needless to say

the static command is gone.


also

sho xlate

Global 10.99.48.1 Local 172.30.5.1


which means the nat is working I hope but still no attempt to bring up the p2p

manish arora Fri, 09/10/2010 - 11:58
User Badges:
  • Silver, 250 points or more

Hi,

This configuration seems perfect to me , can you post "sh nat" out as well. Also, make sure the remote end has the configuration up with mirror ACL. no use to doing debugging if the other end doesnot have crypto for you in place.


Thanks

Manish

demory1210 Fri, 09/10/2010 - 12:08
User Badges:

I have no control over the other end but they claim to have it set up. Wouldn't I see attempts at isakmp coming up in the case they weren't configed? Also the section for 172.30.5.0 natting shows no translations. I have a machine with the address 172.30.5.1 pinging the 32.90.100.7 address and I can see it coming into the ASA device.



WE also have the following other nat policies.



access-list VLAN1_nat0_outbound extended permit ip 172.30.0.0 255.255.0.0 209.211.140.0 255.255.255.0

access-list VLAN1_nat0_outbound extended permit ip 172.30.0.0 255.255.0.0 192.168.90.0 255.255.255.0

access-list VLAN1_nat0_outbound extended permit ip 172.30.0.0 255.255.0.0 host 192.168.30.29

access-list VLAN1_nat0_outbound extended permit ip any host 172.30.2.250


access-list VLAN1_nat0_inbound extended permit ip 172.30.0.0 255.255.0.0 209.211.140.0 255.255.255.0

access-list VLAN1_nat0_inbound extended permit ip 172.30.0.0 255.255.0.0 192.168.90.0 255.255.255.0


nat (VLAN1) 0 access-list VLAN1_nat0_outbound

nat (VLAN1) 0 access-list VLAN1_nat0_inbound outside


Could these be catching it first?

thanks


NAT policies on Interface VLAN1:

  match ip VLAN1 172.30.0.0 255.255.0.0 INTERNETHUB2 209.211.140.0 255.255.255.0

    NAT exempt

    translate_hits = 182, untranslate_hits = 683870

  match ip VLAN1 172.30.0.0 255.255.0.0 INTERNETHUB2 192.168.90.0 255.255.255.0

    NAT exempt

    translate_hits = 895165, untranslate_hits = 3409685

  match ip VLAN1 172.30.0.0 255.255.0.0 INTERNETHUB2 host 192.168.30.29

    NAT exempt

    translate_hits = 2209, untranslate_hits = 1406

  match ip VLAN1 any INTERNETHUB2 host 172.30.2.250

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 172.30.0.0 255.255.0.0 DMZ3 209.211.140.0 255.255.255.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 172.30.0.0 255.255.0.0 DMZ3 192.168.90.0 255.255.255.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 172.30.0.0 255.255.0.0 DMZ3 host 192.168.30.29

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 any DMZ3 host 172.30.2.250

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 172.30.0.0 255.255.0.0 VLAN1 209.211.140.0 255.255.255.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 172.30.0.0 255.255.0.0 VLAN1 192.168.90.0 255.255.255.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 172.30.0.0 255.255.0.0 VLAN1 host 192.168.30.29

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 any VLAN1 host 172.30.2.250

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 172.30.0.0 255.255.0.0 VLAN200 209.211.140.0 255.255.255.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 172.30.0.0 255.255.0.0 VLAN200 192.168.90.0 255.255.255.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 172.30.0.0 255.255.0.0 VLAN200 host 192.168.30.29

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 any VLAN200 host 172.30.2.250

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 172.30.0.0 255.255.0.0 VLAN1 209.211.140.0 255.255.255.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 172.30.0.0 255.255.0.0 VLAN1 192.168.90.0 255.255.255.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 172.30.0.0 255.255.0.0 management 209.211.140.0 255.255.255.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 172.30.0.0 255.255.0.0 management 192.168.90.0 255.255.255.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 host 172.30.2.132 INTERNETHUB2 any

    static translation to 74.223.63.186

    translate_hits = 112675, untranslate_hits = 389452

  match ip VLAN1 host 172.30.2.133 INTERNETHUB2 any

    static translation to 74.223.63.187

    translate_hits = 2529, untranslate_hits = 786561

  match ip VLAN1 host 172.30.2.134 INTERNETHUB2 any

    static translation to 74.223.63.188

    translate_hits = 2360, untranslate_hits = 3511557

  match ip VLAN1 host 172.30.2.135 INTERNETHUB2 any

    static translation to 74.223.63.189

    translate_hits = 520, untranslate_hits = 182516

  match ip VLAN1 host 172.30.1.58 DMZ3 any

    static translation to 172.30.1.58

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 host 172.30.2.137 INTERNETHUB2 any

    static translation to 74.223.63.180

    translate_hits = 667, untranslate_hits = 245798

  match ip VLAN1 host 172.30.2.183 INTERNETHUB2 any

    static translation to 74.223.63.185

    translate_hits = 11, untranslate_hits = 9892

  match ip VLAN1 172.30.5.0 255.255.255.0 INTERNETHUB2 host 32.90.100.7

    dynamic translation to pool 1 (10.99.48.1 - 10.99.48.254)

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 172.30.5.0 255.255.255.0 DMZ3 host 32.90.100.7

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 172.30.5.0 255.255.255.0 VLAN1 host 32.90.100.7

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0

  match ip VLAN1 172.30.5.0 255.255.255.0 VLAN200 host 32.90.100.7

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0


NAT policies on Interface management:

  match ip management any INTERNETHUB2 any

    identity NAT translation, pool 0

    translate_hits = 0, untranslate_hits = 0

  match ip management any DMZ3 any

    identity NAT translation, pool 0

    translate_hits = 0, untranslate_hits = 0

  match ip management any VLAN1 any

    identity NAT translation, pool 0

    translate_hits = 0, untranslate_hits = 0

  match ip management any VLAN200 any

    identity NAT translation, pool 0

    translate_hits = 0, untranslate_hits = 0

  match ip management any management any

    identity NAT translation, pool 0

    translate_hits = 0, untranslate_hits = 0

manish arora Fri, 09/10/2010 - 16:16
User Badges:
  • Silver, 250 points or more

I dont see any hits for incoming nat traslation for that policy.

you should capture packets on the interface vlan1 ..to see even if your router is sending traffic to the asa , also make your that router is not natting your internal vlan1 ( 172.30.x.x ) to something else.


so , on asa use this :-


access-list xyz ext per ip 172.30.x.x 255.255.255.0 30.90.x.x any


capture capin access-list xyz int vlan1



sh capture capin



if you do not see any thing in this capture that means the router is the point of issue.



hope it helps

manish

Actions

This Discussion