Problems with VPN and NAT in ASA5520 8.3

Unanswered Question
Sep 28th, 2010

Hi there!

I am trying to configure an ASA 5520 with 8.3 software and I have to configure an IPsec site-to-site VPN. Trying to capture the packets, I see them coming in on the ingress interface but not going out. So the VPN is not coming up and NAT does not seem to work.

This is the configuration I have (without IPs):



interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.122 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address y.y.y.y 255.255.255.0
!
object network NETWORK_OBJ_x.x.x.x
 subnet x.x.x.0 255.255.255.0
object network kpn1
 host d.d.d.d
object network kpn2
 host a.a.a.a
object network Peer_KPN
 host p.p.p.p
object-group network KPN
 description Lan remota KPN
 network-object object kpn1
 network-object object kpn2
object-group service DM_INLINE_UDP_1 udp
 port-object eq isakmp
 port-object eq secureid-udp
access-list outside_1_cryptomap extended permit ip object NETWORK_OBJ_x.x.x.x object-group KPN
access-list outside_access_in extended permit udp object Peer_KPN any object-group DM_INLINE_UDP_1
access-list inside_access_in extended permit ip any any
!
nat (inside,outside) source dynamic NETWORK_OBJ_x.x.x.x interface
nat (inside,outside) source static NETWORK_OBJ_x.x.x.x  destination static KPN
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.121 1
!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer p.p.p.p
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group p.p.p.p type ipsec-l2l
tunnel-group p.p.p.p ipsec-attributes
 pre-shared-key *****
!
I hope this will help.
Thanks!!!!
Overall Rating: 5 (1 ratings)
Jennifer Halim Tue, 09/28/2010 - 19:07

The following static NAT should be changed:

From:

nat (inside,outside) source static NETWORK_OBJ_x.x.x.x  destination static KPN

To:
nat (inside,outside) source static NETWORK_OBJ_x.x.x.x NETWORK_OBJ_x.x.x.x destination static KPN KPN


Then a "clear xlate" after the changes above.


Assuming that you are trying to trigger traffic from the x.x.x.0/24 network towards either d.d.d.d or a.a.a.a.


Hope that helps.
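To make the corrected rule from the reply concrete, here is an added configuration example (it is not from the original poster or the reply) showing the identity twice-NAT statement in the form ASA 8.3 expects, placed ahead of the dynamic PAT rule, since manual NAT rules in section 1 are evaluated top-down and the first match wins. It then lists the commands used to confirm that traffic bound for the remote LAN is exempted from PAT and that the tunnel negotiates. Object names and the p.p.p.p / d.d.d.d placeholders are the ones from the post; the inside host x.x.x.10 and the TCP/80 flow are assumed values for the test.

```cisco
! Added example: identity (no-NAT) rule for VPN traffic in ASA 8.3 twice-NAT syntax.
! "source static A A destination static B B" maps each object to itself, so the
! real addresses are preserved and the flow can match the crypto ACL outside_1_cryptomap.
! Line 1 keeps it ahead of the dynamic PAT rule, which would otherwise translate the
! same traffic to the outside interface address before the identity rule is consulted.
nat (inside,outside) 1 source static NETWORK_OBJ_x.x.x.x NETWORK_OBJ_x.x.x.x destination static KPN KPN
nat (inside,outside) source dynamic NETWORK_OBJ_x.x.x.x interface
!
! Flush existing translations so active flows pick up the new rule.
clear xlate
!
! Verification: assumed inside host x.x.x.10 opening TCP/80 to the remote host d.d.d.d.
! The NAT phase of the trace should report the identity rule, and the VPN phase should
! show the packet being encrypted rather than dropped.
packet-tracer input inside tcp x.x.x.10 12345 d.d.d.d 80
!
! Confirm hit counts on the NAT rules and that the SAs come up once traffic flows.
show nat detail
show crypto isakmp sa
show crypto ipsec sa
```

If the packet-tracer output still shows the dynamic rule in the NAT phase, the identity rule is either below it or its objects do not cover the tested addresses; `show nat detail` lists the rules in evaluation order with their translate hit counts.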
