Site2site with NAT

Jul 2nd, 2013

ASA Version 8.4(4)1


I have a site to site VPN between these sites.

SiteA

192.168.100.0/24

SiteB

192.168.200.0/24


I’m trying to use NAT to connect on different IPs from SiteB to SiteA.

I would like to connect from SiteB to SiteA on IP 192.168.50.0/24 (instead of 192.168.100.0/24), but this doesn’t seem to work.


What should be the local/destination networks on my VPN?

192.168.50.0/24(NAT) or 192.168.100.0/24(REAL)


How should I use NAT on Site A?  I’m not using NAT on SiteB.




This is what I have so far, but from SiteB (192.168.200.0/24) I cannot connect to SiteA on IP 192.168.50.77.


access-list outside_cryptomap_2 extended permit ip 192.168.50.0 255.255.255.0 192.168.200.0 255.255.255.0


nat (inside,outside) source static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 destination static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 no-proxy-arp route-lookup



object network HP-Printer (192.168.100.77)

nat (inside,outside) static HP-Printer-NAT (192.168.50.77)

Jouni Forss Tue, 07/02/2013 - 01:44

Hi,


Have you confirmed that the L2L VPN connection comes up when traffic is generated to the NAT IP address?


To me the NAT configuration seems fine, but then again, without seeing the whole NAT configuration we won't know if there is possibly some NAT configuration that might be overriding it currently.


For testing purposes you could try to use the "packet-tracer" command, which would both confirm that the correct NAT rule is hit and that the L2L VPN connection is fine.


Try issuing the following "packet-tracer" command TWICE and then copy/paste the second output here:


packet-tracer input inside tcp 192.168.100.100 12345 192.168.200.200 3389


The above command is just meant to provide us with some troubleshooting information.


- Jouni

diahvs123 Tue, 07/02/2013 - 02:06

The tunnel seems to be online after I initiate traffic (192.168.200.50 > 192.168.50.77).


Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_in_acl in interface inside
access-list inside_in_acl extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network HP-Printer
nat (inside,outside) static HP-Printer-NAT
Additional Information:
Static translate 192.168.100.77/12345 to 192.168.50.77/12345

Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 74021, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Jouni Forss Tue, 07/02/2013 - 04:33

Hi,


Actually, I think I completely missed the NAT configuration in the original post for some reason.


You have the same "object" twice in the NAT statement, while it should have first the real source and then the mapped source:


nat (inside,outside) source static NETWORK_OBJ_192.168.50.0_24  NETWORK_OBJ_192.168.50.0_24 destination static  NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 no-proxy-arp  route-lookup


This would seem to me to actually use the


NETWORK_OBJ_192.168.50.0_24


As the source "object". You should replace the first NETWORK_OBJ_192.168.50.0_24 with an "object" that contains the 192.168.100.0/24 network.


It might look something like this depending on your "object" names


nat (inside,outside) source static  NETWORK_OBJ_192.168.100.0_24  NETWORK_OBJ_192.168.50.0_24 destination  static  NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24  no-proxy-arp  route-lookup



What this will do is NAT the whole 192.168.100.0/24 network to 192.168.50.0/24


So 192.168.100.77 will be 192.168.50.77


If it still doesn't work, then it would seem to me that something other than NAT must be causing the problems. You could check


show run all sysopt


This would enable us to see if you have a "sysopt" command that might make it so that an ACL rule is required to allow traffic incoming from the remote site.


Hope this helps


- Jouni

pankaj29in Tue, 07/02/2013 - 04:50

Hi Jo,


Why are you using static NAT? We use static for one-to-one mapping, but here you have used a whole subnet??

Please share a rough diagram of this to understand your requirement.


Although we use Twice NAT. As per your query, you want to change the source IP to 192.168.50.0 while going to 192.168.200.0??


Please find below an example:

nat (inside,outside) source dynamic IP_192.168.100.0 (local IP) IP_192.168.50.0 (Global IP) destination dynamic IP_192.168.200.0 IP_192.168.200.0


So when 192.168.100.x accesses 192.168.200.x it will take 192.168.50.x.


Regards

Pankaj

diahvs123 Fri, 07/12/2013 - 02:53

Thanks for your replies. It's working, except for one thing: I can't reach the ASA (192.168.100.250) from IP 192.168.200.0/24. I can reach all other hosts in network 192.168.100.0/24 (by using 192.168.50.0/24).


Any ideas?





This is the configuration:


object network LAN50-NAT

subnet 192.168.50.0 255.255.255.0


object network LAN200

subnet 192.168.200.0 255.255.255.0


access-list outside_cryptomap_2 extended permit ip 192.168.50.0 255.255.255.0 192.168.200.0 255.255.255.0

nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 LAN153-NAT destination static LAN200 LAN200

Jouni Forss Fri, 07/12/2013 - 03:05

Hi,


If you only have one host of the whole 192.168.100.0/24 network that is not reachable by its NAT IP address through the L2L VPN, then I would start looking for the problem on the actual host.


Since we are doing NAT between equal-sized networks, the end of the IP address should always match between the hosts. By accessing 192.168.50.250 you should be forwarded to 192.168.100.250.


Naturally, when the L2L VPN connection is up you can try and see if the "packet-tracer" would tell anything:


packet-tracer input outside tcp 192.168.200.x 12345 192.168.50.250


And post the output here.


If the IP address 192.168.100.250 is the interface IP address of the ASA, then these connections are supposed to fail. The only connections you can take from behind one interface (outside) to another interface (inside) are management connections, if you enable them with the command


management-access inside


Please remember to mark a reply as the correct answer if it answered your question.


- Jouni

diahvs123 Fri, 07/12/2013 - 03:46

Hi Jouni,


I already tried to add management-access inside, and added 192.168.200.0/24 to the management addresses but unfortunately it does not work.





packet-tracer input outside tcp 192.168.200.50 12345 192.168.100.250



Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 LAN50 destination static LAN200 LAN200
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.50.250/12345 to 192.168.100.250/12345

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Jouni Forss Fri, 07/12/2013 - 04:24

Hi,


Your destination address is the real IP address and not the NAT IP address. You need to use the NAT IP address of 192.168.50.250 as the destination IP address as the connection will be coming towards that IP address.


Also, you could try changing the current NAT rule a bit:


no nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 LAN153-NAT destination static LAN200 LAN200


nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 LAN153-NAT destination static LAN200 LAN200 route-lookup


- Jouni

diahvs123 Fri, 07/12/2013 - 04:36

Sorry, wrong trace. This is the correct one:


When I try to change the NAT rule:

ERROR: Option route-lookup is only allowed for static identity case




packet-tracer input outside tcp 192.168.200.50 12345 192.168.50.250



Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 LAN50 destination static LAN200 LAN200
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.50.250/12345 to 192.168.100.250/12345

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Jouni Forss Fri, 07/12/2013 - 04:42

Oh right,


Forgot that it can't be used here.


The setup where this should work is when you are NOT doing NAT for your local network and the network which holds the ASA's "inside" interface IP address.


Then again, Cisco also states that you should NOT configure NAT for your interface IP address, which this will do.


So it might even be that with this setup it is not possible with this NAT configuration.



The thing I would test, if possible, would be to exempt the ASA "inside" interface IP address from the NAT completely. But this would require adding it to the L2L VPN ACL also, and I don't know if this is possible. If the reason for this NAT was overlapping networks between sites, then it naturally wouldn't be possible.


The configuration I was thinking of was:


object network ASA-INSIDE

host 192.168.100.250


object network REMOTE-LAN

subnet 192.168.200.0 255.255.255.0


nat (inside,outside) 1 source static ASA-INSIDE ASA-INSIDE destination static REMOTE-LAN REMOTE-LAN route-lookup


But as I said, you would also have to add


access-list outside_cryptomap_2 extended permit ip host 192.168.100.250 192.168.200.0 255.255.255.0


And the remote end would have to add the counterpart for this ACL.


- Jouni
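As an added illustration (not from the thread, and not Cisco's code), here is a small Python model of the static twice-NAT rules discussed above: it flags the identity form Jouni pointed out in the original rule, computes the mapped host for equal-sized networks (192.168.100.77 becomes 192.168.50.77), checks that the crypto ACL names the mapped networks, and shows how an identity rule placed first, as in the ASA-INSIDE suggestion, exempts the interface address from the subnet rule. The OBJECTS table is constructed from the object names in the thread; this is a simplified model of ASA NAT evaluation, not the firewall's real logic.

```python
import ipaddress
import re

# Constructed object table using the thread's object names (not the poster's full config).
OBJECTS = {
    "NETWORK_OBJ_192.168.100.0_24": ipaddress.ip_network("192.168.100.0/24"),
    "NETWORK_OBJ_192.168.50.0_24": ipaddress.ip_network("192.168.50.0/24"),
    "NETWORK_OBJ_192.168.200.0_24": ipaddress.ip_network("192.168.200.0/24"),
    "ASA-INSIDE": ipaddress.ip_network("192.168.100.250/32"),
}

# nat (in,out) [position] source static REAL MAPPED destination static REAL MAPPED [options]
NAT_RE = re.compile(r"nat\s+\((\w+),(\w+)\)\s+(?:\d+\s+)?source\s+static\s+(\S+)\s+(\S+)"
                    r"\s+destination\s+static\s+(\S+)\s+(\S+)")

def parse_twice_nat(line):
    """Return (real_src, mapped_src, real_dst, mapped_dst) as ip_network objects."""
    m = NAT_RE.search(line)
    if not m:
        raise ValueError("not a static twice-NAT rule: " + line)
    return tuple(OBJECTS[name] for name in m.groups()[2:])

def is_identity(rule):
    """True when real and mapped source are the same object: nothing gets translated."""
    return rule[0] == rule[1]

def translate_source(rule, host):
    """Mapped address for a real host, or None if the rule does not cover it.
    Equal-sized networks keep the host part: 192.168.100.77 -> 192.168.50.77."""
    real_src, mapped_src = rule[0], rule[1]
    host = ipaddress.ip_address(host)
    if host not in real_src:
        return None
    if real_src.prefixlen != mapped_src.prefixlen:
        raise ValueError("static network NAT needs equal-sized real and mapped networks")
    offset = int(host) - int(real_src.network_address)
    return ipaddress.ip_address(int(mapped_src.network_address) + offset)

def first_match(rules, host):
    """Manual NAT rules are evaluated top-down, first match wins (simplified model)."""
    for rule in rules:
        mapped = translate_source(rule, host)
        if mapped is not None:
            return mapped
    return ipaddress.ip_address(host)  # no rule covers the host: address unchanged

def crypto_acl_matches(rule, acl_src, acl_dst):
    """The L2L crypto ACL must name the mapped (post-NAT) source and mapped destination."""
    return ipaddress.ip_network(acl_src) == rule[1] and ipaddress.ip_network(acl_dst) == rule[3]
```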
