
Site2site with NAT

diahvs123
Level 1

ASA Version 8.4(4)1

I have a site to site VPN between these sites.

SiteA

192.168.100.0/24

SiteB

192.168.200.0/24

I’m trying to use NAT so that SiteB connects to SiteA on different IPs.

I would like to connect from SiteB to SiteA on IP 192.168.50.0/24 (instead of 192.168.100.0/24), but this doesn’t seem to work.

What should be the local/destination networks on my VPN?

192.168.50.0/24(NAT) or 192.168.100.0/24(REAL)

How should I use NAT on Site A? I’m not using NAT on SiteB.

This is what I have so far, but from SiteB (192.168.200.0/24) I cannot connect to SiteA on IP 192.168.50.77.

access-list outside_cryptomap_2 extended permit ip 192.168.50.0 255.255.255.0 192.168.200.0 255.255.255.0

nat (inside,outside) source static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 destination static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 no-proxy-arp route-lookup

object network HP-Printer (192.168.100.77)

nat (inside,outside) static HP-Printer-NAT (192.168.50.77)


Jouni Forss
VIP Alumni

Hi,

Have you confirmed that the L2L VPN connection comes up when traffic is generated to the NAT IP address?

To me the NAT configuration seems fine, but then again without seeing the whole NAT configuration we won't know if there is possibly some other NAT configuration that is overriding it currently.

For testing purposes you could try to use the "packet-tracer" command, which would both confirm that the correct NAT rule is hit and that the L2L VPN connection is fine.

Try issuing the following "packet-tracer" command TWICE and then copy/paste the second output here:

packet-tracer input inside tcp 192.168.100.100 12345 192.168.200.200 3389

The above command is just meant to provide us with some troubleshooting information.

- Jouni

The tunnel seems to be online after I initiate traffic (192.168.200.50 > 192.168.50.77).

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_in_acl in interface inside
access-list inside_in_acl extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network HP-Printer
nat (inside,outside) static HP-Printer-NAT
Additional Information:
Static translate 192.168.100.77/12345 to 192.168.50.77/12345

Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 74021, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Hi,

Actually I think I completely missed the NAT configuration in the original post for some reason.

You have the same "object" twice in the NAT statement, while it should have first the real source and then the mapped source:

nat (inside,outside) source static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 destination static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 no-proxy-arp route-lookup

This would seem to me to actually use NETWORK_OBJ_192.168.50.0_24 as the source "object". You should replace the first NETWORK_OBJ_192.168.50.0_24 with an "object" that contains the 192.168.100.0/24 network.

It might look something like this, depending on your "object" names:

nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.50.0_24 destination static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 no-proxy-arp route-lookup

What this will do is NAT the whole 192.168.100.0/24 network to 192.168.50.0/24.

So 192.168.100.77 will be 192.168.50.77.

If it still doesn't work, then it would seem to me that something other than NAT must be causing the problems. You could check

show run all sysopt

This would enable us to see if you have a "sysopt" command that might make it so that an ACL rule is required to allow traffic incoming from the remote site.

Hope this helps

- Jouni
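As an added illustration (not part of the thread, and not ASA code), a small Python model of the two packet-tracer phases that matter here: the outbound NAT phase, then the VPN encrypt check against the crypto-map ACL. It shows why the rule with the same object twice never matches a 192.168.100.0/24 source, that the corrected rule keeps the host part (192.168.100.77 becomes 192.168.50.77), and the UN-NAT direction for 192.168.50.250. The rule-ordering and ACL-matching logic is a simplified assumption, and all sample addresses are constructed from the thread.

```python
import ipaddress


class TwiceNatRule:
    """Model of one ASA twice-NAT line:
    nat (inside,outside) source static REAL MAPPED destination static DST DST
    Static net-to-net NAT keeps the host bits, so REAL and MAPPED must be equal-sized."""

    def __init__(self, real_src, mapped_src, dst):
        self.real_src = ipaddress.ip_network(real_src)
        self.mapped_src = ipaddress.ip_network(mapped_src)
        self.dst = ipaddress.ip_network(dst)
        assert self.real_src.prefixlen == self.mapped_src.prefixlen

    @staticmethod
    def _shift(addr, from_net, to_net):
        # Keep the host part, swap the network part.
        host_part = int(addr) - int(from_net.network_address)
        return str(ipaddress.ip_address(int(to_net.network_address) + host_part))

    def translate(self, src, dst):
        """Outbound (inside -> outside): rewrite the source only if src AND dst match."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src not in self.real_src or dst not in self.dst:
            return None
        return self._shift(src, self.real_src, self.mapped_src)

    def untranslate(self, mapped_dst, src):
        """Inbound (outside -> inside), the packet-tracer UN-NAT phase: mapped -> real."""
        mapped_dst, src = ipaddress.ip_address(mapped_dst), ipaddress.ip_address(src)
        if mapped_dst not in self.mapped_src or src not in self.dst:
            return None
        return self._shift(mapped_dst, self.mapped_src, self.real_src)


def crypto_acl_permits(acl, src, dst):
    """acl: list of (src_net, dst_net) strings, i.e. the crypto map's 'permit ip' lines."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d) for s, d in acl)


def outbound_trace(rules, acl, src, dst):
    """NAT phase then VPN encrypt phase; first matching rule wins (assumed, like the NAT table order)."""
    mapped = next((m for m in (r.translate(src, dst) for r in rules) if m is not None), src)
    return mapped, crypto_acl_permits(acl, mapped, dst)


if __name__ == "__main__":
    # Constructed sample: the thread's broken rule (same object twice) beside the corrected one.
    broken = TwiceNatRule("192.168.50.0/24", "192.168.50.0/24", "192.168.200.0/24")
    fixed = TwiceNatRule("192.168.100.0/24", "192.168.50.0/24", "192.168.200.0/24")
    crypto_acl = [("192.168.50.0/24", "192.168.200.0/24")]  # crypto ACL lists the mapped network
    print(outbound_trace([broken], crypto_acl, "192.168.100.77", "192.168.200.50"))  # ('192.168.100.77', False)
    print(outbound_trace([fixed], crypto_acl, "192.168.100.77", "192.168.200.50"))   # ('192.168.50.77', True)
    print(fixed.untranslate("192.168.50.250", "192.168.200.50"))                     # 192.168.100.250
```

The second result shows the source leaving as the mapped address that the crypto ACL expects; with the broken rule the packet leaves untranslated and is never matched for encryption.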

Hi Jo,

Why are you using static NAT? We use static NAT for one-to-one mapping, but here you have used a whole subnet.

Please share a rough diagram of this so we can understand your requirement.

Although we use twice NAT. As per your query, you want to change the source IP to 192.168.50.0 while going to 192.168.200.0?

Please find an example below:

nat (inside,outside) source dynamic IP_192.168.100.0 (local IP) IP_192.168.50.0 (Global IP) destination dynamic IP_192.168.200.0 IP_192.168.200.0

So when 192.168.100.x accesses 192.168.200.x, it will use 192.168.50.x.

Regards

Pankaj

diahvs123
Level 1

Thanks for your replies. It's working, except for one thing: I can't reach the ASA (192.168.100.250) from 192.168.200.0/24. I can reach all other hosts in network 192.168.100.0/24 (by using 192.168.50.0/24).

Any ideas?

This is the configuration:

object network LAN50-NAT

subnet 192.168.50.0 255.255.255.0

object network LAN200

subnet 192.168.200.0 255.255.255.0

access-list outside_cryptomap_2 extended permit ip 192.168.50.0 255.255.255.0 192.168.200.0 255.255.255.0

nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 LAN153-NAT destination static LAN200 LAN200

Hi,

If you only have one host of the whole 192.168.100.0/24 network that is not reachable by its NAT IP address through the L2L VPN then I would start looking for the problem on the actual host.

Since we are doing NAT between equal-sized networks, the end of the IP address should always match between the hosts. By accessing 192.168.50.250 you should be forwarded to 192.168.100.250.

Naturally, when the L2L VPN connection is up you can try and see if the "packet-tracer" would tell anything:

packet-tracer input outside tcp 192.168.200.x 12345 192.168.50.250

And post the output here.

If the IP address 192.168.100.250 is the interface IP address of the ASA, then these connections are supposed to fail. The only connections you can make from behind one interface (outside) to another interface (inside) are management connections, if you enable them with the command

management-access inside

Please remember to mark a reply as the correct answer if it answered your question.

- Jouni

Hi Jouni,

I already tried to add management-access inside, and added 192.168.200.0/24 to the management addresses but unfortunately it does not work.

packet-tracer input outside tcp 192.168.200.50 12345 192.168.100.250

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 LAN50 destination static LAN200 LAN200
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.50.250/12345 to 192.168.100.250/12345

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

Your destination address is the real IP address and not the NAT IP address. You need to use the NAT IP address of 192.168.50.250 as the destination IP address as the connection will be coming towards that IP address.

Also, you could try changing the current NAT rule a bit:

no nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 LAN153-NAT destination static LAN200 LAN200

nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 LAN153-NAT destination static LAN200 LAN200 route-lookup

- Jouni

Sorry, wrong trace. This is the correct one.

When I try to change the NAT rule:

ERROR: Option route-lookup is only allowed for static identity case

packet-tracer input outside tcp 192.168.200.50 12345 192.168.50.250

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 LAN50 destination static LAN200 LAN200
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.50.250/12345 to 192.168.100.250/12345

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Oh right,

Forgot that it can't be used here.

The setup where this should work is when you are NOT doing NAT for your local network, the network which holds the ASA's "inside" interface IP address.

Then again, Cisco also states that you should NOT configure NAT for your interface IP address, which this will do.

So it might even be that with this setup it is not possible with this NAT configuration.

The thing I would test, if possible, would be to exempt the ASA "inside" interface IP address from the NAT completely. But this would require adding it to the L2L VPN ACL also, and I don't know if this is possible. If the reason for this NAT was overlapping networks between sites, then it naturally wouldn't be possible.

The configuration I was thinking of was:

object network ASA-INSIDE

host 192.168.100.250

object network REMOTE-LAN

subnet 192.168.200.0 255.255.255.0

nat (inside,outside) 1 source static ASA-INSIDE ASA-INSIDE destination static REMOTE-LAN REMOTE-LAN route-lookup

But as I said, you would also have to add

access-list outside_cryptomap_2 extended permit ip host 192.168.100.250 192.168.200.0 255.255.255.0

And the remote end would have to add the counterpart for this ACL.

- Jouni

Hi,

If I understand your problem and it is what I think it is, then my friend, here is a link that will both help teach you how to do it yourself and solve your issue... it helped me!!

http://www.youtube.com/watch?v=ARTXlo2hFQ0
