07-02-2013 01:38 AM
ASA Version 8.4(4)1
I have a site to site VPN between these sites.
SiteA
192.168.100.0/24
SiteB
192.168.200.0/24
I’m trying to use NAT so that SiteB connects to SiteA on different IPs.
I would like to connect from SiteB to SiteA on IP 192.168.50.0/24 (instead of 192.168.100.0/24), but this doesn't seem to work.
What should be the local/destination networks on my VPN?
192.168.50.0/24(NAT) or 192.168.100.0/24(REAL)
How should I use NAT on Site A? I’m not using NAT on SiteB.
This is what I have so far, but from SiteB (192.168.200.0/24) I cannot connect to SiteA on IP 192.168.50.77.
access-list outside_cryptomap_2 extended permit ip 192.168.50.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 destination static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 no-proxy-arp route-lookup
object network HP-Printer (192.168.100.77)
nat (inside,outside) static HP-Printer-NAT (192.168.50.77)
07-02-2013 01:44 AM
Hi,
Have you confirmed that the L2L VPN connection comes up when traffic is generated to the NAT IP address?
To me the NAT configuration seems fine, but then again without seeing the whole NAT configuration we won't know if there is possibly some NAT configuration that might be overriding it currently.
For testing purposes you could try to use the "packet-tracer" command, which would both confirm that the correct NAT rule is hit and that the L2L VPN connection is fine.
Try issuing the following "packet-tracer" command TWICE and then copy/paste the second output here:
packet-tracer input inside tcp 192.168.100.100 12345 192.168.200.200 3389
The above command is just meant to provide us with some troubleshooting information.
- Jouni
07-02-2013 02:06 AM
The tunnel seems to be online after I initiate traffic (192.168.200.50 > 192.168.50.77).
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_in_acl in interface inside
access-list inside_in_acl extended permit ip any any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network HP-Printer
nat (inside,outside) static HP-Printer-NAT
Additional Information:
Static translate 192.168.100.77/12345 to 192.168.50.77/12345
Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 74021, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
07-02-2013 04:33 AM
Hi,
Actually I think I completely missed the NAT configuration in the original post for some reason.
You have the same "object" twice in the NAT statement, while it should have first the real source and then the mapped source:
nat (inside,outside) source static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 destination static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 no-proxy-arp route-lookup
This would seem to me to actually use
NETWORK_OBJ_192.168.50.0_24
as the source "object". You should replace the first NETWORK_OBJ_192.168.50.0_24 with an "object" that contains the 192.168.100.0/24 network.
It might look something like this, depending on your "object" names:
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.50.0_24 destination static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 no-proxy-arp route-lookup
What this will do is NAT the whole 192.168.100.0/24 network to 192.168.50.0/24.
So 192.168.100.77 will be 192.168.50.77.
If it still doesn't work then it would seem to me that something other than NAT must be causing the problems. You could check
show run all sysopt
This would enable us to see if you have a "sysopt" command that might make it so that an ACL rule is required to allow traffic incoming from the remote site.
Hope this helps
- Jouni
07-02-2013 04:50 AM
Hi Jo,
Why are you using static NAT, as we use static for one-to-one mapping, while here you have used a whole subnet??
Please share a rough diagram of this to understand your requirement.
Although we use Twice NAT. As per your query you want to change the source IP to 192.168.50.0 while going to 192.168.200.0??
Please find below an example:
nat (inside,outside) source dynamic IP_192.168.100.0 IP_192.168.50.0 destination static IP_192.168.200.0 IP_192.168.200.0
(IP_192.168.100.0 is the local IP, IP_192.168.50.0 the global IP)
So when 192.168.100.x accesses 192.168.200.x it will take 192.168.50.x.
Regards
Pankaj
07-12-2013 02:53 AM
Thanks for your replies. It's working, except for one thing: I can't reach the ASA (192.168.100.250) from IP 192.168.200.0/24. I can reach all other hosts in network 192.168.100.0/24 (by using 192.168.50.0/24).
Any ideas?
This is the configuration:
object network LAN50-NAT
subnet 192.168.50.0 255.255.255.0
object network LAN200
subnet 192.168.200.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.50.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 LAN153-NAT destination static LAN200 LAN200
07-12-2013 03:05 AM
Hi,
If you only have one host of the whole 192.168.100.0/24 network that is not reachable by its NAT IP address through the L2L VPN, then I would start looking for the problem on the actual host.
Since we are doing NAT between equal-sized networks, the end of the IP address should always match between the hosts. By accessing 192.168.50.250 you should be forwarded to 192.168.100.250.
Naturally, when the L2L VPN connection is up you can try and see if the "packet-tracer" would tell anything:
packet-tracer input outside tcp 192.168.200.x 12345 192.168.50.250
And post the output here.
If the IP address 192.168.100.250 is the interface IP address of the ASA, then these connections are supposed to fail. The only connections you can make from behind one interface (outside) to another interface (inside) are management connections, if you enable them with the command
management-access inside
Please remember to mark a reply as the correct answer if it answered your question.
- Jouni
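As an added example (not code from the thread), the net-to-net static NAT discussed in Jouni's two replies above, checked in Python: it parses a twice-NAT "source static" line, flags the same-object-twice mistake, and translates host addresses between the equal-sized real and mapped networks (192.168.100.x <-> 192.168.50.x). The object contents are assumed from the object names used in the thread.

```python
import ipaddress
import re

# Object contents assumed from the thread's object names (constructed for this example).
OBJECTS = {
    "NETWORK_OBJ_192.168.100.0_24": ipaddress.ip_network("192.168.100.0/24"),
    "NETWORK_OBJ_192.168.50.0_24": ipaddress.ip_network("192.168.50.0/24"),
    "NETWORK_OBJ_192.168.200.0_24": ipaddress.ip_network("192.168.200.0/24"),
}

# ASA 8.3+ twice-NAT: nat (real_ifc,mapped_ifc) source static REAL MAPPED destination static REAL MAPPED ...
NAT_RE = re.compile(
    r"nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)"
)


def translate(host, from_net, to_net):
    """Net-to-net static NAT keeps the host part, so 192.168.100.77 -> 192.168.50.77.
    Works in both directions: pass (mapped_net, real_net) to untranslate inbound traffic."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("real and mapped networks must be the same size")
    host = ipaddress.ip_address(host)
    if host not in from_net:
        raise ValueError(f"{host} is not inside {from_net}")
    offset = int(host) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


def check_rule(line, src_host, dst_host):
    """Evaluate one twice-NAT line for an outbound flow src_host -> dst_host."""
    m = NAT_RE.match(line.strip())
    if not m:
        raise ValueError("not a 'source static ... destination static' twice-NAT line")
    real_src, mapped_src, real_dst, mapped_dst = (OBJECTS[n] for n in m.groups()[2:])
    src, dst = ipaddress.ip_address(src_host), ipaddress.ip_address(dst_host)
    if src not in real_src or dst not in real_dst:
        # The original post had the mapped object in the real-source slot, so real
        # 192.168.100.x traffic never matched the rule.
        return {"matches": False, "reason": f"{src}->{dst} is outside {real_src}->{real_dst}"}
    return {
        "matches": True,
        "identity": real_src == mapped_src,  # identity NAT rewrites nothing
        "translated_src": str(translate(src, real_src, mapped_src)),
        # The L2L VPN crypto ACL must reference the mapped (post-NAT) network.
        "crypto_acl_local": str(mapped_src),
    }
```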
07-12-2013 03:46 AM
Hi Jouni,
I already tried to add management-access inside, and added 192.168.200.0/24 to the management addresses but unfortunately it does not work.
packet-tracer input outside tcp 192.168.200.50 12345 192.168.100.250
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 LAN50 destination static LAN200 LAN200
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.50.250/12345 to 192.168.100.250/12345
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
07-12-2013 04:24 AM
Hi,
Your destination address is the real IP address and not the NAT IP address. You need to use the NAT IP address of 192.168.50.250 as the destination IP address as the connection will be coming towards that IP address.
Also you could try changing the current NAT rule a bit:
no nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 LAN153-NAT destination static LAN200 LAN200
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 LAN153-NAT destination static LAN200 LAN200 route-lookup
- Jouni
07-12-2013 04:36 AM
Sorry, wrong trace. This is the correct one:
When I try to change the NAT rule:
ERROR: Option route-lookup is only allowed for static identity case
packet-tracer input outside tcp 192.168.200.50 12345 192.168.50.250
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 LAN50 destination static LAN200 LAN200
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.50.250/12345 to 192.168.100.250/12345
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
07-12-2013 04:42 AM
Oh right,
Forgot that it can't be used here.
The setup where this should work is when you are NOT doing NAT for your local network, the network which holds the ASA's "inside" interface IP address.
Then again, Cisco also states that you should NOT configure NAT for your interface IP address, which this will do.
So it might even be that with this setup it is not possible with this NAT configuration.
The thing I would test, if possible, would be to exempt the ASA "inside" interface IP address from the NAT completely. But this would require adding it to the L2L VPN ACL also, and I don't know if this is possible. If the reason for this NAT was overlapping networks between sites then it naturally wouldn't be possible.
The configuration I was thinking of was:
object network ASA-INSIDE
host 192.168.100.250
object network REMOTE-LAN
subnet 192.168.200.0 255.255.255.0
nat (inside,outside) 1 source static ASA-INSIDE ASA-INSIDE destination static REMOTE-LAN REMOTE-LAN route-lookup
But as I said, you would also have to add
access-list outside_cryptomap_2 extended permit ip host 192.168.100.250 192.168.200.0 255.255.255.0
And the remote end would have to add the counterpart for this ACL.
- Jouni
07-16-2013 02:44 AM
Hi,
If I understand your problem and it is what I think it is, then my friend, here is a link that will both help teach you how to do it yourself and solve your issue...it helped me!!