Cisco Support Community

New Member

ASA Outside NAT Problem!!!

Hi everybody,

My situation is as follows:
My Pre 8.3 ASA is connected to two outside networks: the ISP with security level 0, and a separate agency network with security level 10.  We are having a problem connecting to the agency network from a L2L VPN tunnel coming through the ISP interface.  These VPN branch users can communicate with our entire corporate network and I'm currently using outside-to-outside nat to get them to talk to the internet out the same ISP interface they come in through, but they can't talk to the agency network at all. *All inside users have full communication with the agency network.*  

I receive the following error:
------------------------------
asa1# sh nat outside agency
ERROR: No matching NAT policy found
------------------------------
If I statically nat one user from the VPN branch to one of the agency pool addresses, I have full connectivity between that VPN user and the agency network.
This command makes it work: static (outside,agency) 16x.5x.1x.12x 10.18.1.1

My configuration:
nat (outside) 20 access-list vpn_outside_nat
nat (inside) 0 access-list NONAT
nat (inside) 30 access-list inside_nat_outbound
nat (inside) 20 0.0.0.0 0.0.0.0
global (agency) 20 16x.5x.1x.1x-1x.5x.1x.12x
global (agency) 20 16x.5x.1x.1x
global (outside) 20 20x.1x.2x.1x
global (outside) 10 20x.1x.2x.1x netmask 255.255.255.0
global (outside) 30 20x.1x.2x.1x netmask 255.255.255.255

access-list vpn_outside_nat extended permit ip 10.0.0.0 255.0.0.0 any

access-list NONAT extended permit ip any 10.0.0.0 255.0.0.0

access-list inside_nat_outbound extended permit ip host 192.168.1.12 any

Please let me know if you need any more information to help.  I appreciate any answers!  
Thanks!

32 REPLIES
New Member

If I'm reading this correctly

If I'm reading this correctly you are trying to connect two VPN sites through the same interface.

try: (config)#same-security-traffic permit intra-interface

this allows communication between peers connected to the same interface

New Member

Thanks for the reply.  That

Thanks for the reply.  That isn't what I'm trying to accomplish, though.  That particular part already works just fine. These are two different interfaces (outside, sec.=0, agency, sec.=10).  The issue is that the VPN users on the outside interface can't communicate with the users in the agency network.

VIP Green

Are the VPN users connecting

Are the VPN users connecting over a site to site VPN or is this a remote access VPN solution?

Is the agency network traffic coming in on the agency interface? If so then you are missing a no nat statement for that interface.

If that doesn't work, please post a network diagram indicating how the agency network and VPN network connects to the ASA.

Also run a packet tracer while the VPN user PC is connect to the VPN and post the results here.

packet-tracer input agency tcp <agency IP> 12345 <VPN IP> 80 detail

--

Please remember to select a correct answer and rate helpful posts

-- Please remember to rate and select a correct answer
New Member

The VPN users are connecting

The VPN users are connecting over a site to site VPN from a 1841 to the ASA.

I tried the no nat statement for the agency interface, and still no communication.  I even tried a dynamic nat statement for it, and still nothing.

 

Here's the output of the packet-tracer:

asa1# packet- input agency tcp 1xx.5x.3x.1x 12345 10.18.1.1 80 det

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_agency in interface agency
access-list acl_agency extended permit ip host 1xx.5x.3x.1x 10.0.0.0 255.0.0.0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb954718, priority=12, domain=permit, deny=false
        hits=1, user_data=0xcbf4fc78, cs_id=0x0, flags=0x0, protocol=0
        src ip=1xx.5x.3x.1x, mask=255.255.255.255, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc88014f8, priority=0, domain=permit-ip-option, deny=true
        hits=496265, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb8c98b0, priority=70, domain=inspect-http, deny=false
        hits=20, user_data=0xcb8c8fb0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=80

Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xcc99ae50, priority=70, domain=encrypt, deny=false
        hits=35412, user_data=0x132f3dac, cs_id=0xd4f14878, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.18.0.0, mask=255.255.0.0, port=0

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd06f1c50, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=38406, user_data=0x132f6b24, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.18.0.0, mask=255.255.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (outside) 20 access-list vpn_outside_nat
  match ip outside 10.0.0.0 255.0.0.0 outside any
    dynamic translation to pool 20 (2x.1x.2x.1x)
    translate_hits = 80054, untranslate_hits = 7242
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd4f0e198, priority=2, domain=host, deny=false
        hits=265627, user_data=0xcd09b6d8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.0.0.0, mask=255.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xc87f2bc0, priority=0, domain=permit-ip-option, deny=true
        hits=864567193, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1039870772, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Result:
input-interface: agency
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

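A small parser for this packet-tracer format, added here as an example and not part of the thread: it splits the output into phases, pulls out the trailing Result block, and reports which NAT rule governs the flow, treating a NAT-EXEMPT phase as overriding a later NAT host-limits phase (the point later replies in this thread make). The sample output is constructed, modelled on the tracer above with documentation addresses (198.51.100.x, 203.0.113.x) in place of the masked ones.

```python
"""Parse ASA packet-tracer output into phases and summarise the NAT decision.
Added example; SAMPLE is constructed, not the thread's exact output."""
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


def parse_packet_tracer(text: str):
    """Return (phases, final): the numbered phases and the trailing Result block."""
    phases, final = [], {}
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("Phase:"):
            cur = Phase(int(line.split(":", 1)[1]))
            phases.append(cur)
            section = None
            continue
        if line == "Result:":               # bare header starts the final summary block
            cur, section = None, "final"
            continue
        if section == "final":
            key, _, val = line.partition(":")
            final[key.strip()] = val.strip()
            continue
        if cur is None:                     # command echo or other preamble
            continue
        if line.startswith("Type:"):
            cur.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):    # "Result: ALLOW" inside a phase
            cur.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            cur.config.append(line)
        elif section == "info":
            cur.info.append(line)
    return phases, final


def _first_rule(phases):
    """First nat/static command echoed in the Config: section of these phases."""
    for p in phases:
        for c in p.config:
            if c.startswith(("nat ", "static ")):
                return c
    return None


def _pool(phases):
    """(pool id, pool address) from a 'dynamic translation to pool N (addr)' line."""
    for p in phases:
        for c in p.config:
            m = re.search(r"pool (\d+) \(([^)]+)\)", c)
            if m:
                return m.group(1), m.group(2)
    return None


def nat_summary(phases):
    """Which rule wins: a NAT-EXEMPT phase means no translation even if a later
    NAT (host-limits) phase echoes a dynamic rule and its pool."""
    exempt = [p for p in phases if p.type == "NAT-EXEMPT" and p.result == "ALLOW"]
    dynamic = [p for p in phases if p.type == "NAT" and p.result == "ALLOW"]
    if exempt:
        return {"translated": False, "rule": _first_rule(exempt),
                "also_matched": [_first_rule([p]) for p in dynamic], "pool": _pool(dynamic)}
    if dynamic:
        return {"translated": True, "rule": _first_rule(dynamic),
                "also_matched": [], "pool": _pool(dynamic)}
    return {"translated": False, "rule": None, "also_matched": [], "pool": None}


# Constructed sample (abridged), not the thread's output.
SAMPLE = """asa1# packet-tracer input agency tcp 198.51.100.10 12345 10.18.1.1 80 detail

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_agency in interface agency
access-list acl_agency extended permit ip host 198.51.100.10 10.0.0.0 255.0.0.0
Additional Information:

Phase: 3
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (agency) 0 access-list NONAT
  match ip agency any outside 10.0.0.0 255.0.0.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 1
Additional Information:

Phase: 4
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (outside) 20 access-list vpn_outside_nat
  match ip outside 10.0.0.0 255.0.0.0 outside any
    dynamic translation to pool 20 (203.0.113.190)
    translate_hits = 204581, untranslate_hits = 26424
Additional Information:

Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1048522497, packet dispatched to next module

Result:
input-interface: agency
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
"""

if __name__ == "__main__":
    phases, final = parse_packet_tracer(SAMPLE)
    for p in phases:
        print(f"{p.number:2} {p.type:<14} {p.subtype:<12} {p.result}")
    print(final["input-interface"], "->", final["output-interface"], final["Action"])
    print(nat_summary(phases))
```

Paste real `packet-tracer ... detail` output into `parse_packet_tracer` to get the same per-phase table; `nat_summary` is where you check whether an exemption silently wins over the dynamic rule the tracer also lists.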
VIP Green

From the output of the packet

From the output of the packet tracer I would say that the problem is at the remote s2s vpn device.  The packet is allowed and it is entering and exiting the correct interfaces.

Have a look at the remote device, if you have admin access to it, that is. Otherwise ask the administrators of the remote site to check their configuration, more specifically their no nat statements and the crypto ACLs.

--

Please remember to select a correct answer and rate helpful posts

New Member

I've looked at the remote

I've looked at the remote 1841 and everything looks fine.  There is no nat being performed at all, because it is used strictly for VPN access, and the crypto ACLs specify that anything coming from 10.18.0.0 (that branch's subnet) should be placed in the tunnel.

Traffic flows from this VPN network to ANYWHERE else just fine (inside and outside) through our ASA.  It just doesn't go to the agency network.

VIP Green

Could you please post a

Could you please post a network diagram of how this solution connects together.

How are you testing the connectivity over the VPN?

On the ASA...and on the 1841 router issue the command show crypto ipsec sa and show crypto isakmp (the isakmp command might differ on the ASA depending on the version you are running).

Please post a full running config of both sides of the tunnel (sanitised) as well.

--

Please remember to select a correct answer and rate helpful posts

New Member

I've attached a small diagram

I've attached a small diagram illustrating the network.  

To test connectivity from the VPN, I'm simply pinging from a client on that network to a client on the agency network.  The VPN clients are private addresses and the agency network is all public addresses.

Here's the output on the 1841:

xxxx-xx-1841#sh crypto ipsec sa

interface: FastEthernet0/0/0
    Crypto map tag: CRYPTO-MAP, local addr 2xx.1xx.2xx.2xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.18.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 2xx.1xx.2xx.1xx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 43532623, #pkts encrypt: 43532623, #pkts digest: 43532623
    #pkts decaps: 45942079, #pkts decrypt: 45942079, #pkts verify: 45942079
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2150, #recv errors 8

     local crypto endpt.: 2xx.1xx.2xx.2xx, remote crypto endpt.: 2xx.1xx.2xx.1xx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0/0
     current outbound spi: 0x636A5937(1667914039)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xFDEEF343(4260295491)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2263, flow_id: FPGA:263, sibling_flags 80000046, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4417816/3413)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x636A5937(1667914039)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2264, flow_id: FPGA:264, sibling_flags 80000046, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4427473/3413)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


Here's the output on the ASA:

asa1# sh crypto isakmp

   Active SA: 9
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 9


5   IKE Peer: 2xx.1xx.2xx.2xx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Global IKE Statistics
Active Tunnels: 8
Previous Tunnels: 11083
In Octets: 4196166801
In Packets: 1330363
In Drop Packets: 580269
In Notifys: 104767
In P2 Exchanges: 54915
In P2 Exchange Invalids: 107
In P2 Exchange Rejects: 42300
In P2 Sa Delete Requests: 19
Out Octets: 159932732
Out Packets: 1428588
Out Drop Packets: 2343
Out Notifys: 631581
Out P2 Exchanges: 21275
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 29494
Initiator Tunnels: 109440
Initiator Fails: 108383
Responder Fails: 143692
System Capacity Fails: 0
Auth Fails: 143040
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 394232

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

 

Running-config on 1841:

Building configuration...

Current configuration : 2315 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain lookup source-interface FastEthernet0/1.181
ip name-server 10.1.4.22
ip name-server 192.168.1.53
!
multilink bundle-name authenticated
!
password encryption aes
!
!
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 6 xxx address 2xx.1xx.2xx.1xx
!
!
crypto ipsec transform-set TRANSFORM-SET esp-3des esp-sha-hmac
!
crypto map CRYPTO-MAP 1 ipsec-isakmp
 set peer 2xx.1xx.2xx.1xx
 set transform-set TRANSFORM-SET
 match address VPN-TRAFFIC
!
!
!
!
track 1 interface FastEthernet0/0 line-protocol
!
!
!
interface Loopback1
 no ip address
 shutdown
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.181
 encapsulation dot1Q 181
 ip address 10.18.1.1 255.255.255.0
 ip helper-address 10.1.4.22
 ip helper-address 192.168.1.58
!
interface FastEthernet0/1.182
 encapsulation dot1Q 182
 ip address 10.18.2.1 255.255.255.0
 ip helper-address 10.1.4.22
 ip helper-address 192.168.1.58
!
interface FastEthernet0/0/0
 ip address 2xx.1xx.2xx.2xx 255.255.255.252
 ip access-group block_untrusted_remote in
 duplex auto
 speed auto
 crypto map CRYPTO-MAP
!
interface FastEthernet0/0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 track 1
ip route 0.0.0.0 0.0.0.0 2xx.1xx.2xx.2xx
no ip http server
no ip http secure-server
!
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.18.0.0 0.0.255.255 any
ip access-list extended block_untrusted_remote
 permit ip 2xx.1xx.2xx.1xx 0.0.0.15 any
 permit ip host 2xx.1xx.2xx.2xx host 2xx.1xx.2xx.2xx


Running-config on ASA:

hostname asa1
names
name 192.168.6.0 VLAN6
name 192.168.4.0 VLAN4
name 192.168.5.0 VLAN5
name 192.168.0.0 Inside-subnet
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 2xx.1xx.2xx.178 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.12.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif agency
 security-level 10
 ip address 1xx.5xx.1xx.3 255.255.255.128
!
interface GigabitEthernet0/3
 description DMZ interface
 nameif DMZ2
 security-level 50
 ip address 10.30.30.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 0
 ip address 10.10.10.3 255.255.255.0
!

!
time-range 5:30p
 absolute end 17:30 17 January 2014
!
boot system disk0:/asa803-k8.bin
ftp mode passive

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list acl_agency extended permit ip any host 1xx.5xx.1xx.123
access-list acl_agency extended permit ip host 1xx.5xx.3xx.130 10.0.0.0 255.0.0.0


access-list inside_nat_outbound extended permit ip host 192.168.1.12 any

access-list NONAT extended permit ip any 10.0.0.0 255.0.0.0
access-list l2l_vpn-branch extended permit ip any 10.18.0.0 255.255.0.0
access-list vpn_outside_nat extended permit ip 10.0.0.0 255.0.0.0 any

mtu outside 1500
mtu inside 1500
mtu agency 1500
mtu DMZ2 1500
mtu management 1500
no failover
failover polltime unit 15 holdtime 45
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable outside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400

global (outside) 20 2xx.1xx.2xx.190
global (outside) 10 2xx.1xx.2xx.185 netmask 255.255.255.0
global (outside) 30 2xx.1xx.2xx.184 netmask 255.255.255.255
global (agency) 20 1xx.5xx.1xx.10-1xx.5xx.1xx.122
global (agency) 20 1xx.5xx.1xx.125
nat (outside) 20 access-list vpn_outside_nat
nat (inside) 0 access-list NONAT
nat (inside) 30 access-list inside_nat_outbound
nat (inside) 20 0.0.0.0 0.0.0.0

static (inside,agency) 1xx.5xx.1xx.123 10.1.4.45 netmask 255.255.255.255

access-group acl_out in interface outside
access-group acl_inside in interface inside
access-group acl_agency in interface agency

route inside 10.18.0.0 255.255.0.0 192.168.12.2 1 track 1
route outside 0.0.0.0 0.0.0.0 2xx.1xx.2xx.177 1
route inside 10.1.0.0 255.255.0.0 192.168.12.2 1
route inside 10.2.0.0 255.255.0.0 192.168.12.2 1
route inside 10.3.0.0 255.255.0.0 192.168.12.2 1
route inside 10.4.0.0 255.255.0.0 192.168.12.2 1
route inside 10.5.0.0 255.255.0.0 192.168.12.2 1
route inside 10.6.0.0 255.255.0.0 192.168.12.2 1
route inside 10.7.0.0 255.255.0.0 192.168.12.2 1
route inside 10.8.0.0 255.255.0.0 192.168.12.2 1
route inside 10.9.0.0 255.255.0.0 192.168.12.2 1
route inside 10.10.0.0 255.255.0.0 192.168.12.2 1
route inside 10.11.0.0 255.255.0.0 192.168.12.2 1
route inside 10.12.0.0 255.255.0.0 192.168.12.2 1
route inside 10.13.0.0 255.255.0.0 192.168.12.2 1
route inside 10.14.0.0 255.255.0.0 192.168.12.2 1
route inside 10.16.0.0 255.255.0.0 192.168.12.2 1
route inside 10.17.0.0 255.255.0.0 192.168.12.2 1
route agency 1xx.1xx.1xx.0 255.255.255.0 1xx.5xx.1xx.1 1
route agency 1xx.5xx.3xx.0 255.255.255.0 1xx.5xx.1xx.1 1
route agency 1xx.5xx.6xx.0 255.255.255.0 1xx.5xx.1xx.1 1
route inside 172.16.0.0 255.255.0.0 192.168.12.2 1
route inside 172.17.0.0 255.255.0.0 192.168.12.2 1
route inside 172.19.0.0 255.255.0.0 192.168.12.2 1
route inside 172.31.0.0 255.255.0.0 192.168.12.2 1
route inside 172.32.0.0 255.255.0.0 192.168.12.2 1
route inside 192.168.1.0 255.255.255.0 192.168.12.2 1
route inside 192.168.2.0 255.255.255.0 192.168.12.2 1
route inside 192.168.3.0 255.255.255.0 192.168.12.2 1
route inside VLAN4 255.255.255.0 192.168.12.2 1
route inside VLAN5 255.255.255.0 192.168.12.2 1
route inside VLAN6 255.255.255.0 192.168.12.2 1
route inside 192.168.8.0 255.255.255.0 192.168.12.2 1
route inside 192.168.11.0 255.255.255.0 192.168.12.2 1
route inside 192.168.13.0 255.255.255.0 192.168.12.2 1
route inside 192.168.254.0 255.255.255.0 192.168.12.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy

http server enable
http 10.2.0.0 255.255.0.0 inside
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside

sla monitor 1
 type echo protocol ipIcmpEcho 10.18.1.1 interface inside
 num-packets 3
 timeout 1000
 frequency 3
sla monitor schedule 1 life forever start-time now

crypto ipsec transform-set esp-des esp-des esp-none
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map CHCS 10 match address l2l_vpn-branch
crypto map CHCS 10 set peer 2xx.1xx.2xx.2xx
crypto map CHCS 10 set transform-set ESP-3DES-SHA
crypto map CHCS interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
no crypto isakmp nat-traversal
!
track 1 rtr 1 reachability

management-access management
priority-queue outside
  queue-limit   2000
  tx-ring-limit 15
priority-queue inside
  queue-limit   2000
  tx-ring-limit 15
threat-detection basic-threat
threat-detection statistics

tunnel-group 2xx.1xx.2xx.2xx type ipsec-l2l
tunnel-group 2xx.1xx.2xx.2xx ipsec-attributes
 pre-shared-key *
!

!

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect tftp
  inspect icmp
policy-map global-policy
 class inspection_default
!
service-policy global_policy global

VIP Green

Just out of curiosity, any

Just out of curiosity, any reason why you have this in your configuration on the 1841?

interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 track 1

Should the following command be pointing out the outside interface? Isn't the 1841 located off the outside interface? If so then this is part of the problem. Change it to point out the correct interface and correct next hop IP.

route inside 10.18.0.0 255.255.0.0 192.168.12.2 1 track 1

Also you need to have a no NAT for the agency interface.

nat (agency) 0 access-list NONAT

Please correct these and test, and let us know how it goes.

--

Please select a correct answer and rate helpful posts

New Member

That statement on the 1841

That statement on the 1841 and ASA were for testing a failover between INSIDE MPLS and OUTSIDE VPN.  We haven't gotten to that point yet but it was in the works.  The routing tables on both the 1841 and the ASA are both using their default routes at the moment for communication.  You can ignore the statements referring to tracking objects, sorry I didn't mention it.

I tried adding a nat exemption statement on the ASA again and it didn't make a difference.  I have a strong feeling that my troubles are somehow because of this error. When I added the NONAT statement, I was at least able to get an output from the first command, but still not the second, as mentioned in my first post.

 

asa1# sh nat agency outside
  match ip agency any outside 10.0.0.0 255.0.0.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
asa1# sh nat outside agency
ERROR: No matching NAT policy found

 

Can you check if this is

Can you check if this is correct?

global (agency) 20 1xx.5xx.1xx.10-1xx.5xx.1xx.122
global (agency) 20 1xx.5xx.1xx.125
nat (outside) 20 access-list vpn_outside_nat

 

From what I can see there, you are translating the 10.18.0.0/16 remote network into a 1xx.5xx.1xx. IP.

 

Try to do this:

 

nat (outside) 0 access-list outside_to_agency_nonat

 

access-list outside_to_agency_nonat permit ip 10.18.0.0 0.0.255.255 any

New Member

I've tried that, but they

I've tried that, but they still don't communicate.  I believe we need to be nat'ing to those global IPs in order to communicate with the agency network.  

The problem seems to be that it's NOT translating the 10.18.0.0 network into a 1xx.5xx.1xx.xxx IP.  NAT doesn't seem to be working on anything going from the outside to the agency interface, for some reason.

VIP Green

Just for clarification, the

Just for clarification, the no nat statement needs to be implemented on the ingress interface for the non-encrypted traffic...so in this case the agency interface and not the outside interface.

Also when doing VPN you do not want to translate the VPN traffic to the public IP...this is the reason for the no nat.

I suggest issuing the command clear xlate and then test connectivity.  If this setup is currently in use do so outside of working hours or during a service window...or at least tell your users that they will lose connectivity for a short period of time.  I am thinking that you have had a NAT statement in your configuration that has included the agency subnet and it has not timed out.

--

Please remember to select a correct answer and rate helpful posts

New Member

Okay, I've tried to put a nat

Okay, I've tried to put a nat exemption coming from the agency interface and cleared the translation tables, but still no connectivity.  Any ideas?

VIP Green

Could you add the no nat to

Could you add the no nat to the agency interface and then issue the packet tracer again.

I see that the NAT statements are missing from the 1841. Could you confirm that the traffic from the 10.18 network to the agency network is being exempted from NAT?

--

Please remember to select a correct answer and rate helpful posts


What about nat (agency) 0

What about nat (agency) 0 access-list xxxx? This is a normal issue with return traffic sometimes as the return traffic is being dropped or translated into a different IP.
VIP Green

The poster has indicated that

The poster has indicated that he has added a nat 0 to the agency interface but the issue persists.

 

New Member

From the packet-tracer output

From the packet-tracer output, it seems that the return traffic coming from the VPN going to the agency network is being nat'ed to the global address that is only supposed to be for the outside interface instead of the global address intended for the agency network. That would explain why it can't communicate, but how do I fix this and get it to NAT to the global (agency) pool instead of the global (outside) pool?

 

Here's the output:

asa1# packet-t input agency tcp 1xx.5xx.3xx.1xx 12345 10.18.1.1 80 det

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_agency in interface agency
access-list acl_agency extended permit ip host 1xx.5xx.3xx.1xx 10.0.0.0 255.0.0.0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb954718, priority=12, domain=permit, deny=false
        hits=2, user_data=0xcbf4fc78, cs_id=0x0, flags=0x0, protocol=0
        src ip=1xx.5xx.3xx.1xx, mask=255.255.255.255, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc88014f8, priority=0, domain=permit-ip-option, deny=true
        hits=496646, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb8c98b0, priority=70, domain=inspect-http, deny=false
        hits=21, user_data=0xcb8c8fb0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=80

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (agency) 0 access-list NONAT
  match ip agency any outside 10.0.0.0 255.0.0.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 1
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcbd9e088, priority=6, domain=nat-exempt, deny=false
        hits=0, user_data=0xcc144078, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xc7695f80, priority=70, domain=encrypt, deny=false
        hits=5734, user_data=0x1338149c, cs_id=0xd4f14878, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.18.0.0, mask=255.255.0.0, port=0

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd06f2c40, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=6035, user_data=0x13384f54, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.18.0.0, mask=255.255.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (outside) 20 access-list vpn_outside_nat
  match ip outside 10.0.0.0 255.0.0.0 outside any
    dynamic translation to pool 20 (2xx.1xx.2xx.190)
    translate_hits = 204581, untranslate_hits = 26424
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd4f0e198, priority=2, domain=host, deny=false
        hits=693456, user_data=0xcd09b6d8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.0.0.0, mask=255.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xc87f2bc0, priority=0, domain=permit-ip-option, deny=true
        hits=872576652, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1048522497, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Result:
input-interface: agency
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

VIP Green

Even though it shows a match

Even though it shows a match on the NAT to the outside global, it is the NAT0 which takes precedence:

Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (agency) 0 access-list NONAT
  match ip agency any outside 10.0.0.0 255.0.0.0

But to see if this is the issue, you could add a more specific ACL that matches the exact source and destination subnets.

--

Please remember to select a correct answer and rate helpful posts

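The precedence being discussed here (NAT exemption beats everything else, then static, then policy NAT, then regular dynamic NAT, which is the documented pre-8.3 ASA order of operations) is easier to see in a toy model. The following is an added example, not code from the thread or from Cisco: it encodes that order and applies it to a constructed config modelled on the one posted above, including the `static (outside,agency)` entry the original poster found to work and the `nat (outside) 0 access-list outside_to_agency_nonat` exemption another reply suggested. The pool and host addresses (198.51.100.x, 203.0.113.x) are placeholders for the masked public ranges, and the model checks exemption only on the initiating interface, a simplification of the real platform.

```python
"""Toy model of the pre-8.3 ASA NAT order of operations:
   1. nat (ifc) 0 access-list   (exemption)
   2. static (real,mapped)       (static NAT)
   3. nat (ifc) id access-list   (policy dynamic NAT)
   4. nat (ifc) id net mask      (regular dynamic NAT, most specific wins)
A nat id is paired with a global on the egress (mapped) interface.
Added example with constructed addresses; not the thread's or Cisco's code."""
import ipaddress as ipa

NO_POLICY = ("error", "No matching NAT policy found")


def net(s):
    return ipa.ip_network(s, strict=False)


def acl_match(acl, src, dst):
    """acl is a list of (src_net, dst_net) permit entries; first match wins."""
    return any(src in s and dst in d for s, d in acl)


class Pre83Nat:
    def __init__(self):
        self.exempt = []    # (real_ifc, acl)                        nat (ifc) 0 access-list X
        self.statics = []   # (real_ifc, mapped_ifc, mapped_ip, real_ip)
        self.policy = []    # (real_ifc, nat_id, acl)                nat (ifc) id access-list X
        self.dynamic = []   # (real_ifc, nat_id, real_net)           nat (ifc) id net mask
        self.globals = {}   # (mapped_ifc, nat_id) -> pool           global (ifc) id pool

    def lookup(self, real_ifc, mapped_ifc, src, dst):
        """(kind, mapped) for a flow initiated on real_ifc towards mapped_ifc.
        Simplification: exemption is only checked on the initiating interface."""
        src, dst = ipa.ip_address(src), ipa.ip_address(dst)
        for ifc, acl in self.exempt:                            # 1. exemption: no translation at all
            if ifc == real_ifc and acl_match(acl, src, dst):
                return ("exempt", str(src))
        for r, m, mapped_ip, real_ip in self.statics:           # 2. static one-to-one
            if (r, m) == (real_ifc, mapped_ifc) and src == ipa.ip_address(real_ip):
                return ("static", mapped_ip)
        for ifc, nat_id, acl in self.policy:                    # 3. policy NAT needs a matching global
            if ifc == real_ifc and acl_match(acl, src, dst):
                pool = self.globals.get((mapped_ifc, nat_id))
                return ("policy", pool) if pool else NO_POLICY
        best = None                                             # 4. regular dynamic, longest prefix
        for ifc, nat_id, n in self.dynamic:
            if ifc == real_ifc and src in n and (best is None or n.prefixlen > best[0]):
                best = (n.prefixlen, nat_id)
        if best:
            pool = self.globals.get((mapped_ifc, best[1]))
            return ("dynamic", pool) if pool else NO_POLICY
        return NO_POLICY


def thread_config(outside_exempt=False):
    """Constructed config mirroring the thread; placeholder public addresses."""
    ANY = net("0.0.0.0/0")
    c = Pre83Nat()
    if outside_exempt:   # suggested reply: nat (outside) 0 access-list outside_to_agency_nonat
        c.exempt.append(("outside", [(net("10.18.0.0/16"), ANY)]))
    c.exempt.append(("inside", [(ANY, net("10.0.0.0/8"))]))         # nat (inside) 0 access-list NONAT
    c.statics.append(("outside", "agency", "198.51.100.120", "10.18.1.1"))  # the static that worked
    c.policy.append(("outside", 20, [(net("10.0.0.0/8"), ANY)]))    # nat (outside) 20 access-list vpn_outside_nat
    c.dynamic.append(("inside", 20, ANY))                           # nat (inside) 20 0.0.0.0 0.0.0.0
    c.globals[("agency", 20)] = "198.51.100.10-198.51.100.122"      # global (agency) 20 <range>
    c.globals[("outside", 20)] = "203.0.113.190"                    # global (outside) 20 <addr>
    return c


if __name__ == "__main__":
    c = thread_config()
    print("outside->agency 10.18.1.1 :", c.lookup("outside", "agency", "10.18.1.1", "198.51.100.130"))
    print("outside->agency 10.18.1.2 :", c.lookup("outside", "agency", "10.18.1.2", "198.51.100.130"))
    print("outside->outside hairpin  :", c.lookup("outside", "outside", "10.18.1.2", "192.0.2.1"))
    print("inside->agency 10.6.1.1   :", c.lookup("inside", "agency", "10.6.1.1", "198.51.100.130"))
    e = thread_config(outside_exempt=True)
    print("with nat (outside) 0      :", e.lookup("outside", "agency", "10.18.1.1", "198.51.100.130"))
```

Run with and without `outside_exempt` to see the precedence: once an exemption covers the flow, the static and the policy rule are never consulted, which is the reason a `nat 0` entry can make a dynamic rule that the tracer still echoes irrelevant.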
New Member

Well I'm talking about Phase

Well I'm talking about Phase 9, where it appears the return traffic from the VPN gets nat'ed to the outside interface pool.  That would explain why it doesn't communicate.  I need to NAT from the outside interface to the agency interface pool, and it doesn't seem that's currently happening, for some reason.

VIP Green

You don't want to NAT anything when doing VPN...unless you have an address overlap, which is why the NAT exempt is there. NAT exempt will match first; even though phase 9 states that there is a match, it will not be executed. It is just part of the checks.

I suggest doing a packet capture between the agency interface and the outside interface and capturing specifically the traffic from the addresses you are testing to and from. The result should be that you see requests and replies on the agency interface and nothing on the outside interface...this will confirm that traffic is being encrypted on the ASA side...if you see requests and/or replies on the outside interface then traffic is not being encrypted.

I suggest using the ASDM as it is easier.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html

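As an added example that is not part of the reply above, the same capture done from the CLI instead of ASDM. 10.18.1.1 is the VPN branch host from the thread; `<agency_host>` is a placeholder (an assumption) for the agency-side host being tested. A capture on the agency interface sees addresses after translation, so the agency-side filter keys on the agency host rather than on the 10.x source:

```cisco
! Added example, not from the thread. <agency_host> is a placeholder for the
! agency-side host under test; 10.18.1.1 is the VPN branch host from the thread.
!
! Agency side: filter on the agency host in both directions. If NAT is applied,
! the VPN host's source shows up here as its pool address, not as 10.18.1.1.
access-list cap_vpn_agency extended permit ip any host <agency_host>
access-list cap_vpn_agency extended permit ip host <agency_host> any
capture cap_agency interface agency access-list cap_vpn_agency
!
! Outside side: filter on the cleartext pair. Per the reply above, matches here
! mean the traffic is leaving this interface unencrypted.
access-list cap_vpn_outside extended permit ip host 10.18.1.1 host <agency_host>
access-list cap_vpn_outside extended permit ip host <agency_host> host 10.18.1.1
capture cap_outside interface outside access-list cap_vpn_outside
!
! Generate traffic from the VPN branch host, then inspect both captures and
! check whether an xlate was ever built for the VPN host:
show capture cap_agency
show capture cap_outside
show xlate | include 10.18.1.1
!
! Remove the captures when done; they consume memory while active.
no capture cap_agency
no capture cap_outside
```

The `show xlate` line is the quick check on the "no matching NAT policy found" symptom: if no entry for 10.18.1.1 appears after traffic has been sent, the ASA never selected a translation for the outside-to-agency flow, which matches the packet-tracer results discussed in the thread.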
New Member

The output below is what happens when traffic from the inside goes out to the agency network.  You can see that it is being nat'ed to the agency pool.  I want the same thing to happen with the VPN traffic, don't I?  In theory, there's nothing different about the VPN traffic once it's decrypted, other than the fact that it's coming from the outside interface.

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 20 0.0.0.0 0.0.0.0
  match ip inside any agency any
    dynamic translation to pool 20 (1xx.5xx.1xx.1xx)
    translate_hits = 1756, untranslate_hits = 114
Additional Information:
Dynamic translate 10.6.1.1/0 to 1xx.5xx.1xx.1xx/0 using netmask 255.255.255.255
 Forward Flow based lookup yields rule:
 in  id=0xcfe7d268, priority=1, domain=nat, deny=false
        hits=1769, user_data=0xcbf4fcb8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 20 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 20 (2xx.1xx.2xx.190)
    translate_hits = 10728121, untranslate_hits = 221934
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc8979d80, priority=1, domain=host, deny=false
        hits=8891939, user_data=0xcc03bf80, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

VIP Green

is the agency interface connected to a network consisting of public IPs (i.e. Internet)?

you could try to add a nat statement as the following.

no nat (outside) 20 access-list vpn_outside_nat

nat (outside) 20 10.0.0.0 255.0.0.0

could be that the traffic is not matching the ACL.

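As an added example that is not from the thread: the pre-8.3 syntax for dynamic NAT of flows that enter a lower-security interface and leave a higher-security one ("outside NAT"). Cisco's pre-8.3 command reference states that the `outside` keyword must be given on a `nat` statement when that interface is at a lower security level than the interface named in the matching `global`; the `nat (outside) 20` line quoted in the thread has no such keyword. The thread does not establish whether that is the cause here, so this is offered as the documented form to compare against, using the thread's own masked addresses plus a placeholder `<agency_host>` (an assumption):

```cisco
! Added example, not from the thread. Pre-8.3 "outside NAT": translate the
! source of flows that enter outside (security 0) and exit agency (security 10).
! Addresses are the thread's masked values; <agency_host> is a placeholder.
access-list vpn_outside_nat extended permit ip 10.0.0.0 255.0.0.0 any
!
! Per the pre-8.3 command reference, "outside" is required when this interface
! (outside) is lower-security than the interface in the matching global (agency).
nat (outside) 20 access-list vpn_outside_nat outside
global (agency) 20 16x.5x.1x.1x-1x.5x.1x.12x
global (agency) 20 16x.5x.1x.1x
!
! Clear stale translations, confirm the policy is now listed for this interface
! pair, and trace a VPN branch host toward the agency network.
clear xlate
show nat outside agency
packet-tracer input outside tcp 10.18.1.1 1025 <agency_host> 80 detailed
show xlate | include 10.18.1.1
```

In the packet-tracer output, the NAT phase should report `nat (outside) 20 access-list vpn_outside_nat outside` with a dynamic translation to pool 20 on agency; if it still reports no matching policy, the configuration rather than the keyword is the thing to revisit.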
New Member

Yes, the network consists of public IPs.  I've tried that but I still get the "no NAT policy found" error.  It seems like it's just not applying it at all, even after a "clear xlate".  Could this be a bug?  

VIP Green

I am not sure if this is a bug or a configuration issue...I will try to lab this scenario and get back to you...I don't have an 8.2 to do this on but I will see what result I get on my 8.4 ASA.

VIP Green

Have a look at the following highlighted NAT rules.

global (outside) 20 2xx.1xx.2xx.190
global (outside) 10 2xx.1xx.2xx.185 netmask 255.255.255.0
global (outside) 30 2xx.1xx.2xx.184 netmask 255.255.255.255
global (agency) 20 1xx.5xx.1xx.10-1xx.5xx.1xx.122
global (agency) 20 1xx.5xx.1xx.125

nat (outside) 20 access-list vpn_outside_nat
nat (inside) 0 access-list NONAT
nat (inside) 30 access-list inside_nat_outbound
nat (inside) 20 0.0.0.0 0.0.0.0

I am wondering if perhaps the reason you are having issues is that you have both global outside and agency with the same defining number.  I suggest revising your NAT statements and giving the global agency entries a different number.

New Member

I've tried changing the pool numbers to be different in a nat statement and a global statement, and I still get the error "no NAT policy found."  I still have no communication that way.

VIP Green

It is quite possible that this is a bug...or perhaps a restart of the ASA will sort things out.

It is also possible that this is not supported on the ASA...though I find that hard to believe.  I have never tried to do what you are trying, but hairpinning works fine, so I do not know why it should not work going to another interface.

If you do try a restart and the problem still persists, I suggest opening a TAC case to find out why this is happening.

New Member

I just rebooted the ASA to no avail.  Still don't have a NAT policy for outside to care.  It seems to be a bug... unless we're missing something in the configuration?
