VPN NAT Overlap subnets remote ASA interface does not reply

nickhesson
Level 1

Hello all,

Not really a big problem, but not knowing the answer is killing me.  This is what I have:

Host 1 <-> ASA 5505 <-> VPN connection<-> ASA5510 <-> Host 2

Both hosts can reach each other without issues.  Ping, connect, no problem. 

The problem is when one of the hosts tries to reach the inside interface of the remote ASA.  E.g. Host 1 trying to ping the ASA5510 inside interface.  Again, Host 1 and 2 have the same subnet address of 10.1.1.0/24.  I have configured the ASA 5505 to do the NAT translations. 

Here is the ASA 5505 config (the parts that matter):

ASA Version 8.2(5)
!
hostname ASA5505
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.100.102 255.255.255.252
!
access-list vpnACL extended permit ip 10.1.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPNnat extended permit ip 10.1.1.0 255.255.255.0 10.1.30.0 255.255.255.0
access-list outacl extended permit icmp any any
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.1.20.0 access-list VPNnat
static (outside,inside) 10.1.30.0 10.1.1.0 netmask 255.255.255.0
!
access-group outacl in interface outside
!
route outside 0.0.0.0 0.0.0.0 192.168.100.101 1
!
crypto ipsec transform-set phase2 esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address vpnACL
crypto map outside_map 10 set peer 172.16.14.50
crypto map outside_map 10 set transform-set phase2
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
management-access inside
!
tunnel-group 172.16.14.50 type ipsec-l2l
tunnel-group 172.16.14.50 ipsec-attributes
 pre-shared-key *****

Here is the 5510 config:

: Saved
:
ASA Version 8.4(3)
!
hostname ASA5510
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.16.14.50 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
object network insidehosts
 subnet 10.1.1.0 255.255.255.0
object network Site443
 subnet 10.1.20.0 255.255.255.0
!
access-list VPNacl extended permit ip object insidehosts object outsidehosts
access-list outacl extended permit icmp any any
!
nat (inside,outside) source static insidehosts insidehosts destination static Site443 Site443
!
access-group outacl in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.14.49 1
!
crypto ipsec ikev1 transform-set phase2p esp-aes esp-sha-hmac
crypto map outside_map 69 match address VPNacl
crypto map outside_map 69 set peer 192.168.100.102
crypto map outside_map 69 set ikev1 transform-set phase2p
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
management-access inside
!
tunnel-group 192.168.100.102 type ipsec-l2l
tunnel-group 192.168.100.102 ipsec-attributes
 ikev1 pre-shared-key *****

Again, this configuration works for all hosts on both subnets, except when a host tries to ping the remote ASA's inside interface.

e.g. Host 1@10.1.1.50 pings/telnet to ASA2@10.1.30.1 fails.

Can anyone clue me as to why not? 

Thanks for the time and support,

Nick

3 Replies

Jennifer Halim
Cisco Employee
(Accepted Solution)

NAT won't work on the ASA interfaces itself. NAT will only work for traffic passing through the ASA.

Thanks Jennifer for the reply.  Is that just an ASA rule?  Or is there more of a technical reason why not?  Because I see, using debug icmp trace, that the ASAs receive the ICMP requests.  But the ASA does not reply. 

Again thanks for the reply.

Nick

Yes, you are absolutely correct. It is by design that the ASA interface will not get NATed.
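The following is an added worked example, not code from the thread or from Cisco. It parses the two 8.2-style `static` lines and the `VPNnat` policy ACL from the ASA 5505 config above, works out how a given packet's source and destination are rewritten for the overlapping 10.1.1.0/24 subnets, and flags the case the accepted answer describes: a translation whose result is one of the ASA's own interface addresses. The translation logic is a deliberately simplified 1:1 subnet model (host offset carried from the real subnet to the mapped one), not the ASA's real NAT order of operations, and the flag is a heuristic derived only from the statement that NAT is never applied to the ASA's interfaces themselves. The sample config text is constructed from the lines posted above; function and field names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the NAT-relevant lines of the ASA 5505 (8.2 syntax)
# from the thread. Interface addresses are listed so the checker knows which
# addresses belong to the ASA itself.
ASA5505_NAT_LINES = """
ip address 10.1.1.1 255.255.255.0
ip address 192.168.100.102 255.255.255.252
access-list VPNnat extended permit ip 10.1.1.0 255.255.255.0 10.1.30.0 255.255.255.0
static (inside,outside) 10.1.20.0 access-list VPNnat
static (outside,inside) 10.1.30.0 10.1.1.0 netmask 255.255.255.0
"""


@dataclass
class StaticRule:
    real_if: str                 # interface the real addresses live behind
    mapped_if: str               # interface on which the mapped addresses are seen
    real: ipaddress.IPv4Network
    mapped: ipaddress.IPv4Network
    dest: Optional[ipaddress.IPv4Network] = None  # policy-NAT destination condition


def parse_asa82_nat(text):
    """Return (set of this ASA's interface IPs, list of StaticRule)."""
    interfaces, acls, rules = set(), {}, []
    for line in text.strip().splitlines():
        p = line.split()
        if p[:2] == ["ip", "address"]:
            interfaces.add(ipaddress.IPv4Address(p[2]))
        elif p[0] == "access-list" and p[2:5] == ["extended", "permit", "ip"]:
            # only the subnet/mask form used in the thread is handled
            acls[p[1]] = (ipaddress.IPv4Network(f"{p[5]}/{p[6]}"),
                          ipaddress.IPv4Network(f"{p[7]}/{p[8]}"))
        elif p[0] == "static":
            real_if, mapped_if = re.match(r"\((\w+),(\w+)\)", p[1]).groups()
            if p[3] == "access-list":
                # policy static: real subnet and destination come from the ACL
                src_net, dst_net = acls[p[4]]
                mapped = ipaddress.IPv4Network(f"{p[2]}/{src_net.netmask}")
                rules.append(StaticRule(real_if, mapped_if, src_net, mapped, dst_net))
            else:
                # "static (a,b) MAPPED REAL netmask MASK"
                rules.append(StaticRule(real_if, mapped_if,
                                        ipaddress.IPv4Network(f"{p[3]}/{p[5]}"),
                                        ipaddress.IPv4Network(f"{p[2]}/{p[5]}")))
    return interfaces, rules


def _shift(addr, from_net, to_net):
    """Carry addr's host offset within from_net over to to_net (1:1 subnet NAT)."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.IPv4Address(int(to_net.network_address) + offset)


def translate(interfaces, rules, ingress, src, dst):
    """Apply the static rules to a packet entering on `ingress`.

    Returns (new_src, new_dst, hits_own_interface). The flag is the
    heuristic check for the thread's failure case: the packet is addressed,
    before or after translation, to one of this ASA's own interfaces, where
    the accepted answer says NAT is not applied.
    """
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if dst in interfaces:
        return src, dst, True          # to-the-box traffic: no NAT at all
    new_src, new_dst = src, dst
    for r in rules:
        # outbound from the real side: rewrite the source to its mapped address
        if ingress == r.real_if and src in r.real and (r.dest is None or dst in r.dest):
            new_src = _shift(src, r.real, r.mapped)
        # inbound from the mapped side: un-map the destination to its real address
        if ingress == r.mapped_if and dst in r.mapped:
            new_dst = _shift(dst, r.mapped, r.real)
    return new_src, new_dst, new_dst in interfaces


if __name__ == "__main__":
    ifs, rules = parse_asa82_nat(ASA5505_NAT_LINES)
    for ingress, s, d in [("inside", "10.1.1.50", "10.1.30.60"),    # Host 1 -> remote host
                          ("outside", "10.1.1.60", "10.1.20.50"),   # remote host -> Host 1
                          ("outside", "10.1.1.60", "10.1.20.1")]:   # remote host -> 5505 inside
        ns, nd, flag = translate(ifs, rules, ingress, s, d)
        print(f"{ingress:7} {s} -> {d}  becomes  {ns} -> {nd}"
              + ("  (lands on the ASA's own interface: NAT not applied)" if flag else ""))
```

Host-to-host flows in both directions translate cleanly, while a remote host aiming at the 5505's mapped inside address (10.1.20.1) would need NAT to deliver to 10.1.1.1, the ASA's own interface, which is exactly the case the accepted answer rules out.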
