10-20-2007 05:03 AM - edited 03-09-2019 07:03 PM
Hi,
I'm trying to create a simple site2site vpn link, the only thing "un-ordinary" is that the protected network behind the remote vpn-firewall consists of public ip addresses.
When trying to access the addresses, the firewall sends the inside client directly to the public address - not through the tunnel.
I've tried everything.. :(
Anyone have any idea how to solve this?
Thanks in advance,
Rasmus
10-20-2007 07:55 AM
The remote networks must be defined in your interesting traffic acl and your nat exemption acl. Post your config and what the remote network is.
10-21-2007 05:40 AM
Hi,
Thanks for your reply.
First of all, a few details I forgot to mention:
It's an ASA 5510 running ver. 8.0(2)
Then to the config (slightly shortened). As you'll notice, there are two tunnels. The first one works fine. It terminates in a PIX in Sweden, which has private ip addresses on its inside interface.
The other one (that doesn't work) has public ip addresses on its inside interface (and that's what I think is the source of this problem). Because of this I have made no NAT exemption rule, 'cause the traffic will only go from us to "them".
The object-group ext_rki_servers is the mentioned public "inside" network. The tunnel that works is 194.x.x.x and the one that doesn't is the 193.x.x.x.
Config:
access-list inside_nat0_outbound extended permit ip object-group net_all_internal object-group net_sweden
access-list traffic_from_inside extended permit ip object-group net_all_internal object-group net_sweden
access-list traffic_from_inside extended permit tcp object-group int_scorex_servers object-group ext_rki_servers object-group DM_INLINE_TCP_2 log debugging
access-list outside_cryptomap_RKI extended permit ip object-group int_scorex_servers object-group ext_rki_servers
access-list fiber_sweden_cryptomap extended permit ip object-group net_all_internal object-group net_sweden
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 102 access-list inside_nat_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group traffic_from_outside in interface outside
access-group traffic_from_inside in interface inside
timeout xlate 3:00:00
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set access_dk_se esp-aes-192 esp-sha-hmac
crypto map outside_map_RKI 1 match address outside_cryptomap_RKI
crypto map outside_map_RKI 1 set peer 193.x.x.17
crypto map outside_map_RKI 1 set transform-set ESP-3DES-SHA
crypto map outside_map_RKI interface outside
crypto map access_dk_se_map 30 match address fiber_sweden_cryptomap
crypto map access_dk_se_map 30 set peer 194.x.x.42
crypto map access_dk_se_map 30 set transform-set access_dk_se
crypto map access_dk_se_map interface fiber
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable fiber
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-192
hash sha
group 5
lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
tunnel-group 194.x.x.42 type ipsec-l2l
tunnel-group 194.x.x.42 ipsec-attributes
pre-shared-key *
tunnel-group 193.x.x.17 type ipsec-l2l
tunnel-group 193.x.x.17 ipsec-attributes
pre-shared-key *
10-21-2007 10:32 AM
Shouldn't you also need...
access-list inside_nat0_outbound extended permit ip object-group int_scorex_servers object-group ext_rki_servers
10-22-2007 03:48 AM
I don't know :)
But the traffic from our internal servers needs to be NAT'ed, so I don't think so?
BR,
Rasmus
10-22-2007 04:43 AM
Typically, lan to lan traffic is not nat'd. If you want to nat it you must change your crypto acl to include the nat'd traffic.
Right now you have...
access-list outside_cryptomap_RKI extended permit ip object-group int_scorex_servers object-group ext_rki_servers
What is defined as int_scorex_servers? Probably the private ip addresses of the servers right? You would have to change this to the nat'd ip address.
access-list outside_cryptomap_RKI extended permit ip nat'd.ip.address object-group ext_rki_servers
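The fix described in this answer (and the earlier point that the remote network must appear in the interesting-traffic ACL), written out as an added ASA 8.0-style configuration example. This is not Rasmus's configuration or Cisco reference material: the object-group contents, the outside interface address 203.0.113.10 and the remote range 192.0.2.0/24 are placeholders in documentation address space, and the policy NAT id 103 is an assumption chosen not to collide with the ids already in the posted config. The point it shows is that on this software train NAT is applied before the crypto map is consulted, so the crypto ACL has to match the translated source, not the servers' private addresses.

```cisco
! Added example, not from the thread. Placeholder values:
!   10.1.1.10 / 10.1.1.11  = internal servers (int_scorex_servers)
!   192.0.2.0/24           = remote public "inside" network (ext_rki_servers)
!   203.0.113.10           = this firewall's outside interface address
object-group network int_scorex_servers
 network-object host 10.1.1.10
 network-object host 10.1.1.11
object-group network ext_rki_servers
 network-object 192.0.2.0 255.255.255.0
!
! Optional but explicit: policy PAT only for server-to-RKI traffic, so the
! translation that the crypto ACL relies on does not depend on the catch-all
! "nat (inside) 101 0.0.0.0 0.0.0.0" rule. Policy NAT entries are evaluated
! before the regular dynamic NAT rule on pre-8.3 code.
access-list inside_nat_rki extended permit ip object-group int_scorex_servers object-group ext_rki_servers
nat (inside) 103 access-list inside_nat_rki
global (outside) 103 interface
!
! Deliberately NO nat0 (exemption) line for this pair: the thread wants the
! traffic translated, and exempting it would send the private addresses
! into the tunnel, where the peer's crypto ACL would not match them.
!
! Crypto ACL written for the POST-NAT source: the outside interface address.
! The peer at 193.x.x.17 must mirror this as
!   permit ip <ext_rki_servers> host 203.0.113.10
access-list outside_cryptomap_RKI extended permit ip host 203.0.113.10 object-group ext_rki_servers
!
crypto map outside_map_RKI 1 match address outside_cryptomap_RKI
crypto map outside_map_RKI 1 set peer 193.x.x.17
crypto map outside_map_RKI 1 set transform-set ESP-3DES-SHA
crypto map outside_map_RKI interface outside
```

To confirm the path before involving the remote side, run the built-in tracer with a server as source and an RKI host as destination (placeholder addresses again): "packet-tracer input inside tcp 10.1.1.10 12345 192.0.2.5 80". A correct setup shows the NAT phase translating the source to 203.0.113.10 and then a VPN/encrypt phase; if the trace ends with the packet going to the outside interface in the clear, the crypto ACL still does not match the translated flow. Because only the firewall address is ever presented to the peer, the tunnel is effectively one-directional: the RKI side cannot initiate connections to the individual servers, which is the behaviour Rasmus wanted, but it is worth stating in the change record so nobody later tries to "fix" it by adding an exemption rule.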
10-22-2007 05:14 AM
Correct, that group contains the internal ip addresses.
They are NAT'ed to the external firewall interface upon exit. So I should change the ACL?
Never would have thought of this myself, but I'll give it a go, and get back to you.
Thanks,
Rasmus
10-24-2007 01:27 AM
You were right. I replaced with the public ip of the firewall and we're through :)
Thanks!
10-24-2007 05:24 AM
Good deal, glad it worked out. Thanks for the rating.