Outbound NAT not working for one L2L VPN

comscaleltd
Level 1

We have an ASA5510 which has two LAN to LAN IPSEC VPNs configured.  The VPN tunnels themselves are up and one VPN works great.  But the other VPN doesn't correctly NAT outbound traffic (inbound is fine from all VPN endpoints).  When I ping from the ASA using 'ping inside 10.200.4.x', it works.  When I ping from a box sitting on the inside subnet I get the following error in the ASA logs:

portmap translation creation failed for udp src inside:10.26.32.2/137 dst outside:10.200.4.x/137

I would be really grateful if someone could point out what I have done wrong with the NAT or routing configuration. This is the first time I have set up two L2L VPNs on one ASA.  The relevant parts of the config are below, suitably anonymised.

Edit:  I forgot to mention that once this is working I then need to NAT incoming traffic to web.server.public.ip to 10.26.32.2 and add ACL entries for www and https.

Thanks,

Matt.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.2.3.33 255.255.255.248
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.26.32.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.61.1 255.255.255.0
 management-only
!
access-list outside_1_cryptomap_1 extended permit ip 10.26.32.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list outside_20_cryptomap_1 extended permit ip 10.26.32.0 255.255.255.0 10.200.4.0 255.255.255.0
icmp permit any inside
arp timeout 14400
nat (inside) 0 access-list outside_1_cryptomap_1
nat (inside) 1 access-list outside_20_cryptomap_1
nat (inside) 2 0.0.0.0 0.0.0.0
route outside 10.200.4.0 255.255.255.0 broken.vpn.endpoint.ip 1
route outside 0.0.0.0 0.0.0.0 gateway.ip.address.here 1
route outside 192.168.0.0 255.255.0.0 working.vpn.endpoint.ip 1
aaa authentication ssh console LOCAL
http 192.168.61.0 255.255.255.0 management
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-SHA-256 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer working.vpn.endpoint.ip
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_20_cryptomap_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer broken.vpn.endpoint.ip
crypto map outside_map 20 set transform-set ESP-SHA-256
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
isakmp nat-traversal  20
tunnel-group working.vpn.endpoint.ip type ipsec-l2l
tunnel-group working.vpn.endpoint.ip ipsec-attributes
 pre-shared-key *
tunnel-group broken.vpn.endpoint.ip type ipsec-l2l
tunnel-group broken.vpn.endpoint.ip ipsec-attributes
 pre-shared-key *
telnet timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.61.2-192.168.61.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

Accepted Solution

Jennifer Halim
Cisco Employee

These 2 lines are incorrect. Those access-lists are crypto access-lists and you shouldn't apply them to the NAT statements.

nat (inside) 0 access-list outside_1_cryptomap_1

nat (inside) 1 access-list outside_20_cryptomap_1

Please remove the 2 NAT statements above, but keep the access-lists because those are applied to the crypto map.

Then you would need to configure the following:

access-list nonat extended permit ip 10.26.32.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list nonat extended permit ip 10.26.32.0 255.255.255.0 10.200.4.0 255.255.255.0

nat (inside) 0 access-list nonat

After the above changes, please perform "clear xlate".

Hope that helps.

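To see why the posted configuration behaves as it does, the following is an added example (not part of the thread and not Cisco code) that models the pre-8.3 ASA NAT selection order for an inside-to-outside flow: NAT exemption ("nat 0 access-list") is checked first, then policy dynamic NAT ("nat N access-list"), then regular dynamic NAT ("nat N network mask"). A dynamic rule that matches but has no corresponding "global (outside) N" cannot create a translation, which is the condition behind a "portmap translation creation failed" message. The posted config shows no "global" statements at all (only "relevant parts" were included), so the model assumes a "global (outside) 2" exists for the default rule and that none exists for nat id 1; the ACL contents, the VPN subnets and the "nonat" ACL from the accepted answer are taken from the thread, and the destination hosts used as sample input are constructed. Static NAT and identity NAT ("nat 0 network mask") are deliberately left out of the model. Traffic sourced by the ASA itself (the "ping inside" test) does not go through these rules, which is why that test succeeded.

```python
"""Model of pre-8.3 ASA NAT rule selection for an inside->outside flow.

Added example for the thread above, not part of the original post or of
any Cisco software. Simplified: NAT exemption, policy dynamic NAT and
regular dynamic NAT only, evaluated in that order.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


def net(address: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from ASA-style 'address mask' notation."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


@dataclass(frozen=True)
class Ace:
    """One 'access-list NAME extended permit ip SRC MASK DST MASK' entry."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return src in self.src and dst in self.dst


@dataclass
class NatRule:
    """'nat (inside) ID access-list NAME' (acl set) or 'nat (inside) ID NET MASK' (local set)."""
    nat_id: int
    acl: Optional[List[Ace]] = None
    local: Optional[ipaddress.IPv4Network] = None

    def acl_matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return bool(self.acl) and any(a.matches(src, dst) for a in self.acl)


@dataclass
class AsaNat:
    rules: List[NatRule]
    global_ids: Set[int]  # nat ids for which a 'global (outside) ID ...' exists

    def _translate(self, kind: str, nat_id: int) -> str:
        if nat_id in self.global_ids:
            return f"{kind} id {nat_id}"
        # A dynamic rule matched but there is no pool or interface to translate
        # into: the xlate cannot be built and the packet is dropped.
        return f"translation creation failed (nat id {nat_id} has no global)"

    def decide(self, src: str, dst: str) -> str:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. NAT exemption: 'nat 0 access-list', evaluated before anything else.
        if any(r.nat_id == 0 and r.acl_matches(s, d) for r in self.rules):
            return "exempt"
        # 2. Policy dynamic NAT: 'nat N access-list' with N != 0.
        for r in self.rules:
            if r.nat_id != 0 and r.acl_matches(s, d):
                return self._translate("policy-nat", r.nat_id)
        # 3. Regular dynamic NAT: 'nat N network mask'; most specific network wins.
        candidates = [r for r in self.rules if r.local is not None and s in r.local]
        if candidates:
            best = max(candidates, key=lambda r: r.local.prefixlen)
            return self._translate("dynamic-nat", best.nat_id)
        return "no nat rule matched"


# Crypto ACLs as posted in the thread.
OUTSIDE_1_CRYPTOMAP_1 = [Ace(net("10.26.32.0", "255.255.255.0"), net("192.168.0.0", "255.255.0.0"))]
OUTSIDE_20_CRYPTOMAP_1 = [Ace(net("10.26.32.0", "255.255.255.0"), net("10.200.4.0", "255.255.255.0"))]
INSIDE_ANY = net("0.0.0.0", "0.0.0.0")  # 'nat (inside) 2 0.0.0.0 0.0.0.0'

# Assumption: a 'global (outside) 2 interface' exists for nat id 2 and nothing
# exists for nat id 1 (the thread shows no global statements at all).
GLOBALS = {2}

BROKEN = AsaNat(
    rules=[NatRule(0, acl=OUTSIDE_1_CRYPTOMAP_1),
           NatRule(1, acl=OUTSIDE_20_CRYPTOMAP_1),  # policy NAT with no global 1
           NatRule(2, local=INSIDE_ANY)],
    global_ids=GLOBALS)

NONAT = OUTSIDE_1_CRYPTOMAP_1 + OUTSIDE_20_CRYPTOMAP_1  # the 'nonat' ACL from the accepted answer
FIXED = AsaNat(
    rules=[NatRule(0, acl=NONAT), NatRule(2, local=INSIDE_ANY)],
    global_ids=GLOBALS)


def decide_broken(src: str, dst: str) -> str:
    return BROKEN.decide(src, dst)


def decide_fixed(src: str, dst: str) -> str:
    return FIXED.decide(src, dst)


if __name__ == "__main__":
    # Constructed sample destinations: working VPN, broken VPN, plain internet host.
    for dst in ("192.168.1.10", "10.200.4.10", "203.0.113.5"):
        print(f"{dst:>13}: broken={decide_broken('10.26.32.2', dst)!r}  "
              f"fixed={decide_fixed('10.26.32.2', dst)!r}")
```

With the posted rules, a packet from 10.26.32.2 to the 10.200.4.0/24 peer misses the nat 0 exemption, hits the nat 1 policy rule and then has nowhere to translate to; with the accepted answer's single nonat ACL on nat 0, both VPN destinations are exempted before any dynamic rule is consulted and internet traffic still reaches the default rule. The "clear xlate" step matters because existing translations are not re-evaluated against new rules until they expire or are cleared.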

2 Replies


Thanks, Jennifer! That worked great.