10-14-2010 04:20 AM
We have an ASA5510 which has two LAN to LAN IPSEC VPNs configured. The VPN tunnels themselves are up and one VPN works great. But the other VPN doesn't correctly NAT outbound traffic (inbound is fine from all VPN endpoints). When I ping from the ASA using 'ping inside 10.200.4.x', it works. When I ping from a box sitting on the inside subnet I get the following error in the ASA logs:
portmap translation creation failed for udp src inside:10.26.32.2/137 dst outside:10.200.4.x/137
I would be really grateful if someone could point out what I have done wrong with the NAT or routing configuration. This is the first time I have set up two L2L VPNs on one ASA. The relevant parts of the config are below, suitably anonymised.
Edit: I forgot to mention that once this is working I then need to NAT incoming traffic to web.server.public.ip to 10.26.32.2 and add ACL entries for www and https.
Thanks,
Matt.
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.2.3.33 255.255.255.248
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 10.26.32.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.61.1 255.255.255.0
management-only
!
access-list outside_1_cryptomap_1 extended permit ip 10.26.32.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list outside_20_cryptomap_1 extended permit ip 10.26.32.0 255.255.255.0 10.200.4.0 255.255.255.0
icmp permit any inside
arp timeout 14400
nat (inside) 0 access-list outside_1_cryptomap_1
nat (inside) 1 access-list outside_20_cryptomap_1
nat (inside) 2 0.0.0.0 0.0.0.0
route outside 10.200.4.0 255.255.255.0 broken.vpn.endpoint.ip 1
route outside 0.0.0.0 0.0.0.0 gateway.ip.address.here 1
route outside 192.168.0.0 255.255.0.0 working.vpn.endpoint.ip 1
aaa authentication ssh console LOCAL
http 192.168.61.0 255.255.255.0 management
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-SHA-256 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer working.vpn.endpoint.ip
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_20_cryptomap_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer broken.vpn.endpoint.ip
crypto map outside_map 20 set transform-set ESP-SHA-256
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
isakmp nat-traversal 20
tunnel-group working.vpn.endpoint.ip type ipsec-l2l
tunnel-group working.vpn.endpoint.ip ipsec-attributes
pre-shared-key *
tunnel-group broken.vpn.endpoint.ip type ipsec-l2l
tunnel-group broken.vpn.endpoint.ip ipsec-attributes
pre-shared-key *
telnet timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.61.2-192.168.61.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
10-14-2010 04:37 AM
These 2 lines are incorrect. The access-lists are crypto access-lists and you shouldn't apply them to the NAT statements.
nat (inside) 0 access-list outside_1_cryptomap_1
nat (inside) 1 access-list outside_20_cryptomap_1
Please remove the 2 NAT statements above, but keep the access-lists because those are applied to the crypto map.
Then you would need to configure the following:
access-list nonat extended permit ip 10.26.32.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list nonat extended permit ip 10.26.32.0 255.255.255.0 10.200.4.0 255.255.255.0
nat (inside) 0 access-list nonat
After the above changes, please perform "clear xlate".
Hope that helps.
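An added example, not code from this thread or from Cisco: a small Python linter for the pre-8.3 ASA syntax shown above that parses `access-list`, `crypto map ... match address` and `nat (iface) id ...` lines and reports two things the answer describes, a crypto access-list reused in a translating (non-zero id) NAT rule, and any crypto-interesting flow that is not exempted by a `nat (iface) 0 access-list` rule. Traffic the crypto map expects to encrypt must reach the crypto ACL untranslated, so either finding means a VPN flow will be translated (or, as in the thread, fail to get a translation). The two config snippets are constructed from the configs in this thread; the parser only understands the plain `permit ip SRC MASK DST MASK` form (plus `any` and `host`), which is all the thread uses.

```python
"""Check that VPN-interesting traffic is exempt from NAT (ASA pre-8.3 syntax).

Added example, not from the thread or Cisco. Handles only the
`access-list NAME extended permit ip SRC MASK DST MASK`,
`crypto map MAP SEQ match address NAME` and
`nat (IFACE) ID access-list NAME` / `nat (IFACE) ID ADDR MASK` forms.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Flow = Tuple[Net, Net]  # (source network, destination network)

# Constructed configs modelled on the thread (before and after the fix).
BROKEN_CONFIG = """
access-list outside_1_cryptomap_1 extended permit ip 10.26.32.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list outside_20_cryptomap_1 extended permit ip 10.26.32.0 255.255.255.0 10.200.4.0 255.255.255.0
nat (inside) 0 access-list outside_1_cryptomap_1
nat (inside) 1 access-list outside_20_cryptomap_1
nat (inside) 2 0.0.0.0 0.0.0.0
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 20 match address outside_20_cryptomap_1
"""

FIXED_CONFIG = """
access-list outside_1_cryptomap_1 extended permit ip 10.26.32.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list outside_20_cryptomap_1 extended permit ip 10.26.32.0 255.255.255.0 10.200.4.0 255.255.255.0
access-list nonat extended permit ip 10.26.32.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list nonat extended permit ip 10.26.32.0 255.255.255.0 10.200.4.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 2 0.0.0.0 0.0.0.0
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 20 match address outside_20_cryptomap_1
"""

NAT_RE = re.compile(r"nat \((\S+)\) (\d+) (?:access-list (\S+)|\S+ \S+)")


def _net(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse one address spec at tokens[i]: 'any', 'host A' or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    net = ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_config(text: str):
    """Return (acls, crypto_acls, nats) extracted from the config text."""
    acls: Dict[str, List[Flow]] = {}          # ACL name -> flows
    crypto_acls: Dict[str, str] = {}          # ACL name -> "map seq" using it
    nats: List[Tuple[str, int, str]] = []     # (iface, nat id, ACL name or "")
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and "permit" in t and "ip" in t:
            i = t.index("ip") + 1
            src, i = _net(t, i)
            dst, _ = _net(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["crypto", "map"] and "match" in t:
            crypto_acls[t[-1]] = f"{t[2]} {t[3]}"
        elif t[0] == "nat":
            m = NAT_RE.match(raw.strip())
            if m:
                nats.append((m.group(1), int(m.group(2)), m.group(3) or ""))
    return acls, crypto_acls, nats


def exempt_flows(acls, nats, iface: str) -> List[Flow]:
    """Flows covered by identity NAT, i.e. `nat (iface) 0 access-list X`."""
    out: List[Flow] = []
    for i, nat_id, acl in nats:
        if i == iface and nat_id == 0 and acl:
            out.extend(acls.get(acl, []))
    return out


def covered(flow: Flow, exempt: List[Flow]) -> bool:
    """True if both ends of `flow` fall inside one exempted flow."""
    src, dst = flow
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)


def lint(text: str, iface: str = "inside") -> List[str]:
    """Return human-readable findings; an empty list means no problem found."""
    acls, crypto_acls, nats = parse_config(text)
    findings: List[str] = []
    # 1. A crypto ACL attached to a translating NAT rule (the thread's mistake).
    for i, nat_id, acl in nats:
        if nat_id != 0 and acl in crypto_acls:
            findings.append(f"nat ({i}) {nat_id} uses crypto ACL {acl} "
                            f"(crypto map {crypto_acls[acl]}): VPN traffic will be translated")
    # 2. Crypto-interesting flows that no nat 0 rule exempts on this interface.
    exempt = exempt_flows(acls, nats, iface)
    for acl, where in crypto_acls.items():
        for flow in acls.get(acl, []):
            if not covered(flow, exempt):
                findings.append(f"{flow[0]} -> {flow[1]} (crypto map {where}) "
                                f"is not NAT-exempt on {iface}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before fix", BROKEN_CONFIG), ("after fix", FIXED_CONFIG)):
        print(f"== {label} ==")
        for line in lint(cfg) or ["no findings"]:
            print("  " + line)
```

Run against the "before" config it reports the `nat (inside) 1` rule and the un-exempted 10.26.32.0/24 to 10.200.4.0/24 flow, which is exactly the flow behind the `portmap translation creation failed` message; against the "after" config it reports nothing. The check relies on pre-8.3 behaviour, where NAT exemption (`nat 0 access-list`) is evaluated before policy and dynamic NAT, so a flow listed in the nonat ACL is never translated regardless of the other `nat` ids.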
10-14-2010 05:29 AM
Thanks, Jennifer! That worked great.