879 Views, 0 Helpful, 5 Replies

VPN L2L Connection 5525 to Juniper

Joshua Maurer
Level 1

I am stumped and hoping someone can help me. I have created a VPN tunnel that should work to connect to a Juniper firewall. Can someone look over this VPN config and let me know if I have something wrong? Not sure if my static NAT is the problem. I have my inside address with a static NAT for the tunnel and the remote address with a static NAT also. I have seen hit counters on my ACL for trying to ping over, but the Juniper is not seeing any of my traffic.

 

HQ

-NAME-      -REAL IN-       -NAT TO FOR OUT-
SERVER01    10.30.3.210     172.21.20.210
SERVER02    10.30.3.211     172.21.20.211

REMOTE

-NAME-      -REAL OUT-      -MY NAT FOR OUT-
SERVER01    172.140.27.97   172.129.10.5
SERVER02    172.140.27.98   172.129.10.6

 

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key P@SSW)RD01
exit

crypto ikev1 policy 210
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
exit

object-group network INSIDE-SRVS-REAL
 network-object host 10.30.3.210
 network-object host 10.30.3.211

object-group network INSIDE-SRVS-NAT
 network-object host 172.21.20.210
 network-object host 172.21.20.211

object-group network REMOTE-SRVS-REAL
 network-object host 172.140.27.97
 network-object host 172.140.27.98

object-group network REMOTE-SRVS-NAT
 network-object host 172.129.10.5
 network-object host 172.129.10.6

access-list vpnl2l-CMAP-210 extended permit icmp object-group INSIDE-SRVS-NAT object-group REMOTE-SRVS-REAL
access-list vpnl2l-CMAP-210 extended permit tcp object-group INSIDE-SRVS-NAT object-group REMOTE-SRVS-REAL

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE-CMAP 210 match address vpnl2l-CMAP-210
crypto map OUTSIDE-CMAP 210 set peer 1.1.1.1
crypto map OUTSIDE-CMAP 210 set ikev1 transform-set ESP-3DES-SHA
crypto map OUTSIDE-CMAP 210 set security-association lifetime seconds 28800

object network INSIDE-SERVER01-INREAL
 host 10.30.3.210
object network INSIDE-SERVER01-INMAPPED
 host 172.21.20.210

object network INSIDE-SERVER02-INREAL
 host 10.30.3.211
object network INSIDE-SERVER-2-INMAPPED
 host 172.21.20.211

object network REMOTE-SERVER01-NAT-OUTREAL
 host 172.140.27.97
object network REMOTE-SERVER01-NAT-OUTMAPPED
 host 172.129.10.5

object network REMOTE-SERVER02-NAT-OUTREAL
 host 172.140.27.98
object network REMOTE-SERVER02-NAT-OUTMAPPED
 host 172.129.10.6

nat (INSIDE,OUTSIDE) source static INSIDE-SERVER01-INREAL INSIDE-SERVER01-INMAPPED destination static REMOTE-SERVER01-NAT-OUTMAPPED REMOTE-SERVER01-NAT-OUTREAL
nat (INSIDE,OUTSIDE) source static INSIDE-SERVER02-INREAL INSIDE-SERVER-2-INMAPPED destination static REMOTE-SERVER02-NAT-OUTMAPPED REMOTE-SERVER02-NAT-OUTREAL
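Replaying the NAT rule and crypto ACL above against a sample flow, as an added example that is not part of the original post and is not Cisco tooling: it applies the twice-NAT statement the way the ASA evaluates it (first match, with the destination written as the address the inside host actually sends to), then checks the post-NAT source/destination pair against the crypto ACL and lists the mirror-image proxy IDs the Juniper side has to present in phase 2. Object names and addresses are copied from the config above, trimmed to SERVER01 on each side; the parser only understands the statement forms used in this thread.

```python
# Added example (not from the thread): replay the posted ASA twice-NAT rule and crypto ACL
# against sample flows to see what the IPsec SA will actually carry, and derive the
# proxy IDs the Juniper must mirror. Only the statement forms used in the thread are parsed.
import ipaddress
import re

# Object names and addresses copied from the posted config, trimmed to SERVER01 on each side.
CONFIG = """
object network INSIDE-SERVER01-INREAL
 host 10.30.3.210
object network INSIDE-SERVER01-INMAPPED
 host 172.21.20.210
object network REMOTE-SERVER01-NAT-OUTREAL
 host 172.140.27.97
object network REMOTE-SERVER01-NAT-OUTMAPPED
 host 172.129.10.5
object-group network INSIDE-SRVS-NAT
 network-object host 172.21.20.210
object-group network REMOTE-SRVS-REAL
 network-object host 172.140.27.97
access-list vpnl2l-CMAP-210 extended permit icmp object-group INSIDE-SRVS-NAT object-group REMOTE-SRVS-REAL
access-list vpnl2l-CMAP-210 extended permit tcp object-group INSIDE-SRVS-NAT object-group REMOTE-SRVS-REAL
nat (INSIDE,OUTSIDE) source static INSIDE-SERVER01-INREAL INSIDE-SERVER01-INMAPPED destination static REMOTE-SERVER01-NAT-OUTMAPPED REMOTE-SERVER01-NAT-OUTREAL
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) extended permit (\S+) object-group (\S+) object-group (\S+)")

def parse_config(text):
    """Collect network objects, object-groups, twice-NAT rules and crypto ACL entries."""
    cfg = {"objects": {}, "groups": {}, "nat": [], "acl": {}}
    members = None                      # list receiving the current object's member lines
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] in ("object", "object-group") and tok[1] == "network":
            members = cfg["objects" if tok[0] == "object" else "groups"].setdefault(tok[2], [])
        elif line.startswith(" ") and members is not None:
            tok = [t for t in tok if t not in ("network-object", "host", "subnet")]
            members.append(ipaddress.ip_network("/".join(tok)))   # "A" (host) or "A/MASK"
        elif (m := NAT_RE.match(line)):
            cfg["nat"].append(dict(zip(("src_real", "src_mapped", "dst_mapped", "dst_real"), m.groups()[2:])))
        elif (m := ACL_RE.match(line)):
            cfg["acl"].setdefault(m.group(1), []).append(m.groups()[1:])   # (proto, src_grp, dst_grp)
    return cfg

def _contains(nets, ip):
    return any(ip in n for n in nets)

def _shift(ip, real, mapped):
    """Static one-to-one mapping: keep the host offset inside the equal-sized mapped block."""
    return ipaddress.ip_address(int(mapped.network_address) + (int(ip) - int(real.network_address)))

def translate(cfg, src, dst):
    """Apply the first twice-NAT rule whose real source and *mapped* destination match
    (the inside host addresses the mapped remote IP); return the post-NAT pair and the rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    objs = cfg["objects"]
    for rule in cfg["nat"]:
        if _contains(objs[rule["src_real"]], src) and _contains(objs[rule["dst_mapped"]], dst):
            new_src = _shift(src, objs[rule["src_real"]][0], objs[rule["src_mapped"]][0])
            new_dst = _shift(dst, objs[rule["dst_mapped"]][0], objs[rule["dst_real"]][0])
            return str(new_src), str(new_dst), rule
    return str(src), str(dst), None

def acl_matches(cfg, acl_name, proto, src, dst):
    """The crypto ACL is evaluated on the packet as it leaves OUTSIDE, i.e. after NAT."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(p in ("ip", proto) and _contains(cfg["groups"][s], src) and _contains(cfg["groups"][d], dst)
               for p, s, d in cfg["acl"].get(acl_name, []))

def check_flow(cfg, acl_name, proto, src, dst):
    """Report whether a flow is translated and whether the translated flow is 'interesting'."""
    nat_src, nat_dst, rule = translate(cfg, src, dst)
    return {"post_nat": (nat_src, nat_dst), "nat_hit": rule is not None,
            "interesting": acl_matches(cfg, acl_name, proto, nat_src, nat_dst)}

def peer_proxy_ids(cfg, acl_name):
    """Mirror image of the crypto ACL: (local, remote) proxy IDs the far-end peer must offer."""
    ids = set()
    for _, sgrp, dgrp in cfg["acl"].get(acl_name, []):
        ids.update((str(l), str(r)) for l in cfg["groups"][dgrp] for r in cfg["groups"][sgrp])
    return sorted(ids)

if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    # Server addresses the vendor's mapped IP: translated, and the result matches the crypto ACL.
    print(check_flow(cfg, "vpnl2l-CMAP-210", "icmp", "10.30.3.210", "172.129.10.5"))
    # Server addresses the vendor's real IP: no NAT hit, untranslated flow never matches the ACL.
    print(check_flow(cfg, "vpnl2l-CMAP-210", "icmp", "10.30.3.210", "172.140.27.97"))
    print(peer_proxy_ids(cfg, "vpnl2l-CMAP-210"))
```

The second flow in the script is the case worth checking on the ASA: if an inside server addresses the vendor's real 172.140.27.97 instead of the mapped 172.129.10.5, no NAT rule fires, the packet leaves with its real 10.30.3.210 source, and it never matches the crypto ACL, so it is routed in the clear rather than into the tunnel. The proxy-ID list is what the remote peer must agree to in phase 2: with this crypto ACL the Juniper has to treat 172.21.20.210/32 as the remote host and 172.140.27.97/32 as its local host, and only ICMP and TCP are covered, so UDP between the same hosts is not interesting traffic either.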
5 Replies

nkarthikeyan
Level 7

Hi,

I am pretty confused by your statements. How are you planning to do L2L? Why do you want to do NAT with the real server and NAT IP for the remote infrastructure? You have to do NAT on your ASA end. Why do you NAT the remote real server and NAT IP?

You can make the rule set for either the real IP or the NAT IP.

Please clarify this for me so that we can do something to solve this issue.

HTH

Regards

Karthik

What I am trying to accomplish is having two network addresses for the L2L VPN tunnel. The outside vendors usually supply me with their address, which is something I am already using on my network. So if I static NAT their address to the 172.129.10.0/24 network scope, for example, I can just map their address to 172.129.10.5 and point my servers to 172.129.10.5 to get to 172.140.27.97, which is their IP address.

I want to set up a static NAT for the inside to an address because in the coming months I will be changing the IP scheme of the inside network. If I static NAT my inside address, then I can give the vendor the static mapped IP address, and when the conversion begins I can just change the firewall inside real address and the vendor does not have to change their rules.

The basic answer is for convenience. We are updating the network with new network equipment and making a lot of changes because of network growth.

Does the tunnel configuration look right?

Hi Joshua,

With respect to your VPN configuration, below are the additional changes required.

crypto map OUTSIDE-CMAP interface <outside>

crypto ikev1 enable outside

And for the NAT, looking at your crypto ACL: you are passing the traffic from the inside NATed IP to the remote side real IP. NATing the inside servers alone would give you the desired result. There is no need for the remote servers to be NATed.

HTH

Regards

Karthik

 

I need to NAT the remote servers because on the other side of the network we are using that IP address scheme, so I need to have it NATed. Also, I am NATing the inside because that inside network IP address will be changing soon. This way I don't have to contact everyone with a tunnel to the network to make changes.

Do I have the NAT right for the static NAT to the remote network, or do I need to do it differently, since the VPN IKE phases are correct?

 

 

I am running:

debug crypto ipsec
debug crypto isakmp
debug crypto ikev1

 

I am getting the following messages:

Jun 25 00:34:30 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Jun 25 00:34:30 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: Lost Service
Jun 25 00:35:05 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, QM FSM error (P2 struct &0x00007fff33991e00, mess id 0x80aabb23)!
Jun 25 00:35:05 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Jun 25 00:35:05 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: Lost Service
Jun 25 00:35:40 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, QM FSM error (P2 struct &0x00007fff33991e00, mess id 0xd060fea0)!
Jun 25 00:35:40 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Jun 25 00:35:40 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: Lost Service
Does this help at all? I have been trying to look up the errors on Google with no luck.
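Triaging the debug output above by negotiation stage, as an added example that is not part of the thread and not an ASA feature: it parses each IKEv1 debug line, buckets it as a Quick Mode failure or teardown noise, and collects the message IDs, so that a run of "QM FSM error" entries is read for what it is. The log lines are the ones posted above; the reading that "QM" means Quick Mode (phase 2), and hence that phase 1 completed and the phase 2 proposal or proxy IDs were rejected, is this example's own assumption and is labelled as such in the code.

```python
# Added example (not from the thread): parse the posted ASA IKEv1 debug lines and bucket
# them by negotiation stage so repeated failures stand out as phase 2 rather than phase 1.
import re
from collections import Counter, defaultdict

# Log lines copied from the post (peer address as posted).
SAMPLE_LOG = """\
Jun 25 00:34:30 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Jun 25 00:34:30 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: Lost Service
Jun 25 00:35:05 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, QM FSM error (P2 struct &0x00007fff33991e00, mess id 0x80aabb23)!
Jun 25 00:35:05 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Jun 25 00:35:05 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: Lost Service
Jun 25 00:35:40 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, QM FSM error (P2 struct &0x00007fff33991e00, mess id 0xd060fea0)!
Jun 25 00:35:40 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Jun 25 00:35:40 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: Lost Service
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[(?P<proto>IKEv[12])\]Group = (?P<group>\S+), IP = (?P<ip>\S+), (?P<msg>.*)$")
MSG_ID_RE = re.compile(r"mess id (0x[0-9a-fA-F]+)")

# First matching prefix wins. Assumed reading: "QM" is Quick Mode, so a QM FSM error means
# phase 1 completed and the phase 2 proposal (proxy IDs / transform set / PFS) was rejected.
STAGES = [
    ("QM FSM error", "phase2_failed"),
    ("Removing peer from correlator table", "teardown"),
    ("Session is being torn down", "teardown"),
]

def parse_line(line):
    """Split one debug line into fields; return None for lines that are not IKE debug entries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["stage"] = next((s for prefix, s in STAGES if rec["msg"].startswith(prefix)), "other")
    mid = MSG_ID_RE.search(rec["msg"])
    rec["mess_id"] = mid.group(1) if mid else None
    return rec

def summarize(log_text):
    """Per peer: entry count per stage, the phase 2 message IDs seen, and a one-line verdict."""
    per_peer = defaultdict(lambda: {"stages": Counter(), "mess_ids": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        peer = per_peer[rec["ip"]]
        peer["stages"][rec["stage"]] += 1
        if rec["stage"] == "phase2_failed" and rec["mess_id"]:
            peer["mess_ids"].append(rec["mess_id"])
    for peer in per_peer.values():
        n = peer["stages"]["phase2_failed"]
        peer["verdict"] = (f"phase 1 OK, phase 2 rejected {n} times: compare proxy IDs and transform set with the peer"
                           if n else "no Quick Mode failures seen")
    return dict(per_peer)

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, dict(info["stages"]), info["mess_ids"], info["verdict"])
```

Each new message ID is a fresh Quick Mode attempt, so two distinct IDs about 35 seconds apart means the peer keeps retrying phase 2 and failing the same way; the lines to compare on both ends are then the crypto ACL against the Juniper's proxy IDs and the transform set against the Juniper's phase 2 proposal, not the pre-shared key or the IKE policy.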