06-20-2014 08:46 AM
I am stumped and hoping someone can help me. I have created a VPN tunnel that should work to connect to a Juniper firewall for a VPN connection. Can someone look over this VPN config and let me know if I have something wrong? Not sure if my static NAT is the problem. I have my inside address with a static NAT for the tunnel and the remote address with a static NAT also. I have seen hit counters on my ACL for trying to ping over, but the Juniper is not seeing any of my traffic.
HQ
-NAME- -REAL IN- -NAT TO FOR OUT-
SERVER01 10.30.3.210 172.21.20.210
SERVER01 10.30.3.211 172.21.20.211
REMOTE
-NAME- -REAL OUT- -MY NAT FOR OUT-
SERVER01 172.140.27.97 172.129.10.5
SERVER02 172.140.27.98 172.129.10.6
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key P@SSW)RD01
exit
crypto ikev1 policy 210
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
exit
object-group network INSIDE-SRVS-REAL
network-object host 10.30.3.210
network-object host 10.30.3.211
object-group network INSIDE-SRVS-NAT
network-object host 172.21.20.210
network-object host 172.21.20.211
object-group network REMOTE-SRVS-REAL
network-object host 172.140.27.97
network-object host 172.140.27.98
object-group network REMOTE-SRVS-NAT
network-object host 172.129.10.5
network-object host 172.129.10.6
access-list vpnl2l-CMAP-210 extended permit icmp object-group INSIDE-SRVS-NAT object-group REMOTE-SRVS-REAL
access-list vpnl2l-CMAP-210 extended permit tcp object-group INSIDE-SRVS-NAT object-group REMOTE-SRVS-REAL
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE-CMAP 210 match address vpnl2l-CMAP-210
crypto map OUTSIDE-CMAP 210 set peer 1.1.1.1
crypto map OUTSIDE-CMAP 210 set ikev1 transform-set ESP-3DES-SHA
crypto map OUTSIDE-CMAP 210 set security-association lifetime seconds 28800
object network INSIDE-SERVER01-INREAL
host 10.30.3.210
object network INSIDE-SERVER01-INMAPPED
host 172.21.20.210
object network INSIDE-SERVER02-INREAL
host 10.30.3.211
object network INSIDE-SERVER-2-INMAPPED
host 172.21.20.211
object network REMOTE-SERVER01-NAT-OUTREAL
host 172.140.27.97
object network REMOTE-SERVER01-NAT-OUTMAPPED
host 172.129.10.5
object network REMOTE-SERVER02-NAT-OUTREAL
host 172.140.27.98
object network REMOTE-SERVER02-NAT-OUTMAPPED
host 172.129.10.6
nat (INSIDE,OUTSIDE) source static INSIDE-SERVER01-INREAL INSIDE-SERVER01-INMAPPED destination static REMOTE-SERVER01-NAT-OUTMAPPED REMOTE-SERVER01-NAT-OUTREAL
nat (INSIDE,OUTSIDE) source static INSIDE-SERVER02-INREAL INSIDE-SERVER-2-INMAPPED destination static REMOTE-SERVER02-NAT-OUTMAPPED REMOTE-SERVER02-NAT-OUTREAL
06-20-2014 10:10 AM
Hi,
I am pretty confused by your statements. How are you planning to do L2L.... Why do you want to do NAT with the real server and NAT IP for the remote infrastructure.... You have to do NAT on your ASA end..... Why do you do NAT for the remote real server & NAT IP?
Either you can make the rule set for the real IP or the NAT IP....
Please clarify the same for me so that we can do something to solve this issue.
HTH
Regards
Karthik
06-20-2014 11:37 AM
What I am trying to accomplish is having 2 network addresses for the L2L VPN tunnel. The outside vendors usually supply me with their address, which is something that I am using on my network. So if I static NAT their address to the 172.129.10.0/24 network scope, for example, I can just map their address to 172.129.10.5 and point my servers to 172.129.10.5 to get to 172.140.27.97, which is their IP address.
I want to set up a static NAT on the inside to an address because in the coming months I will be changing the IP scheme of the inside network. If I static NAT my inside address, then I can give the vendor the static mapped IP address, and when the conversion begins I can just change the firewall inside real address and the vendor does not have to change their rules.
The basic answer is for convenience. We are updating the network with new network equipment and making a lot of changes because of network growth.
Does the tunnel configuration look right?
06-20-2014 08:18 PM
Hi Joshua,
With respect to your VPN configurations below are the additional changes required.
crypto map OUTSIDE-CMAP interface <outside>
crypto ikev1 enable outside
and for the NAT, by looking at your crypto ACL.... You are passing the traffic for the inside NATed IP to the remote side real IP. If you do NAT on the inside servers alone, it would give you the desired result. No need for the remote servers to NAT.....
HTH
Regards
Karthik
06-23-2014 06:28 AM
I need to NAT the remote servers because on the other side of the network we are using that IP address scheme, so I need to have it NATted. Also, I am NATing the inside because that inside network IP address will be changing soon. This way I don't have to contact everyone with a tunnel to the network to make changes.
Do I have the NAT right for static NAT to the remote network, or do I need to do it differently, since the VPN IKE phases are correct?
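To reason about the NAT question above, here is an added Python model of the posted object, NAT and crypto-ACL lines (example code, not from the thread or from Cisco). It assumes the ASA evaluates manual NAT rules first-match top-down and compares the crypto map ACL against the addresses after translation, which is why the posted ACL names the inside mapped addresses and the remote real addresses. check_flow takes a few constructed (source, destination, protocol) flows and reports how each is translated and whether the crypto ACL would select it for the tunnel.

```python
"""Model of how ASA twice-NAT rules and a crypto-map ACL interact.

Added example, not from the thread or from Cisco. The object, NAT and
access-list lines are copied from the posted configuration; the evaluation
model (manual NAT first-match top-down, crypto ACL compared against the
post-NAT addresses of an INSIDE->OUTSIDE packet) is this example's assumption.
"""
import re

# object network <name> / host <ip> pairs from the posted config
OBJECTS = {
    "INSIDE-SERVER01-INREAL": "10.30.3.210",
    "INSIDE-SERVER01-INMAPPED": "172.21.20.210",
    "INSIDE-SERVER02-INREAL": "10.30.3.211",
    "INSIDE-SERVER-2-INMAPPED": "172.21.20.211",
    "REMOTE-SERVER01-NAT-OUTREAL": "172.140.27.97",
    "REMOTE-SERVER01-NAT-OUTMAPPED": "172.129.10.5",
    "REMOTE-SERVER02-NAT-OUTREAL": "172.140.27.98",
    "REMOTE-SERVER02-NAT-OUTMAPPED": "172.129.10.6",
}

# object-group network <name> with its network-object host members
OBJECT_GROUPS = {
    "INSIDE-SRVS-REAL": ["10.30.3.210", "10.30.3.211"],
    "INSIDE-SRVS-NAT": ["172.21.20.210", "172.21.20.211"],
    "REMOTE-SRVS-REAL": ["172.140.27.97", "172.140.27.98"],
    "REMOTE-SRVS-NAT": ["172.129.10.5", "172.129.10.6"],
}

NAT_RULES = [
    "nat (INSIDE,OUTSIDE) source static INSIDE-SERVER01-INREAL INSIDE-SERVER01-INMAPPED "
    "destination static REMOTE-SERVER01-NAT-OUTMAPPED REMOTE-SERVER01-NAT-OUTREAL",
    "nat (INSIDE,OUTSIDE) source static INSIDE-SERVER02-INREAL INSIDE-SERVER-2-INMAPPED "
    "destination static REMOTE-SERVER02-NAT-OUTMAPPED REMOTE-SERVER02-NAT-OUTREAL",
]

CRYPTO_ACL = [
    "access-list vpnl2l-CMAP-210 extended permit icmp object-group INSIDE-SRVS-NAT object-group REMOTE-SRVS-REAL",
    "access-list vpnl2l-CMAP-210 extended permit tcp object-group INSIDE-SRVS-NAT object-group REMOTE-SRVS-REAL",
]

NAT_RE = re.compile(
    r"nat \((?P<ingress>[^,]+),(?P<egress>[^)]+)\) source static (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r" destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+)$"
)
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+)"
    r" object-group (?P<src>\S+) object-group (?P<dst>\S+)$"
)


def resolve(name):
    """Host addresses behind an object or object-group name, in definition order."""
    if name in OBJECTS:
        return [OBJECTS[name]]
    return OBJECT_GROUPS[name]


def translate(src, dst, rules=NAT_RULES):
    """Apply the first matching manual NAT rule to an INSIDE->OUTSIDE packet.

    In 'source static A B destination static C D', A->B rewrites the source and
    C->D rewrites the destination: the inside host addresses the remote server
    by its mapped IP (C) and the ASA rewrites it to the real IP (D) before the
    crypto map sees the packet. Returns (src, dst, rule_index); rule_index is
    None when no rule matched and the packet leaves untranslated.
    """
    for index, line in enumerate(rules):
        m = NAT_RE.match(line)
        if m is None:
            raise ValueError("unparsed NAT line: " + line)
        src_real, dst_mapped = resolve(m["src_real"]), resolve(m["dst_mapped"])
        if src in src_real and dst in dst_mapped:
            # static 1:1 translation: the n-th real host maps to the n-th mapped host
            new_src = resolve(m["src_mapped"])[src_real.index(src)]
            new_dst = resolve(m["dst_real"])[dst_mapped.index(dst)]
            return new_src, new_dst, index
    return src, dst, None


def crypto_acl_permits(src, dst, proto, acl=CRYPTO_ACL):
    """First-match evaluation of the crypto ACL; True means 'send through the tunnel'."""
    for line in acl:
        m = ACL_RE.match(line)
        if m is None:
            raise ValueError("unparsed ACL line: " + line)
        if m["proto"] in ("ip", proto) and src in resolve(m["src"]) and dst in resolve(m["dst"]):
            return m["action"] == "permit"
    return False


def check_flow(src, dst, proto):
    """Translate a flow, then test the translated addresses against the crypto ACL."""
    new_src, new_dst, rule = translate(src, dst)
    return {
        "translated": (new_src, new_dst),
        "nat_rule": rule,
        "encrypted": crypto_acl_permits(new_src, new_dst, proto),
    }


if __name__ == "__main__":
    for flow in [
        ("10.30.3.210", "172.129.10.5", "icmp"),  # SERVER01 pinging the vendor's first host
        ("10.30.3.211", "172.129.10.6", "tcp"),   # SERVER02 to the vendor's second host
        ("10.30.3.210", "172.129.10.6", "icmp"),  # SERVER01 to the second host: no NAT line pairs them
        ("10.30.3.210", "172.129.10.5", "udp"),   # protocol the crypto ACL does not list
    ]:
        print(flow, "->", check_flow(*flow))
```

Two things the run makes visible: a flow only reaches the tunnel when both a NAT rule and a crypto ACL entry cover its post-translation addresses, and because each posted NAT line pairs one inside server with one remote server, a flow from SERVER01 to the second remote host matches no NAT rule in this model (nat_rule is None) and is then not selected by the crypto ACL either; UDP is not listed in the crypto ACL at all.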
06-25-2014 05:40 AM
I am running:
debug crypto ipsec
debug crypto isakmp
debug crypto ikev1
I am getting the following messages:
Jun 25 00:34:30 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Jun 25 00:34:30 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: Lost Service
Jun 25 00:35:05 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, QM FSM error (P2 struct &0x00007fff33991e00, mess id 0x80aabb23)!
Jun 25 00:35:05 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Jun 25 00:35:05 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: Lost Service
Jun 25 00:35:40 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, QM FSM error (P2 struct &0x00007fff33991e00, mess id 0xd060fea0)!
Jun 25 00:35:40 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Jun 25 00:35:40 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: Lost Service
Does this help at all? I have been trying to look up the errors on Google with no luck.
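The debug lines above, run through a small parser as an added example (not from the thread or from Cisco): it groups the messages into negotiation attempts by timestamp, counts the "QM FSM error" lines (the IKEv1 Phase 2, quick mode, failure) and measures the retry cadence, which is the shape of evidence to line up against the peer's logs when checking that both sides agree on Phase 2 proxy IDs and transform sets. The log grammar and event classes are assumptions derived only from the lines shown.

```python
"""Summarise the repeating IKEv1 failure pattern in ASA 'debug crypto' output.

Added example, not from the thread. SAMPLE is the debug output posted above,
used here as constructed test input; the line grammar and event classes are
this example's assumptions about the log format, based only on those lines.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE = """\
Jun 25 00:34:30 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Jun 25 00:34:30 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: Lost Service
Jun 25 00:35:05 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, QM FSM error (P2 struct &0x00007fff33991e00, mess id 0x80aabb23)!
Jun 25 00:35:05 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Jun 25 00:35:05 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: Lost Service
Jun 25 00:35:40 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, QM FSM error (P2 struct &0x00007fff33991e00, mess id 0xd060fea0)!
Jun 25 00:35:40 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Jun 25 00:35:40 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: Lost Service
"""

# "<Mon> <day> <hh:mm:ss> [<process>]Group = <g>, IP = <peer>, <message>"
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \[(?P<proc>[^\]]+)\]"
    r"(?:Group = (?P<group>[^,]+), )?(?:IP = (?P<ip>[^,]+), )?(?P<msg>.*)$"
)

# Message classes seen in the sample; 'QM FSM error' is the Phase 2 (quick mode) failure.
CLASSES = [
    ("qm_fsm_error", re.compile(r"QM FSM error .*mess id (?P<mess_id>0x[0-9a-f]+)")),
    ("correlator_no_match", re.compile(r"Removing peer from correlator table failed")),
    ("torn_down", re.compile(r"Session is being torn down\. Reason: (?P<reason>.+)")),
]


def parse(text):
    """Turn debug lines into dicts with a timestamp, peer IP, class and message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # debug output is interleaved with other console text; skip it
        event = {
            "time": datetime.strptime(m["stamp"], "%b %d %H:%M:%S"),  # the log carries no year
            "peer": m["ip"],
            "msg": m["msg"],
            "class": "other",
        }
        for name, pattern in CLASSES:
            cm = pattern.search(m["msg"])
            if cm:
                event["class"] = name
                event.update(cm.groupdict())  # mess_id or reason, when captured
                break
        events.append(event)
    return events


def summarize(events):
    """Group events by timestamp into negotiation attempts and measure the retry cadence."""
    counts = Counter(e["class"] for e in events)
    stamps = sorted({e["time"] for e in events})
    intervals = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    failed = {e["time"] for e in events if e["class"] == "qm_fsm_error"}
    return {
        "peers": sorted({e["peer"] for e in events if e["peer"]}),
        "counts": dict(counts),
        "attempts": len(stamps),
        "phase2_failures": len(failed),
        "retry_intervals_s": intervals,
        "mess_ids": [e["mess_id"] for e in events if e["class"] == "qm_fsm_error"],
    }


if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```

The sample resolves to three attempts against one peer, 35 seconds apart, with a fresh quick-mode message ID on each Phase 2 failure and the same teardown reason every time; a steady pattern like this, rather than intermittent drops, points at a configuration disagreement to be resolved by comparing the two peers' Phase 2 parameters rather than at a transport problem.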