vpn nat issue.

WStoffel1
Level 1

Trying to track down what happened.  I had the remote end bring up the tunnel, as they can ping resources on my side.  I'm unable to ping 10.90.238.148 through this tunnel.  I used to be able to before the K_Inc interface was added.  The network behind that interface is 10/8.

I posed a question earlier in another post and was advised to Set Reverse-route in the crypto.  And that did it.  I was able to ping 10.90.238.148 from 192.168.141.10, with the below config.

I'm at a loss for why I suddenly can't.  A little background: the routes included below haven't changed.  Adding the set reverse-route command to the crypto map gave me a static entry for the 10.90.238.0 network, which is what fixed it initially, so I don't think it's a route problem.  The remote end had an overlap with 192.168.141.0/24, which is why my side is natted to 10.40.27.0.  None of the NATs have changed, so if adding the reverse route worked for a day, it should still be working.  Any thoughts?

interface GigabitEthernet0/3.10
 vlan 10
 nameif K_Inc
 security-level 100
 ip address 192.168.10.254 255.255.255.0
interface GigabitEthernet0/3.141
 vlan 141
 nameif cold
 security-level 100
 ip address 192.168.141.254 255.255.255.0

nat (cold) 0 access-list nonat
nat (cold) 1 192.168.141.0 255.255.255.0

access-list CSVPNOFFSITE extended permit ip 192.168.141.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list CSVPNOFFSITE extended permit ip 10.40.27.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list CSVPNNAT extended permit ip 192.168.141.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list nonat extended permit ip 10.40.27.0 255.255.255.0 10.90.238.0 255.255.255.0

static (cold,outside) 10.40.27.0 access-list CSVPNNAT

crypto map Outside_map 5 match address CSVPNOFFSITE
crypto map Outside_map 5 set reverse-route
crypto map Outside_map 5 set pfs
crypto map Outside_map 5 set peer 20.x.x.3
crypto map Outside_map 5 set transform-set ESP-3DES-MD5
crypto map Outside_map 5 set security-association lifetime seconds 28800
crypto map Outside_map 5 set security-association lifetime kilobytes 4608000

tunnel-group 20.x.x.3 type ipsec-l2l
tunnel-group 20.x.x.3 ipsec-attributes
 pre-shared-key *

route outside 0.0.0.0 0.0.0.0 7.x.x.1 1
route K_Inc 10.0.0.0 255.192.0.0 192.168.10.252 1
route K_Inc 10.64.0.0 255.224.0.0 192.168.10.252 1
route K_Inc 10.100.100.0 255.255.255.0 192.168.10.252 1
route K_Inc 10.128.0.0 255.128.0.0 192.168.10.252 1

Tunnel is up:

14  IKE Peer: 20.x.x.243
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

EDIT:

I just noticed that when I run packet-tracer I don't get a VPN or encrypt phase:

packet-tracer input cold tcp 192.168.141.10 80 10.90.238.148 80 det

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.90.238.0     255.255.255.0   outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad048d08, priority=0, domain=permit-ip-option, deny=true
        hits=2954624, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xb2ed4b80, priority=72, domain=qos-per-class, deny=false
        hits=2954687, user_data=0xb2ed49d8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad090180, priority=20, domain=lu, deny=false
        hits=618776, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (ColdSpring,outside) 74.x.x.50 192.168.141.10 netmask 255.255.255.255
  match ip ColdSpring host 192.168.141.10 outside any
    static translation to 74.x.x.50
    translate_hits = 610710, untranslate_hits = 188039
Additional Information:
Static translate 192.168.141.10/0 to 74.112.122.50/0 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in  id=0xac541e50, priority=5, domain=nat, deny=false
        hits=610742, user_data=0xac541c08, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.141.10, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (ColdSpring,dmz) 192.168.141.0 192.168.141.0 netmask 255.255.255.0
  match ip ColdSpring 192.168.141.0 255.255.255.0 dmz any
    static translation to 192.168.141.0
    translate_hits = 4194, untranslate_hits = 20032
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xace2c1a0, priority=5, domain=host, deny=false
        hits=2954683, user_data=0xace2ce68, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.141.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xaacbcb90, priority=0, domain=permit-ip-option, deny=true
        hits=282827537, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xb2ed5c78, priority=72, domain=qos-per-class, deny=false
        hits=4749562, user_data=0xb2ed5ad0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 339487904, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 11
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 7.x.x.1 using egress ifc outside
adjacency Active
next-hop mac address 0007.b400.1402 hits 51982146

Result:
input-interface: Cold
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


WStoffel1
Level 1

One more edit: when I run packet-tracer using my natted address as the source, I get the expected result.  Makes me think I have a NAT problem I'm not seeing:

packet-tracer input cold tcp 10.40.27.10 80 10.90.238.148 8443

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.90.238.0     255.255.255.0   outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip Cold 10.40.27.0 255.255.255.0 outside 10.90.238.0 255.255.255.0
    NAT exempt
    translate_hits = 4, untranslate_hits = 0
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 339954332, packet dispatched to next module

Result:
input-interface: Cold
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

So in this one, the flow is created in phase 11 and the packet is allowed.  In the previous one, the packet is still allowed, but the difference after the flow creation is that it's hitting my next-hop router, which it shouldn't.  This is telling me that in the first capture I'm being sent out my default gateway instead of the tunnel.  I just can't see why.

Any help is appreciated.  Thank you!
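The comparison the poster makes by eye above (first trace: NAT then a route lookup to the next hop, no VPN phase; second trace: NAT-EXEMPT then VPN encrypt) can be done mechanically. The parser below is an added example, not from the thread or from Cisco: it splits ASA packet-tracer output into phases and reports whether a VPN encrypt phase occurred, which static translation applied, and which next hop the packet would leave on. The two traces embedded in it are constructed, abbreviated copies of the poster's output with the same sanitized addresses.

```python
"""Parse ASA packet-tracer output and flag flows that miss the VPN encrypt phase.

Added example, not ASA or thread code. The two embedded traces are constructed,
abbreviated copies of the poster's output (same sanitized 7.x.x.* addresses).
"""
import re

# Constructed sample: the poster's first trace, where NAT picked a host static
# and the packet went to the default gateway instead of the tunnel.
TRACE_NO_VPN = """\
packet-tracer input cold tcp 192.168.141.10 80 10.90.238.148 80 det

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in   10.90.238.0     255.255.255.0   outside

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (ColdSpring,outside) 7.x.x.50 192.168.141.10 netmask 255.255.255.255
Additional Information:
Static translate 192.168.141.10/0 to 7.x.x.50/0 using netmask 255.255.255.255

Phase: 11
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Additional Information:
found next-hop 7.x.x.1 using egress ifc outside

Result:
input-interface: Cold
output-interface: outside
Action: allow
"""

# Constructed sample: the poster's second trace, sourced from the natted address.
TRACE_VPN = """\
packet-tracer input cold tcp 10.40.27.10 80 10.90.238.148 8443

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip Cold 10.40.27.0 255.255.255.0 outside 10.90.238.0 255.255.255.0
    NAT exempt

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW

Result:
input-interface: Cold
output-interface: outside
Action: allow
"""


def parse_phases(text):
    """Return one dict per 'Phase: N' block with its Type, Subtype and Result."""
    phases = []
    for block in re.split(r"(?m)^Phase:\s*", text)[1:]:
        head, _, body = block.partition("\n")
        fields = {}
        for key, val in re.findall(r"(?m)^(Type|Subtype|Result):[ \t]*(.*)$", body):
            fields.setdefault(key, val.strip())  # keep the phase's own Result, not the trailer
        phases.append({"num": int(head.strip()), "type": fields.get("Type", ""),
                       "subtype": fields.get("Subtype", ""), "result": fields.get("Result", "")})
    return phases


def diagnose(text):
    """Summarise a trace: did it hit VPN encrypt, which NAT applied, where did it exit."""
    phases = parse_phases(text)
    vpn = any(p["type"] == "VPN" and p["subtype"] == "encrypt" for p in phases)
    nat = re.search(r"Static translate (\S+)/\d+ to (\S+)/\d+", text)
    hop = re.search(r"found next-hop (\S+) using egress ifc (\S+)", text)
    return {
        "phase_types": [p["type"] for p in phases],
        "vpn_encrypt": vpn,
        "nat_exempt": any(p["type"] == "NAT-EXEMPT" for p in phases),
        "static_translation": nat.groups() if nat else None,
        "next_hop": hop.groups() if hop else None,
        "verdict": "encrypted into the tunnel" if vpn else "sent in the clear to the next hop",
    }


if __name__ == "__main__":
    for name, trace in (("192.168.141.10 source", TRACE_NO_VPN), ("10.40.27.10 source", TRACE_VPN)):
        print(name, diagnose(trace))
```

Run against the first trace it reports the host static (192.168.141.10 to 7.x.x.50) and a next hop of 7.x.x.1 on outside with no encrypt phase; against the second it reports NAT exemption and the VPN encrypt phase. Feeding every crypto-ACL source/destination pair through packet-tracer and this check is a quick way to confirm a tunnel's NAT and crypto map line up after a configuration change.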

So this question cannot be answered based on the info I gave, which I thought included everything needed.  It does not.  Due to the nature of my business I'm unable to always post the whole config, but here's what's missing, my static NATs:

static (ColdSpring,outside) 7.x.x.48 192.168.141.11 netmask 255.255.255.255
static (ColdSpring,outside) 7.x.x.50 192.168.141.10 netmask 255.255.255.255

When I packet-trace from 192.168.141.10-11, I'm not natted to the 10.40.27.0 addressing, and it's not sent over the tunnel.

Any other address on 192.168.141.x works as expected.

I need those 2 translations.  How do I exempt those internal addresses?

What version ASA are you running?

My initial guess is that your two static NATs are configured above the policy NAT you have configured for the VPN?  If this is the case, move your policy NAT above those static NATs and you should see the traffic start to flow correctly.

--

Please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts
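The ordering rule behind this answer can be checked with a small model. The following is an added example, not ASA code and not from anyone in the thread: it models first-match evaluation of `static` rules in configuration order (NAT exemption checked first), then evaluates the crypto map ACL against the post-NAT source, which is the order the two packet-tracer outputs above show. The ACLs and the policy static come from the poster's config; the public addresses 203.0.113.48 and 203.0.113.50 are constructed stand-ins for the sanitized 7.x.x.48 and 7.x.x.50 host statics.

```python
"""First-match static NAT ordering on a pre-8.3 ASA versus the crypto-map ACL.

Added example (not ASA code, not from the thread). It models the ordering rule
the accepted answer relies on. 203.0.113.48 / 203.0.113.50 are constructed
stand-ins for the sanitized 7.x.x.48 / 7.x.x.50 host statics on the page.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


@dataclass(frozen=True)
class StaticNat:
    """One `static (cold,outside)` rule; a non-empty acl makes it a policy static."""
    real: IPv4Network
    mapped: IPv4Network
    acl: Tuple[AclEntry, ...] = ()

    def translate(self, src: IPv4Address, dst: IPv4Address) -> Optional[IPv4Address]:
        if src not in self.real:
            return None
        if self.acl and not any(e.matches(src, dst) for e in self.acl):
            return None
        # A network static keeps the host part: 192.168.141.10 -> 10.40.27.10
        offset = int(src) - int(self.real.network_address)
        return IPv4Address(int(self.mapped.network_address) + offset)


N = IPv4Network
REMOTE = N("10.90.238.0/24")
# crypto map Outside_map 5 match address CSVPNOFFSITE
CRYPTO_ACL = (AclEntry(N("192.168.141.0/24"), REMOTE), AclEntry(N("10.40.27.0/24"), REMOTE))
# nat (cold) 0 access-list nonat
NONAT_ACL = (AclEntry(N("10.40.27.0/24"), REMOTE),)
# static (cold,outside) 10.40.27.0 access-list CSVPNNAT
POLICY_STATIC = StaticNat(N("192.168.141.0/24"), N("10.40.27.0/24"),
                          acl=(AclEntry(N("192.168.141.0/24"), REMOTE),))
# The two host statics from the later post; public side is a constructed stand-in.
HOST_48 = StaticNat(N("192.168.141.11/32"), N("203.0.113.48/32"))
HOST_50 = StaticNat(N("192.168.141.10/32"), N("203.0.113.50/32"))

BROKEN_ORDER = (HOST_48, HOST_50, POLICY_STATIC)   # host statics listed first
FIXED_ORDER = (POLICY_STATIC, HOST_48, HOST_50)    # policy static moved above them


def egress(nat_order, src, dst):
    """Return (source after NAT, what the ASA does with the packet)."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    mapped = src
    if not any(e.matches(src, dst) for e in NONAT_ACL):   # nat 0 is checked first
        for rule in nat_order:                             # then statics, first match wins
            hit = rule.translate(src, dst)
            if hit is not None:
                mapped = hit
                break
    # The crypto map is matched against the post-NAT source address.
    if any(e.matches(mapped, dst) for e in CRYPTO_ACL):
        return str(mapped), "VPN encrypt"
    return str(mapped), "route to default gateway"


if __name__ == "__main__":
    for label, order in (("host statics first", BROKEN_ORDER), ("policy static first", FIXED_ORDER)):
        for src in ("192.168.141.10", "192.168.141.20"):
            print(f"{label}: {src} -> {egress(order, src, '10.90.238.148')}")
```

With the host statics first, 192.168.141.10 is translated to its public address, misses CSVPNOFFSITE, and is routed to the default gateway, exactly what the first packet-tracer showed; any other 192.168.141.x host still reaches the policy static and is encrypted. With the policy static first, 192.168.141.10 becomes 10.40.27.10 for VPN traffic and keeps its public static for everything else, so both translations the poster needs survive.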

8.04

Nailed it!

static (ColdSpring,outside) 7.x.x.48 192.168.141.11 netmask 255.255.255.255
static (ColdSpring,outside) 7.x.x.50 192.168.141.10 netmask 255.255.255.255

When I packet-trace from 192.168.141.10-11, I'm not natted to the 10.40.27.0 addressing, and it's not sent over the tunnel.

Bro, in this bold line you mentioned 10.40.27.0, but that is for the whole network, but here you will translate to something
7.X.X.48 ... so it will translate to that address, and
yes, you didn't use the GLOBAL(outside) command for NAT in your earlier config .... but that is important if you are using a RANGE of NAT/PAT, not for static NAT.

Bye,