VPN NAT Problem (Traffic between Internal and VPN fail)

kharvey
Level 1

I have been fighting this for a couple of days now, and I just have not been able to figure it out.  I am pretty sure that it is a NAT problem, but I'm lost at this point.

I have an internal network (172.23.45.x) and a VPN network (172.23.46.x) and I cannot get traffic to flow between the two.  I was able to get NAT working so far that I no longer show errors in the logs about a Reverse Path Failure or a Failed to locate Egress traffic, but I still cannot get the two networks to communicate.

Here is my latest config:

Result of the command: "sh run"

: Saved
:
ASA Version 9.0(3)
!
hostname Gustapo
domain-name default.domain.invalid
enable password xxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxx encrypted
names
ip local pool ScopeDHCP 172.23.46.200-172.23.46.205 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif ExtNet
 security-level 1
 ip address dhcp setroute
!
interface Vlan3
 nameif IntNet
 security-level 100
 ip address 172.23.45.253 255.255.255.0
!
boot system disk0:/asa903-k8.bin
ftp mode passive
dns domain-lookup ExtNet
dns domain-lookup IntNet
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network IntIP
 subnet 172.23.45.0 255.255.255.0
 description Internal Network
object network VPNIP
 subnet 172.23.46.0 255.255.255.0
 description VPN Connection
access-list ExtNet_access_in extended permit icmp any4 any4
access-list ExtNet_access_in remark Deny all incoming traffic
access-list ExtNet_access_in extended deny ip any4 any4
access-list IntNet_access_in remark Block PS3 traffic to the Internet
access-list IntNet_access_in extended deny ip host 172.23.45.3 any4
access-list IntNet_access_in extended permit ip any4 any4
access-list nonatacl extended permit ip 172.23.46.0 255.255.255.0 172.23.45.0 255.255.255.0
access-list nonatacl extended permit ip 172.23.45.0 255.255.255.0 172.23.46.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu ExtNet 1500
mtu IntNet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (IntNet,ExtNet) source dynamic any interface
nat (ExtNet,ExtNet) source dynamic VPNIP interface
nat (IntNet,any) source static IntIP IntIP destination static VPNIP VPNIP no-proxy-arp
access-group ExtNet_access_in in interface ExtNet
access-group IntNet_access_in in interface IntNet
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 444
http 172.23.45.0 255.255.255.0 IntNet
http redirect IntNet 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 172.23.45.0 255.255.255.0 IntNet
ssh timeout 5
console timeout 0

dhcpd auto_config ExtNet
!
dhcpd address 172.23.45.35-172.23.45.50 IntNet
dhcpd dns 208.67.222.222 208.67.220.220 interface IntNet
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable ExtNet
 enable IntNet
 anyconnect image disk0:/anyconnect-linux-3.1.05178-k9.pkg 1
 anyconnect enable
group-policy DfltGrpPolicy attributes
 dns-server value 208.67.222.222 208.67.220.220
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 default-domain value default.domain.invalid
 address-pools value ScopeDHCP
group-policy AnyConnectAccessPolicy internal
group-policy AnyConnectAccessPolicy attributes
 wins-server none
 dns-server value 208.67.222.222 208.67.220.220
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 default-domain value default.domain.invalid
 address-pools value ScopeDHCP
 
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

I am using the following to allow my traffic to route from the VPN to the Internet, but I am not sure I should need it if I get NAT working properly.

nat (ExtNet,ExtNet) source dynamic VPNIP interface

 

I'm not done configuring everything yet, but I would like to get the VPN tunnel up and running.

Any advice or suggestions?  I'm pretty much out of ideas.

4 Replies

Hi ,

Apply the commands below; it should work for you.

no nat (ExtNet,ExtNet) source dynamic VPNIP interface
no nat (IntNet,any) source static IntIP IntIP destination static VPNIP VPNIP no-proxy-arp

nat (IntNet,ExtNet) source static IntIP IntIP destination static VPNIP VPNIP

 

HTH

Sandy

I inactivated the two old NAT commands and added your NAT command, but it still did not work.  I am still unable to connect from my VPN to internal services (ping or SSH).  I am also unable to ping from my internal network to my VPN.

 

Here is my running config now:

Result of the command: "sh run"

: Saved
:
ASA Version 9.0(3)
!
hostname Gustapo
domain-name default.domain.invalid
enable password xxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxxx encrypted
names
ip local pool ScopeDHCP 172.23.46.200-172.23.46.205 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif ExtNet
 security-level 1
 ip address dhcp setroute
!
interface Vlan3
 nameif IntNet
 security-level 100
 ip address 172.23.45.253 255.255.255.0
!
boot system disk0:/asa903-k8.bin
ftp mode passive
dns domain-lookup ExtNet
dns domain-lookup IntNet
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network IntIP
 subnet 172.23.45.0 255.255.255.0
 description Internal Network
object network VPNIP
 subnet 172.23.46.0 255.255.255.0
 description VPN Connection
access-list ExtNet_access_in extended permit icmp any4 any4
access-list ExtNet_access_in remark Deny all incoming traffic
access-list ExtNet_access_in extended deny ip any4 any4
access-list IntNet_access_in remark Block PS3 traffic to the Internet
access-list IntNet_access_in extended deny ip host 172.23.45.3 any4
access-list IntNet_access_in extended permit ip any4 any4
access-list nonatacl extended permit ip 172.23.46.0 255.255.255.0 172.23.45.0 255.255.255.0
access-list nonatacl extended permit ip 172.23.45.0 255.255.255.0 172.23.46.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu ExtNet 1500
mtu IntNet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (IntNet,ExtNet) source dynamic any interface
nat (ExtNet,ExtNet) source dynamic VPNIP interface inactive
nat (IntNet,any) source static IntIP IntIP destination static VPNIP VPNIP no-proxy-arp inactive
nat (IntNet,ExtNet) source static IntIP IntIP destination static VPNIP VPNIP
access-group ExtNet_access_in in interface ExtNet
access-group IntNet_access_in in interface IntNet
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 444
http 172.23.45.0 255.255.255.0 IntNet
http redirect IntNet 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 172.23.45.0 255.255.255.0 IntNet
ssh timeout 5
console timeout 0

dhcpd auto_config ExtNet
!
dhcpd address 172.23.45.35-172.23.45.50 IntNet
dhcpd dns 208.67.222.222 208.67.220.220 interface IntNet
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable ExtNet
 enable IntNet
 anyconnect image disk0:/anyconnect-linux-3.1.05178-k9.pkg 1
 anyconnect enable
group-policy DfltGrpPolicy attributes
 dns-server value 208.67.222.222 208.67.220.220
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 default-domain value default.domain.invalid
 address-pools value ScopeDHCP
group-policy AnyConnectAccessPolicy internal
group-policy AnyConnectAccessPolicy attributes
 wins-server none
 dns-server value 208.67.222.222 208.67.220.220
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 default-domain value default.domain.invalid
 address-pools value ScopeDHCP
tunnel-group DefaultRAGroup general-attributes
 address-pool ScopeDHCP
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool ScopeDHCP
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 default-group-policy AnyConnectAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2ecff6c94f746f7254aa4ed3e267758d
: end

 

Hi ,

Remove the following NAT statements:

no nat (ExtNet,ExtNet) source dynamic VPNIP interface
no nat (IntNet,any) source static IntIP IntIP destination static VPNIP VPNIP no-proxy-arp

The final NAT configuration should contain only these two statements:

nat (IntNet,ExtNet) source dynamic any interface  (PAT for the internal network)
nat (IntNet,ExtNet) source static IntIP IntIP destination static VPNIP VPNIP  (no NAT for the VPN subnet)

 

HTH

Sandy

 

Nope, still not working.  I even did a clear xlate after I changed the NAT.

Current NAT config:

Result of the command: "sh run nat"
 
nat (IntNet,ExtNet) source dynamic any interface
nat (IntNet,ExtNet) source static IntIP IntIP destination static VPNIP VPNIP
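An added example for this thread, not configuration posted by kharvey or Sandy: the complete NAT set that the first post (the ExtNet-to-ExtNet hairpin rule) and Sandy's replies (the identity NAT exemption) describe, written in the order the ASA has to evaluate it, followed by the checks that show which rule a packet actually hits. It reuses the thread's interface and object names (IntNet, ExtNet, IntIP, VPNIP, ScopeDHCP); the addresses 172.23.45.10 (an inside host) and 172.23.46.200 (the first address of the ScopeDHCP pool) are assumed for the test commands. The one point the example adds is rule order: manual (section 1) NAT rules on ASA 8.3 and later are matched top-down, first match wins, and in the `show run nat` output just above the dynamic PAT rule is listed first. A packet from 172.23.45.10 to 172.23.46.200 therefore matches `source dynamic any interface` (any source, any destination) and is PATed to the ExtNet address before the identity rule is ever consulted. Putting the exemption at line 1 avoids that.

```cisco
! Added example, not from the thread. Names come from the posted config; the two
! host addresses used in the checks are assumed.

! 1. NAT exemption between the inside LAN and the AnyConnect pool. The explicit
!    line number "1" places it at the top of section 1 so it is matched before the
!    dynamic PAT rule. no-proxy-arp stops the ASA answering ARP for the VPN pool on
!    IntNet; route-lookup (8.4(2) and later) lets the routing table choose the
!    egress interface instead of the interface pair named in the rule.
nat (IntNet,ExtNet) 1 source static IntIP IntIP destination static VPNIP VPNIP no-proxy-arp route-lookup

! 2. Dynamic PAT for the inside LAN, now evaluated after the exemption.
nat (IntNet,ExtNet) source dynamic any interface

! 3. Hairpin for tunnel-all clients reaching the Internet. Decrypted client packets
!    enter on ExtNet and must leave on ExtNet again, which needs intra-interface
!    traffic permitted plus a PAT rule whose real and mapped interface are both
!    ExtNet. This rule is for a different flow than the exemption and is kept.
same-security-traffic permit intra-interface
nat (ExtNet,ExtNet) source dynamic VPNIP interface

! Checks (run from the CLI, not pasted into the config).
! Per-rule translate_hits / untranslate_hits; a rule that stays at zero after a
! test ping is not being matched, usually because an earlier rule caught the flow.
show nat detail

! Decrypted VPN traffic bypasses the ExtNet_access_in ACL only while
! "sysopt connection permit-vpn" (the default, hidden from plain "show run") is set.
show running-config all sysopt

! Synthetic packet from an inside host to a VPN client: the output names the ACL,
! NAT and route phases and the rule chosen in each one.
packet-tracer input IntNet icmp 172.23.45.10 8 0 172.23.46.200 detailed

! Reverse direction. On 9.0 packet-tracer cannot flag the packet as decrypted VPN
! traffic, so expect the ExtNet ACL phase to show a drop that real decrypted
! traffic does not see; read the NAT and route phases only.
packet-tracer input ExtNet icmp 172.23.46.200 8 0 172.23.45.10 detailed

! Confirm the client really landed in AnyConnectAccessPolicy with a ScopeDHCP
! address, and watch the live translation and connection a client ping creates.
show vpn-sessiondb anyconnect
show xlate
show conn
```

If the first packet-tracer shows the NAT phase selecting the dynamic PAT rule rather than the identity rule, the ordering above is the fix; if it selects the identity rule and the flow still fails, the problem is past NAT (routing, the VPN session's group-policy, or the inside host itself) and the session and connection checks at the end are where to look next.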