VPN tunnel with NAT

Hello,

I was tasked with configuring a VPN tunnel to a vendor company. I’m using an ASA5510 (ver 8.2). The encrypted traffic should be allowed between 3 internal servers on my side (10.1.0.1, 10.1.7.4, 10.1.7.54) and 1 on the vendor side (74.x.x.x). The problem is that I need to NAT my 3 internal IP addresses for that VPN tunnel:

10.1.0.1 NAT'd to 172.17.5.115
10.1.7.4 NAT'd to 172.17.5.116
10.1.7.54 NAT'd to 172.17.5.117

I’ve done a similar configuration on a Cisco 3000 VPN concentrator, but never on an ASA… How can I make sure that the ASA will “know” that NAT is required just for certain VPN traffic? (i.e. on the Cisco concentrator, NAT rules are tunnel specific). I just want to make sure that creating NAT rules for the VPN tunnel will not mess up other traffic going in/out of the servers.

Here’s the chunk of config I want to test… Can you guys advise if this is any good?

Encrypted traffic ACL:

access-list outside_1_cryptomap extended permit ip host 172.17.5.115 74.x.x.x/32
access-list outside_1_cryptomap extended permit ip host 172.17.5.116 74.x.x.x/32
access-list outside_1_cryptomap extended permit ip host 172.17.5.117 74.x.x.x/32

Access list for the “static” command to match the VPN traffic for translation:

access-list policy-nat1 extended permit ip 10.1.0.1 255.255.255.0 172.17.5.115
access-list policy-nat2 extended permit ip 10.1.7.4 255.255.255.0 172.17.5.116
access-list policy-nat3 extended permit ip 10.1.7.54 255.255.255.0 172.17.5.117

Static commands:

static (inside,outside) 172.17.5.115 access-list policy-nat1
static (inside,outside) 172.17.5.116 access-list policy-nat2
static (inside,outside) 172.17.5.117 access-list policy-nat3

Accepted Solution: Re: VPN tunnel with NAT

You need to change the following

access-list policy-nat1 extended permit ip 10.1.0.1 255.255.255.0 172.17.5.115
access-list policy-nat2 extended permit ip 10.1.7.4 255.255.255.0 172.17.5.116
access-list policy-nat3 extended permit ip 10.1.7.54 255.255.255.0 172.17.5.117

to

access-list policy-nat1 extended permit ip host 10.1.0.1 host 74.x.x.x
access-list policy-nat2 extended permit ip host 10.1.7.4 host 74.x.x.x
access-list policy-nat3 extended permit ip host 10.1.7.54 host 74.x.x.x
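A small model of the ASA 8.2 order of operations behind this fix and the original question (policy NAT through static with access-list first, then the crypto map ACL evaluated on the translated address, which is why the poster's later debug shows Src=172.17.5.117 rather than 10.1.7.54). This is an added example, not config or code from the thread; 203.0.113.10 is a constructed stand-in for the vendor's 74.x.x.x, and the shortcut of keeping the real address when no policy-NAT entry matches is an assumption of the model (a real ASA would go on to its other nat/global rules).

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in (TEST-NET-3) for the vendor host shown as 74.x.x.x in the thread.
VENDOR = "203.0.113.10"


def ace(src, dst):
    """One 'permit ip <src> <dst>' entry, given as host or CIDR strings."""
    return (ip_network(src), ip_network(dst))


def acl_matches(acl, src, dst):
    return any(ip_address(src) in s and ip_address(dst) in d for s, d in acl)


def policy_nat(statics, src, dst):
    """static (inside,outside) <mapped> access-list <acl>: first matching entry wins."""
    for mapped, acl in statics:
        if acl_matches(acl, src, dst):
            return mapped
    return src  # assumption of this model: no policy-NAT hit keeps the real address


# Crypto map ACL from the question; it is compared against the *translated* 5-tuple.
CRYPTO_ACL = [ace(f"172.17.5.{h}/32", f"{VENDOR}/32") for h in (115, 116, 117)]

# As originally posted: a /24 source and the mapped address as the destination,
# so a packet for the vendor host never matches and is never translated.
BEFORE = [("172.17.5.115", [ace("10.1.0.0/24", "172.17.5.115/32")]),
          ("172.17.5.116", [ace("10.1.7.0/24", "172.17.5.116/32")]),
          ("172.17.5.117", [ace("10.1.7.0/24", "172.17.5.117/32")])]

# As the accepted answer prescribes: real inside host -> vendor host.
AFTER = [("172.17.5.115", [ace("10.1.0.1/32", f"{VENDOR}/32")]),
         ("172.17.5.116", [ace("10.1.7.4/32", f"{VENDOR}/32")]),
         ("172.17.5.117", [ace("10.1.7.54/32", f"{VENDOR}/32")])]


def outbound(statics, real_src, dst=VENDOR):
    """Return (source seen on the outside, matched-by-crypto-map?) for one inside->outside packet."""
    mapped = policy_nat(statics, real_src, dst)
    return mapped, acl_matches(CRYPTO_ACL, mapped, dst)


if __name__ == "__main__":
    for label, statics in (("before", BEFORE), ("after", AFTER)):
        for host in ("10.1.0.1", "10.1.7.4", "10.1.7.54"):
            print(label, host, "->", outbound(statics, host))
    # Traffic from the same server to any other destination is left untouched by the
    # policy NAT entries, which answers the question about not affecting other traffic.
    print("after, other destination ->", outbound(AFTER, "10.1.7.4", "198.51.100.5"))
```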

Re: VPN tunnel with NAT

Thank you, Yudong. I'm still trying to get this tunnel up and running, but to no avail. I'm getting the following debug crypto isakmp output:

Oct 06 09:07:34 [IKEv1]: Group = 74.x.x.x, IP = 74.84.223.4, Session is being torn down. Reason: User Requested
Oct 06 09:07:39 [IKEv1]: Group = 74.x.x.x, IP = 74.84.223.4, Removing peer from correlator table failed, no match!
Oct 06 09:07:39 [IKEv1]: Group = 74.x.x.x, IP = 74.84.223.4, Session is being torn down. Reason: User Requested
Oct 06 09:07:44 [IKEv1]: Group = 74.x.x.x, IP = 74.84.223.4, Removing peer from correlator table failed, no match!

Is this my crypto map ACL causing this?

access-list outside_1_cryptomap extended permit ip host 172.17.5.115 74.x.x.x/32
access-list outside_1_cryptomap extended permit ip host 172.17.5.116 74.x.x.x/32
access-list outside_1_cryptomap extended permit ip host 172.17.5.117 74.x.x.x/32

thanks

lukasz

PS: I just reviewed the log files and found the following error:

Group = 74.x.x.x, IP = 74.x.x.x Received non-routine Notify message: No proposal chosen (14)

and the result of debug crypto ipsec 25:

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=172.17.5.117:256, Dest=74.x.x.x:256
IPSEC(crypto_map_check)-5: Checking crypto map Out 1: skipping because 5-tuple does not match ACL ipsec.
IPSEC(crypto_map_check)-5: Checking crypto map Out 2: skipping because 5-tuple does not match ACL ipsec2.
IPSEC(crypto_map_check)-5: Checking crypto map Out 3: skipping because 5-tuple does not match ACL outside_3_cryptomap.
IPSEC(crypto_map_check)-5: Checking crypto map Out 4: skipping because 5-tuple does not match ACL outside_4_cryptomap.
IPSEC(crypto_map_check)-5: Checking crypto map Out 5: skipping because 5-tuple does not match ACL outside_5_cryptomap.
IPSEC(crypto_map_check)-3: Checking crypto map Out 6: matched.
IPSEC: New embryonic SA created @ 0xAD72DEC8,
    SCB: 0xAB9FB748,
    Direction: inbound
    SPI      : 0xAB6A05ED
    Session ID: 0x029DA000
    VPIF num  : 0x00000001
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds

Re: VPN tunnel with NAT

It looks like it did find a match:

IPSEC(crypto_map_check)-3: Checking crypto map Out 6: matched.

Could you please paste 1) the full configuration, 2) show crypto isa sa, and 3) show crypto ipsec sa

Re: VPN tunnel with NAT

Thank you again, Yudong. This issue has been resolved. It turned out that the vendor's engineer had mismatched encryption settings on his side. The tunnel came right up after he made the appropriate changes.
