ASA ikev2 VPN s-2-s (PKI) - part three
Today I would like to add NAT to the configuration presented in one of my previous posts, “ASA ikev2 VPN s-2-s (PKI) - part one”. Assume that the LAN networks have the same addresses on both sides:
    11.11.11.0/24              10.0.0.0/24               11.11.0.0/24
/----\ .11           .1 ------ .1           .2 ------ .1           .11 /----\
| R1 |------------------| ASA1 |---------------| ASA2 |------------------| R2 |
\----/                  ------      |.100      ------                    \----/
Loop0                            /----\                                  Loop0
11.11.12.12                      | R3 |                                  11.11.12.12
Loop1                            \----/                                  Loop1
11.11.13.13                    PKI SERVER                                11.11.13.13
This happens in practice, for example when two companies merge. For this post I simplify the design: instead of two whole overlapping subnets I have six hosts, three on each side, where every host has the same IP as its counterpart on the other side (represented here by loopback interfaces). I will implement NAT on ASA1 and ASA2 according to the diagram below:
11.11.11.11 <-----> 6.6.6.6                      2.2.2.2 <-----> 11.11.11.11
11.11.12.12 <-----> 7.7.7.7                      3.3.3.3 <-----> 11.11.12.12
11.11.13.13 <-----> 8.8.8.8                      4.4.4.4 <-----> 11.11.13.13
         NAT on ASA1                                NAT on ASA2
        ------------                                ------------
        |   ASA1   |--------------------------------|   ASA2   |
        ------------                                ------------
Now, when host 11.11.11.11 on the left wants to talk to 11.11.11.11 on the right (R1 -> R2), it has to use 2.2.2.2 as the destination IP, and ASA1 translates the source of the packet to 6.6.6.6. When traffic is initiated from right to left (R2 -> R1), R2 has to use 6.6.6.6 as the destination IP, and ASA2 translates the source to 2.2.2.2. Neither side ever sees the peer's real, overlapping address.
Let’s implement the first pair 11.11.11.11 (left) - 11.11.11.11 (right):
ASA1:
object-group network LEFT-11.11.11.11
network-object host 11.11.11.11
object-group network NAT-6.6.6.6
network-object host 6.6.6.6
nat (inside,outside) source static LEFT-11.11.11.11 NAT-6.6.6.6
We also have to change the crypto ACL on ASA1:
access-list VPN extended permit ip host 11.11.11.11 host 2.2.2.2
Now the same on ASA2:
object-group network RIGHT-11.11.11.11
network-object host 11.11.11.11
object-group network NAT-2.2.2.2
network-object host 2.2.2.2
nat (inside,outside) source static RIGHT-11.11.11.11 NAT-2.2.2.2
and the new ACL entry on ASA2:
access-list VPN extended permit ip host 11.11.11.11 host 6.6.6.6
While implementing NAT, do not forget about routing! R2 has to send traffic for the translated addresses to ASA2, and each ASA needs a route for the peer's translated hosts pointing at the outside interface:
R2:
r2(config)#ip route 0.0.0.0 0.0.0.0 11.11.11.1
r2(config)#no ip route 0.0.0.0 0.0.0.0 20.0.0.2
ASA1:
asa1(config)# no route outside 20.0.0.0 255.255.0.0 10.0.0.2 1
asa1(config)# route outside 2.2.2.2 255.255.255.255 10.0.0.2
ASA2:
asa2(config)# no route outside 11.11.0.0 255.255.0.0 10.0.0.1 1
asa2(config)# no route inside 20.0.0.0 255.255.0.0 20.0.0.1 1
asa2(config)#
asa2(config)# route inside 11.11.0.0 255.255.0.0 11.11.11.11
asa2(config)# route outside 6.6.6.6 255.255.255.255 10.0.0.1
Let’s test the tunnel:
r1#ping 2.2.2.2 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
.....
Success rate is 0 percent (0/5)
r1#
As we can see above, the tunnel did not come up. Let's check the ASAs.
- Is NAT working?
asa1# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static LEFT-11.11.11.11 NAT-6.6.6.6
translate_hits = 3, untranslate_hits = 0
asa1#
asa1# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static LEFT-11.11.11.11 NAT-6.6.6.6
translate_hits = 3, untranslate_hits = 0
Source - Origin: 11.11.11.11/32, Translated: 6.6.6.6/32
asa1#
As we can see above, NAT is working on ASA1: the outgoing pings hit the translation rule (translate_hits = 3).
asa2# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static RIGHT-11.11.11.11 NAT-2.2.2.2
translate_hits = 0, untranslate_hits = 5
asa2# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static RIGHT-11.11.11.11 NAT-2.2.2.2
translate_hits = 0, untranslate_hits = 5
Source - Origin: 11.11.11.11/32, Translated: 2.2.2.2/32
asa2#
On ASA2 nothing has been translated in the inside-to-outside direction (translate_hits = 0), so no reply ever left R2. Note the untranslate_hits = 5, though: the five pings reached ASA2's outside interface with a destination of 2.2.2.2, which indicates that ASA1 routed them to the peer in the clear instead of encrypting them. Traffic that does not match the crypto ACL is not dropped by the ASA, it is forwarded according to the routing table, so a selector mismatch can leak traffic while the tunnel is down; a capture on the outside interface will confirm it.
- Do the crypto ACLs match the traffic on both ASAs?
As you remember, the crypto ACLs on both ASAs have to mirror each other. These are my ACLs:
asa1# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list VPN; 1 elements; name hash: 0x7edb8801
access-list VPN line 1 extended permit ip host 11.11.11.11 host 2.2.2.2 (hitcnt=0) 0xa8621235
asa1#
asa2# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list VPN; 1 elements; name hash: 0x7edb8801
access-list VPN line 1 extended permit ip host 11.11.11.11 host 6.6.6.6 (hitcnt=0) 0x5169389c
asa2#
As we can see, my ACLs do not mirror each other (ASA1 permits 11.11.11.11 -> 2.2.2.2, while ASA2 permits 11.11.11.11 -> 6.6.6.6, and neither is the reverse of the other), which is why the interesting traffic cannot bring up the VPN tunnel. In version 8.3+ Cisco introduced one major change: ACLs are written with the ‘real’ IP addresses, not the NAT-ed ones. My configuration follows that rule, yet the ACLs cannot match. Let's try the NAT-ed IPs in the ACL “VPN” instead.
ASA1:
asa1(config)# access-list VPN extended permit ip host 6.6.6.6 host 2.2.2.2
ASA2:
asa2(config)# access-list VPN extended permit ip host 2.2.2.2 host 6.6.6.6
and test again. The earlier entries with the real 11.11.11.11 address can be removed from both ACLs with ‘no access-list ...’; the source is already translated by the time the crypto map is consulted, so they will never match:
r1#ping 2.2.2.2 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 64/71/92 ms
r1#
It works!
ASA1:
asa1# sh crypto ikev2 sa
IKEv2 SAs:
Session-id:18, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
235521139 10.0.0.1/500 10.0.0.2/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/124 sec
Child sa: local selector 6.6.6.6/0 - 6.6.6.6/65535
remote selector 2.2.2.2/0 - 2.2.2.2/65535
ESP spi in/out: 0x56ad69da/0x261d1433
asa1#
asa1# sh crypto ikev2 sa detail
IKEv2 SAs:
Session-id:18, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
235521139 10.0.0.1/500 10.0.0.2/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/152 sec
Session-id: 18
Status Description: Negotiation done
Local spi: CBBB421957EA5272 Remote spi: 23F1298489CC0CE0
Local id: hostname=asa1.test.com
Remote id: hostname=asa2.test.com
Local req mess id: 7 Remote req mess id: 5
Local next mess id: 7 Remote next mess id: 5
Local req queued: 7 Remote req queued: 5
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
Child sa: local selector 6.6.6.6/0 - 6.6.6.6/65535
remote selector 2.2.2.2/0 - 2.2.2.2/65535
ESP spi in/out: 0x56ad69da/0x261d1433
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
asa1#
asa1# sh crypto ipsec sa
interface: outside
Crypto map tag: MAPA, seq num: 10, local addr: 10.0.0.1
access-list VPN extended permit ip host 6.6.6.6 host 2.2.2.2
local ident (addr/mask/prot/port): (6.6.6.6/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer: 10.0.0.2
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.0.0.1/500, remote crypto endpt.: 10.0.0.2/500
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 261D1433
current inbound spi : 56AD69DA
inbound esp sas:
spi: 0x56AD69DA (1454205402)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 73728, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (4239359/28610)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x261D1433 (639439923)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 73728, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (3916799/28610)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
asa1#
and ASA2:
asa2# sh crypto ikev2 sa
IKEv2 SAs:
Session-id:18, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
237464427 10.0.0.2/500 10.0.0.1/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/120 sec
Child sa: local selector 2.2.2.2/0 - 2.2.2.2/65535
remote selector 6.6.6.6/0 - 6.6.6.6/65535
ESP spi in/out: 0x261d1433/0x56ad69da
asa2#
asa2# sh crypto ikev2 sa detail
IKEv2 SAs:
Session-id:18, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
237464427 10.0.0.2/500 10.0.0.1/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/291 sec
Session-id: 18
Status Description: Negotiation done
Local spi: 23F1298489CC0CE0 Remote spi: CBBB421957EA5272
Local id: hostname=asa2.test.com
Remote id: hostname=asa1.test.com
Local req mess id: 12 Remote req mess id: 14
Local next mess id: 12 Remote next mess id: 14
Local req queued: 12 Remote req queued: 14
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
Child sa: local selector 2.2.2.2/0 - 2.2.2.2/65535
remote selector 6.6.6.6/0 - 6.6.6.6/65535
ESP spi in/out: 0x261d1433/0x56ad69da
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
asa2#
asa2# sh crypto ipsec sa
interface: outside
Crypto map tag: MAPA, seq num: 10, local addr: 10.0.0.2
access-list VPN extended permit ip host 2.2.2.2 host 6.6.6.6
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (6.6.6.6/255.255.255.255/0/0)
current_peer: 10.0.0.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.0.0.2/500, remote crypto endpt.: 10.0.0.1/500
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 56AD69DA
current inbound spi : 261D1433
inbound esp sas:
spi: 0x261D1433 (639439923)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 114688, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (4193279/28480)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x56AD69DA (1454205402)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 114688, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (4055039/28480)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
asa2#
The tunnel is working, with the child SA selectors 6.6.6.6 <-> 2.2.2.2 on both sides. This is the one exception to the 8.3+ ‘real IP’ rule for ACLs: the crypto map ACL is evaluated against the translated packet (source NAT happens before the crypto map lookup on the way out, and the decrypted packet is matched before its destination is un-translated on the way in), so crypto ACLs have to use the NAT-ed addresses, not the real ones. The remaining two pairs (7.7.7.7/3.3.3.3 and 8.8.8.8/4.4.4.4) follow the same scheme: one static NAT per host on each ASA, a host route to the peer's translated address, and a mirrored crypto ACL entry written with the translated addresses.
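The per-pair procedure above (one static NAT per host, a host route to each translated peer address, a crypto ACL entry per pair) and the reason the second set of ACLs worked can both be checked without a lab. The following Python script is an added example, not code from the original post or from Cisco: it models the ASA order of operations that the result depends on (on 8.3+, source NAT is applied before the crypto map ACL is consulted, and a decrypted packet is matched against the crypto ACL before its destination is un-translated), generates the NAT, ACL and route lines for all three host pairs, and runs the ping from the post through both ASAs and back. The host addresses and the NAT mapping are the post's; the object-group naming convention, the Ace type and all function names are my own assumptions.

```python
"""Model of the ASA packet path behind the NAT-ed crypto ACL.
Added example, not from the original post or from Cisco. Assumptions:
hosts and NAT mapping as in the post; object-group naming, the Ace
type and all function names are mine."""
from dataclasses import dataclass
from typing import Optional

# Real host -> translated address, per ASA (from the post's diagram).
NAT_ASA1 = {"11.11.11.11": "6.6.6.6", "11.11.12.12": "7.7.7.7", "11.11.13.13": "8.8.8.8"}
NAT_ASA2 = {"11.11.11.11": "2.2.2.2", "11.11.12.12": "3.3.3.3", "11.11.13.13": "4.4.4.4"}


@dataclass(frozen=True)
class Ace:
    """One 'access-list VPN extended permit ip host SRC host DST' entry."""
    src: str
    dst: str


def crypto_acl(local_nat: dict, remote_nat: dict) -> list:
    """Crypto ACL for one ASA, translated addresses on both ends; hosts are
    paired by their shared real address (left 11.11.11.11 <-> right 11.11.11.11)."""
    return [Ace(local_nat[h], remote_nat[h]) for h in local_nat]


def acl_lines(acl, name: str = "VPN") -> list:
    """Render ACEs in ASA syntax."""
    return [f"access-list {name} extended permit ip host {a.src} host {a.dst}" for a in acl]


def asa_config(side: str, local_nat: dict, remote_nat: dict, peer_ip: str) -> list:
    """Static NAT, crypto ACL and host routes for all pairs on one ASA (the post
    types the first pair by hand; this is the same scheme for all three)."""
    lines = []
    for real, mapped in local_nat.items():
        lines += [f"object-group network {side}-{real}", f" network-object host {real}",
                  f"object-group network NAT-{mapped}", f" network-object host {mapped}",
                  f"nat (inside,outside) source static {side}-{real} NAT-{mapped}"]
    lines += acl_lines(crypto_acl(local_nat, remote_nat))
    # Each translated remote host must be routed towards the peer, as in the post.
    lines += [f"route outside {m} 255.255.255.255 {peer_ip}" for m in remote_nat.values()]
    return lines


def is_mirror(acl_a, acl_b) -> bool:
    """Both peers must describe the same flows, seen from opposite ends."""
    return {(a.src, a.dst) for a in acl_a} == {(b.dst, b.src) for b in acl_b}


def egress(nat: dict, acl, src: str, dst: str) -> Optional[Ace]:
    """inside -> outside: source NAT first, then the crypto ACL lookup on the
    translated packet. Returns the ACE hit (it becomes the IPsec traffic
    selector) or None: on a real ASA that packet is routed in the clear."""
    mapped_src = nat.get(src, src)
    return next((a for a in acl if (a.src, a.dst) == (mapped_src, dst)), None)


def ingress(nat: dict, acl, src: str, dst: str) -> Optional[str]:
    """outside -> inside after decryption: the packet still carries translated
    addresses, so it is checked against the crypto ACL (reverse direction)
    before the destination is un-translated. Returns the real destination host."""
    if not any((a.src, a.dst) == (dst, src) for a in acl):
        return None
    real_of = {mapped: real for real, mapped in nat.items()}
    return real_of.get(dst)


def reachable(src_real: str, dst_mapped: str, acl1, acl2) -> bool:
    """Round trip of the post's ping: R1 -> ASA1 -> ASA2 -> R2 and the reply back."""
    sel = egress(NAT_ASA1, acl1, src_real, dst_mapped)
    if sel is None:
        return False
    dst_real = ingress(NAT_ASA2, acl2, sel.src, sel.dst)
    if dst_real is None:
        return False
    # R2 replies to the translated source it saw (6.6.6.6), never to 11.11.11.11.
    back = egress(NAT_ASA2, acl2, dst_real, sel.src)
    return back is not None and ingress(NAT_ASA1, acl1, back.src, back.dst) == src_real


# The post's first attempt: crypto ACLs written with the real source address.
FIRST_TRY_ASA1 = [Ace("11.11.11.11", "2.2.2.2")]
FIRST_TRY_ASA2 = [Ace("11.11.11.11", "6.6.6.6")]
# The fix: translated addresses on both ends; the two ACLs are mirrors of each other.
FIXED_ASA1 = crypto_acl(NAT_ASA1, NAT_ASA2)
FIXED_ASA2 = crypto_acl(NAT_ASA2, NAT_ASA1)

if __name__ == "__main__":
    print("first try mirrored:", is_mirror(FIRST_TRY_ASA1, FIRST_TRY_ASA2))
    print("first try ping   :", reachable("11.11.11.11", "2.2.2.2", FIRST_TRY_ASA1, FIRST_TRY_ASA2))
    print("fixed mirrored   :", is_mirror(FIXED_ASA1, FIXED_ASA2))
    for real, mapped in NAT_ASA2.items():
        print(f"left {real} -> {mapped}:", reachable(real, mapped, FIXED_ASA1, FIXED_ASA2))
    print("\n".join(asa_config("LEFT", NAT_ASA1, NAT_ASA2, "10.0.0.2")))
```

Running it shows that the first pair of ACLs is neither mirrored nor ever hit (the packet leaves ASA1 unencrypted), while the translated-address ACLs mirror each other and carry all three pairs; the generated configuration for ASA1 begins with the same object-group, nat, access-list and route lines as the ones typed by hand above. Cross-pair traffic (left 11.11.11.11 to 3.3.3.3) is not permitted because the ACL is written host to host, which is the intended least-privilege selector for this design.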