ASA Tunnel not hitting the correct NAT

Started by that1guy15, September 23, 2015, 10:02:09 AM


that1guy15

I have been banging my head on this one and can't figure out why the tunnel will not light up. Not even ISAKMP SA...

So I have an existing tunnel in place and need to shift it to a new destination IP and new destination subnets. When I stand up the new tunnel I get nothing. Packet-Tracer shows the old tunnel hits the correct NAT but the new tunnel does not and hits the global default NAT.

These are basic static NAT entries with source and destination hosts. All I did was add the new destination IPs to the ACLs referenced in the NAT statement.

What am I missing here???

static (inside,outside) 10.19.176.25  access-list inside_nat_static_20 

access-list inside_nat_static_20 extended permit ip host GROUPA host xxx.xxx.xxx.119
access-list inside_nat_static_20 extended permit ip host GROUPA host xxx.xxx.xxx.110
access-list inside_nat_static_20 extended permit ip host GROUPA host xxx.xxx.xxx.142 <---this line is what I added
That1guy15
@that1guy_15
blog.movingonesandzeros.net

deanwebb

Is that in the same subnet range as .119 and .110?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

routerdork

I'm not sure what causes the tunnels to hit the global like this. I'm no ASA expert. But what you need to do is change the NAT order, easiest with ASDM, so that the new one comes up first before the old tunnel. Also this order can affect your crypto maps as well. I kill myself on this constantly.


Edited to contain proper engrish
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

that1guy15

On my side they are all set up as host statements with /32

Static routes also point to each host as a /32.

that1guy15

Shifted the ACE entry to the top and still no dice.

Stupid question, do I need to clear xlate or anything to re-apply the ACL/NAT changes?

deanwebb


routerdork

Now that it is higher in the list than the old tunnel does packet tracer show the same results?

that1guy15

Nope, no change. I also did a clear xlate.
The more I work on these ASAs the more I hate them.

routerdork

How about the crypto maps? Is there an entry with a lower number that will match prior to the new tunnel?

that1guy15

Quote from: routerdork on September 23, 2015, 01:35:28 PM
How about the crypto maps? Is there an entry with a lower number that will match prior to the new tunnel?
There is the original tunnel but the interesting traffic ACL does not match the new destination IPs I added.

deanwebb

Do you have proxy-ids defined for each host, on each end of the tunnel?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

that1guy15

Quote from: deanwebb on September 23, 2015, 01:58:40 PM
Do you have proxy-ids defined for each host, on each end of the tunnel?

Looking at the config I don't think so. Not sure what the other end looks like though.

routerdork

Can you paste your packet tracer results? Or the pertinent information to the tunnels?

that1guy15


Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:       
access-group inside_access_in_1 in interface inside
access-list inside_access_in_1 extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac456388, priority=12, domain=permit, deny=false
        hits=644099416, user_data=0xac456348, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac681480, priority=7, domain=conn-set, deny=false
        hits=398409650, user_data=0xb207e4d8, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xadeae910, priority=0, domain=permit-ip-option, deny=true
        hits=738004768, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad7fa058, priority=50, domain=ids, deny=false
        hits=644475458, user_data=0xad7f91a0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xadeabc80, priority=20, domain=lu, deny=false
        hits=398705818, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype:     
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (<OUTSIDE IP> - <OUTSIDE IP>)
    translate_hits = 371278761, untranslate_hits = 13163439
Additional Information:
Dynamic translate SERVER-IP/80 to <OUTSIDE IP>/88 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in  id=0xace6b3a0, priority=1, domain=nat, deny=false
        hits=375332119, user_data=0xace6b300, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (<OUTSIDE IP> - <OUTSIDE IP>)
    translate_hits = 371278774, untranslate_hits = 13163439
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xace6b630, priority=1, domain=host, deny=false
        hits=158172805, user_data=0xace6b300, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xacb91b60, priority=0, domain=permit-ip-option, deny=true
        hits=569718276, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 853760457, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_divert_fragment
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
             
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_divert_fragment
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
             

that1guy15

On working tunnels, Phase 8 matches the correct static NAT and then Phase 10 is VPN.

Give me a bit and I'll get config on here too.
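As an added example (not from the thread or from Cisco), a small Python checker for the packet-tracer output format posted above: it parses the phases, reports which rule the flow matched in the NAT phase (a `static` entry versus the `nat (inside) 1` global dynamic rule) and whether a VPN phase appears, which is what that1guy15 says a working tunnel shows. The embedded trace is a constructed, shortened copy of the posted output.

```python
import re

# Constructed excerpt shaped like the posted packet-tracer output: phase 8 hits the global dynamic NAT, phase 10 is not VPN.
FAILING_TRACE = """\
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
    dynamic translation to pool 1 (<OUTSIDE IP> - <OUTSIDE IP>)
Additional Information:
Dynamic translate SERVER-IP/80 to <OUTSIDE IP>/88 using netmask 255.255.255.255
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
"""

def parse_phases(text):
    """Split packet-tracer output into one dict per phase: number, Type, Subtype, Result and the Config lines."""
    phases, cur, in_config = [], None, False
    for line in text.splitlines():
        m = re.match(r"Phase:\s*(\d+)", line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": "", "config": []}
            phases.append(cur)
            in_config = False
        elif cur is None:
            continue  # text before the first phase header is ignored
        elif re.match(r"(Type|Subtype|Result):", line):
            key, val = line.split(":", 1)
            cur[key.lower()] = val.strip()
        elif line.startswith("Config:"):
            in_config = True
        elif line.startswith("Additional Information:"):
            in_config = False
        elif in_config and line.strip():
            cur["config"].append(line.strip())
    return phases

def nat_verdict(text):
    """Report which NAT rule the traced flow matched (first NAT phase without a subtype) and whether a VPN phase was reached."""
    phases = parse_phases(text)
    nat = next((p for p in phases if p["type"] == "NAT" and p["subtype"] == ""), None)
    rule = nat["config"][0] if nat and nat["config"] else ""
    kind = "static" if rule.startswith("static ") else "dynamic" if rule.startswith("nat (") else "none"
    vpn = [p["phase"] for p in phases if p["type"] == "VPN"]
    return {"rule": rule, "kind": kind, "vpn_phase": vpn[0] if vpn else None}
```

Running `nat_verdict(FAILING_TRACE)` reports the dynamic rule and no VPN phase; feeding it a trace from a working tunnel reports the `static` rule and the VPN phase number.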