ASA Tunnel not hitting the correct NAT

that1guy15 · September 23, 2015, 10:02:09 AM

I have been banging my head on this one and cant figure out why the tunnel will not light up. Not even ISAKMP SA...

So I have an existing tunnel in place and need to shift it to a new destination IP and new destination subnets. When I stand up the new tunnel I get nothing. Packet-Tracer shows the old tunnel hits the correct NAT but the new tunnel does not and hits the global default NAT.

These are basic static NAT entries with source and destination hosts. All I did was add the new destination IPs to the ACLs referenced in the NAT statement.

What am I missing here???

Code Select

static (inside,outside) 10.19.176.25  access-list inside_nat_static_20  

access-list inside_nat_static_20 extended permit ip host GROUPA host xxx.xxx.xxx.119 
access-list inside_nat_static_20 extended permit ip host GROUPA host xxx.xxx.xxx.110
access-list inside_nat_static_20 extended permit ip host GROUPA host xxx.xxx.xxx.142 <---this line is what I added

deanwebb · September 23, 2015, 10:07:16 AM

Is that in the same subnet range as .119 and .110?

routerdork · September 23, 2015, 10:19:11 AM

I'm not sure what causes the tunnels to hit the global like this. I'm no ASA expert. But what you need to do is change the NAT order, easiest with ASDM, so that the new one comes up first before the old tunnel. Also this order can affect your crypto maps as well. I kill myself on this constantly.

Edited to contain proper engrish

that1guy15 · September 23, 2015, 10:19:58 AM

On my side they are all setup as host statements with /32

Static routes also point to each host as a /32.

that1guy15 · September 23, 2015, 10:30:23 AM

Shifted the ACE entry to the top and still no dice.

Stupid question, do I need to clear xlate or anything to re-apply the ACL/NAT changes?

deanwebb · September 23, 2015, 11:19:56 AM

Wouldn't hurt to try that.

routerdork · September 23, 2015, 12:08:32 PM

Now that it is higher in the list than the old tunnel does packet tracer show the same results?

that1guy15 · September 23, 2015, 01:24:57 PM

Nope no change. I also did a clear xlate.
The more I work on these ASAs the more I hate them.

routerdork · September 23, 2015, 01:35:28 PM

How about the crypto maps? Is there an entry with a lower number that will match prior to the new tunnel?

that1guy15 · September 23, 2015, 01:42:50 PM

Quote from: routerdork on September 23, 2015, 01:35:28 PM
How about the crypto maps? Is there an entry with a lower number that will match prior to the new tunnel?

There is the original tunnel but the interesting traffic ACL does not match the new destination IPs I added.

deanwebb · September 23, 2015, 01:58:40 PM

Do you have proxy-ids defined for each host, on each end of the tunnel?

that1guy15 · September 23, 2015, 02:11:20 PM

Quote from: deanwebb on September 23, 2015, 01:58:40 PM
Do you have proxy-ids defined for each host, on each end of the tunnel?

Looking at the config I dont think so. No sure what the other end looks like though.

routerdork · September 23, 2015, 02:18:00 PM

Can you paste your packet tracer results? Or the pertinent information to the tunnels?

that1guy15 · September 23, 2015, 02:40:25 PM

Code Select


Phase: 1
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:       
access-group inside_access_in_1 in interface inside
access-list inside_access_in_1 extended permit ip any any 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac456388, priority=12, domain=permit, deny=false
        hits=644099416, user_data=0xac456348, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: CONN-SETTINGS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac681480, priority=7, domain=conn-set, deny=false
        hits=398409650, user_data=0xb207e4d8, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xadeae910, priority=0, domain=permit-ip-option, deny=true
        hits=738004768, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: IDS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad7fa058, priority=50, domain=ids, deny=false
        hits=644475458, user_data=0xad7f91a0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xadeabc80, priority=20, domain=lu, deny=false
        hits=398705818, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype:      
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (<OUTSIDE IP> - <OUTSIDE IP>)
    translate_hits = 371278761, untranslate_hits = 13163439
Additional Information:
Dynamic translate SERVER-IP/80 to <OUTSIDE IP>/88 using netmask 255.255.255.255
 Forward Flow based lookup yields rule:
 in  id=0xace6b3a0, priority=1, domain=nat, deny=false
        hits=375332119, user_data=0xace6b300, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (<OUTSIDE IP> - <OUTSIDE IP>)
    translate_hits = 371278774, untranslate_hits = 13163439
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xace6b630, priority=1, domain=host, deny=false
        hits=158172805, user_data=0xace6b300, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xacb91b60, priority=0, domain=permit-ip-option, deny=true
        hits=569718276, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 853760457, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_divert_fragment
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
              
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_divert_fragment
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

that1guy15 · September 23, 2015, 02:41:09 PM

On working tunnels, Phase 8 matches the correct static NAT and then Phase 10 is VPN.

Give me a bit and Ill get config on here too.