Thursday, May 15, 2014

ASA ikev2 VPN s-2-s (PKI) - part three

Today I would like to add NAT to the configuration presented in one of my previous posts: “ASA ikev2 VPN s-2-s (PKI) - part one”. Assume that the LAN networks have the same addresses on both sides:

       11.11.11.0/24      10.0.0.0/24       11.11.0.0/24

  /----\ .11     .1 -----  .1      .2 -----  .1      .11/----\
 |  R1  |----------| ASA1 |----------| ASA2 |----------|  R2  |
  \----/            -----      |.100  -----             \----/
  Loop0                     /----\                       Loop0
11.11.12.12                |  R3  |                     11.11.12.12
  Loop1                     \----/                       Loop1
11.11.13.13               PKI SERVER                    11.11.13.13

This happens in practice, for example when two companies merge. For this post I simplify the design: instead of whole overlapping subnets there are six hosts, three on each side, and the three hosts on the left use the same IPs as the three on the right (the router interface plus two Loopback interfaces on R1 and R2). I will implement NAT on ASA1 and ASA2 according to the diagram below:

     11.11.11.11 <-----> 6.6.6.6    2.2.2.2 <-----> 11.11.11.11
     11.11.12.12 <-----> 7.7.7.7    3.3.3.3 <-----> 11.11.12.12
     11.11.13.13 <-----> 8.8.8.8    4.4.4.4 <-----> 11.11.13.13

                NAT on ASA1                NAT on ASA2
               ------------               ------------
              |    ASA1    |-------------|    ASA2    |
               ------------               ------------

Now, when host 11.11.11.11 on the left wants to communicate with 11.11.11.11 on the right (R1 -> R2), it has to use 2.2.2.2 as the destination IP, and the source of the packet on the wire will be 6.6.6.6. When we initiate traffic from right to left (R2 -> R1), R2 has to use 6.6.6.6 as the destination IP, and the source IP of this traffic on the wire will be 2.2.2.2.

Let’s implement the first pair 11.11.11.11 (left) - 11.11.11.11 (right):


ASA1:

object-group network LEFT-11.11.11.11
 network-object host 11.11.11.11

object-group network NAT-6.6.6.6
 network-object host 6.6.6.6

nat (inside,outside) source static LEFT-11.11.11.11 NAT-6.6.6.6

We also have to update the crypto ACL on ASA1 (the access list referenced by the crypto map). My first attempt:

access-list VPN extended permit ip host 11.11.11.11 host 2.2.2.2

Now the same on ASA2:

object-group network RIGHT-11.11.11.11
 network-object host 11.11.11.11

object-group network NAT-2.2.2.2
 network-object host 2.2.2.2

nat (inside,outside) source static RIGHT-11.11.11.11 NAT-2.2.2.2

and the corresponding new entry in ASA2’s crypto ACL:

access-list VPN extended permit ip host 11.11.11.11 host 6.6.6.6 

While implementing NAT, do not forget about routing! The old routes for 20.0.0.0/16 and 11.11.0.0/16 across the tunnel have to go, each ASA needs a host route for the peer’s mapped address pointing out of the outside interface (so the translated packet reaches the crypto map on the correct interface), and R2 needs a default route towards ASA2’s inside interface.

R2:

r2(config)#ip route 0.0.0.0 0.0.0.0 11.11.11.1
r2(config)#no ip route 0.0.0.0 0.0.0.0 20.0.0.2

ASA1:

asa1(config)# no route outside 20.0.0.0 255.255.0.0 10.0.0.2 1
asa1(config)# route outside 2.2.2.2 255.255.255.255 10.0.0.2

ASA2:

asa2(config)# no route outside 11.11.0.0 255.255.0.0 10.0.0.1 1
asa2(config)# no route inside 20.0.0.0 255.255.0.0 20.0.0.1 1
asa2(config)# 
asa2(config)# route inside 11.11.0.0 255.255.0.0 11.11.11.11
asa2(config)# route outside 6.6.6.6 255.255.255.255 10.0.0.1

Let’s test the tunnel:

r1#ping 2.2.2.2 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
.....
Success rate is 0 percent (0/5)
r1#

As we can see above, the tunnel did not come up. Let’s check the ASAs.

  • Does NAT work?
asa1# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static LEFT-11.11.11.11 NAT-6.6.6.6
    translate_hits = 3, untranslate_hits = 0
asa1# 

asa1# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static LEFT-11.11.11.11 NAT-6.6.6.6
    translate_hits = 3, untranslate_hits = 0
    Source - Origin: 11.11.11.11/32, Translated: 6.6.6.6/32
asa1#

As we see above, NAT is working on ASA1: the pings were translated (translate_hits = 3) and the origin/translated pair is the expected 11.11.11.11/32 -> 6.6.6.6/32.

asa2# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static RIGHT-11.11.11.11 NAT-2.2.2.2
    translate_hits = 0, untranslate_hits = 5
asa2# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static RIGHT-11.11.11.11 NAT-2.2.2.2
    translate_hits = 0, untranslate_hits = 5
    Source - Origin: 11.11.11.11/32, Translated: 2.2.2.2/32
asa2#

On ASA2 only the reverse direction of the rule fired: untranslate_hits = 5 means five packets addressed to 2.2.2.2 arrived and were mapped back to 11.11.11.11, while translate_hits = 0 means no reply from R2 was translated towards the left side. Note that those five packets reached ASA2 although no IPsec SA exists yet, which already suggests that ASA1 forwarded them without encryption.
  • Do the crypto ACLs match the traffic on both ASAs?
As you remember, the crypto ACLs on both ASAs should mirror each other. My current ACLs:
 
asa1# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list VPN; 1 elements; name hash: 0x7edb8801
access-list VPN line 1 extended permit ip host 11.11.11.11 host 2.2.2.2 (hitcnt=0) 0xa8621235
asa1#

asa2# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list VPN; 1 elements; name hash: 0x7edb8801
access-list VPN line 1 extended permit ip host 11.11.11.11 host 6.6.6.6 (hitcnt=0) 0x5169389c
asa2#

As we see, my ACLs are not mirrors of each other (ASA1 says 11.11.11.11 -> 2.2.2.2, ASA2 says 11.11.11.11 -> 6.6.6.6), and neither line has a single hit (hitcnt=0) even though ASA1 did translate the packets. The translated packet never matches the crypto map, so it never brings up the VPN tunnel. In version 8.3+ Cisco introduced a major NAT change: interface access lists (the ones applied with access-group) must use the ‘real’ IP addresses, not the NAT-ed ones. The crypto ACL is different: it is evaluated on the egress interface after NAT has already been applied, so it sees the translated source 6.6.6.6, not 11.11.11.11. Let’s use the NAT-ed IPs in my ACL “VPN”:

ASA1:

asa1(config)# access-list VPN extended permit ip host 6.6.6.6 host 2.2.2.2

ASA2:

asa2(config)# access-list VPN extended permit ip host 2.2.2.2 host 6.6.6.6

(the original entries with the real addresses should be removed with the matching `no access-list VPN ...` commands, otherwise they stay in the crypto ACL as proxy identities that never match) and let’s test it again:

r1#ping 2.2.2.2 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 64/71/92 ms
r1#

It works! The child SA selectors below (6.6.6.6 <-> 2.2.2.2) are the mapped addresses, exactly what the corrected ACL describes.

ASA1:


asa1# sh crypto ikev2 sa

IKEv2 SAs:

Session-id:18, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
235521139          10.0.0.1/500          10.0.0.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/124 sec
Child sa: local selector  6.6.6.6/0 - 6.6.6.6/65535
          remote selector 2.2.2.2/0 - 2.2.2.2/65535
          ESP spi in/out: 0x56ad69da/0x261d1433
asa1#

asa1# sh crypto ikev2 sa detail

IKEv2 SAs:

Session-id:18, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
235521139          10.0.0.1/500          10.0.0.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/152 sec
      Session-id: 18
      Status Description: Negotiation done
      Local spi: CBBB421957EA5272       Remote spi: 23F1298489CC0CE0
      Local id: hostname=asa1.test.com
      Remote id: hostname=asa2.test.com
      Local req mess id: 7              Remote req mess id: 5
      Local next mess id: 7             Remote next mess id: 5
      Local req queued: 7               Remote req queued: 5
      Local window: 1                   Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected
Child sa: local selector  6.6.6.6/0 - 6.6.6.6/65535
          remote selector 2.2.2.2/0 - 2.2.2.2/65535
          ESP spi in/out: 0x56ad69da/0x261d1433
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
asa1#

 
asa1# sh crypto ipsec sa
interface: outside
    Crypto map tag: MAPA, seq num: 10, local addr: 10.0.0.1

      access-list VPN extended permit ip host 6.6.6.6 host 2.2.2.2
      local ident (addr/mask/prot/port): (6.6.6.6/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
      current_peer: 10.0.0.2

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.0.1/500, remote crypto endpt.: 10.0.0.2/500
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 261D1433
      current inbound spi : 56AD69DA

    inbound esp sas:
      spi: 0x56AD69DA (1454205402)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 73728, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (4239359/28610)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x261D1433 (639439923)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 73728, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (3916799/28610)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

asa1#

and ASA2:

asa2# sh crypto ikev2 sa

IKEv2 SAs:

Session-id:18, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
237464427          10.0.0.2/500          10.0.0.1/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/120 sec
Child sa: local selector  2.2.2.2/0 - 2.2.2.2/65535
          remote selector 6.6.6.6/0 - 6.6.6.6/65535
          ESP spi in/out: 0x261d1433/0x56ad69da
asa2#

 
asa2# sh crypto ikev2 sa detail

IKEv2 SAs:

Session-id:18, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
237464427          10.0.0.2/500          10.0.0.1/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/291 sec
      Session-id: 18
      Status Description: Negotiation done
      Local spi: 23F1298489CC0CE0       Remote spi: CBBB421957EA5272
      Local id: hostname=asa2.test.com
      Remote id: hostname=asa1.test.com
      Local req mess id: 12             Remote req mess id: 14
      Local next mess id: 12            Remote next mess id: 14
      Local req queued: 12              Remote req queued: 14
      Local window: 1                   Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected
Child sa: local selector  2.2.2.2/0 - 2.2.2.2/65535
          remote selector 6.6.6.6/0 - 6.6.6.6/65535
          ESP spi in/out: 0x261d1433/0x56ad69da
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
asa2#

 
asa2# sh crypto ipsec sa
interface: outside
    Crypto map tag: MAPA, seq num: 10, local addr: 10.0.0.2

      access-list VPN extended permit ip host 2.2.2.2 host 6.6.6.6
      local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (6.6.6.6/255.255.255.255/0/0)
      current_peer: 10.0.0.1

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.0.2/500, remote crypto endpt.: 10.0.0.1/500
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 56AD69DA
      current inbound spi : 261D1433

    inbound esp sas:
      spi: 0x261D1433 (639439923)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 114688, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (4193279/28480)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x56AD69DA (1454205402)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 114688, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (4055039/28480)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

asa2#

The tunnel is working. This is not really an exception to the 8.3+ rule: that rule is about interface ACLs, which see the real addresses. The crypto ACL is consulted after NAT, so it has to use the NAT-ed addresses, and the traffic selectors negotiated in the child SA are the mapped ones too. One caveat worth remembering: traffic that matches no crypto ACL line is not dropped but routed in the clear, which is what the untranslate_hits on ASA2 during the failed test point to. So after any NAT change on a VPN gateway, verify the NAT phase and the VPN phase together before trusting the tunnel, for example with `packet-tracer input inside icmp 11.11.11.11 8 0 2.2.2.2 detailed` on ASA1, and make sure nothing that must stay encrypted can fall through to plain routing.
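To make the order of operations concrete, here is an added example that is not part of the original post and not Cisco’s code: a small Python model of an ASA 8.3+ forwarding path in which manual NAT is applied before the crypto map lookup, extended to all three host pairs from the diagram. The NAT tables, the ACL lists and every helper name (translate, send_outbound, receive_inbound, derive_crypto_acl, mirrors, demo) are my own constructions. The model assumes, as the ASA does, that traffic matching no crypto ACL line is simply routed unencrypted, and that decrypted traffic must match the negotiated selectors.

```python
# Added example, not from the original post: a toy model of the ASA 8.3+
# order of operations (manual NAT first, crypto-map ACL lookup second) for the
# three host pairs in the diagram. All tables and helper names are my own
# construction; nothing here is taken from the ASA's real implementation.

# Static source NAT, real -> mapped, as configured with
# "nat (inside,outside) source static REAL MAPPED" on each ASA.
NAT = {
    "asa1": {"11.11.11.11": "6.6.6.6", "11.11.12.12": "7.7.7.7", "11.11.13.13": "8.8.8.8"},
    "asa2": {"11.11.11.11": "2.2.2.2", "11.11.12.12": "3.3.3.3", "11.11.13.13": "4.4.4.4"},
}


def translate(asa, real_src):
    """Outbound: section-1 manual NAT maps the real source to the mapped one."""
    return NAT[asa].get(real_src, real_src)


def untranslate(asa, mapped_dst):
    """Inbound: the same rule is walked backwards for the destination."""
    reverse = {mapped: real for real, mapped in NAT[asa].items()}
    return reverse.get(mapped_dst, mapped_dst)


def crypto_match(acl, src, dst):
    """Crypto ACL: list of (src_host, dst_host) 'permit ip host A host B' lines."""
    return any(src == line_src and dst == line_dst for line_src, line_dst in acl)


def send_outbound(asa, acl, real_src, dst):
    """Model an inside->outside packet. Returns (disposition, src_on_wire, dst).

    The crypto map is evaluated on the egress interface, i.e. AFTER NAT, so the
    ACL sees the mapped source. A packet that matches no crypto ACL line is not
    dropped; it is routed unencrypted, which is the failure mode in the post
    (translate_hits on ASA1, untranslate_hits on ASA2, hitcnt=0 on the ACL).
    """
    src_on_wire = translate(asa, real_src)
    if crypto_match(acl, src_on_wire, dst):
        return "encrypted", src_on_wire, dst
    return "cleartext", src_on_wire, dst


def receive_inbound(asa, acl, src, mapped_dst):
    """Model a decapsulated outside->inside packet.

    Decrypted traffic is checked against the selectors as they appear on the
    wire (mapped addresses, local = dst, remote = src); only then does
    destination NAT restore the real host behind this ASA.
    """
    if not crypto_match(acl, mapped_dst, src):
        return "rejected", None
    return "delivered", untranslate(asa, mapped_dst)


def derive_crypto_acl(local, remote):
    """Build the crypto ACL for `local` from both NAT tables.

    Every line is mapped-local -> mapped-remote: neither side ever sees a real
    address of the other, so a real address has no business in this ACL.
    """
    return [(NAT[local][real], NAT[remote][real]) for real in NAT[local]]


def mirrors(acl_a, acl_b):
    """Peer crypto ACLs must be exact mirrors: each (src, dst) on A is (dst, src) on B."""
    return {(s, d) for s, d in acl_a} == {(d, s) for s, d in acl_b}


# The post's first attempt: real local host, mapped remote host.
ASA1_REAL_ACL = [("11.11.11.11", "2.2.2.2")]
ASA2_REAL_ACL = [("11.11.11.11", "6.6.6.6")]

# The working version, generalised to all three pairs.
ASA1_ACL = derive_crypto_acl("asa1", "asa2")   # (6.6.6.6,2.2.2.2) (7.7.7.7,3.3.3.3) (8.8.8.8,4.4.4.4)
ASA2_ACL = derive_crypto_acl("asa2", "asa1")   # (2.2.2.2,6.6.6.6) (3.3.3.3,7.7.7.7) (4.4.4.4,8.8.8.8)


def demo():
    """R1 (11.11.11.11) pings 2.2.2.2 through both ACL variants; returns a summary."""
    return {
        "real_acl": send_outbound("asa1", ASA1_REAL_ACL, "11.11.11.11", "2.2.2.2"),
        "real_acl_mirrored": mirrors(ASA1_REAL_ACL, ASA2_REAL_ACL),
        "mapped_acl": send_outbound("asa1", ASA1_ACL, "11.11.11.11", "2.2.2.2"),
        "mapped_acl_mirrored": mirrors(ASA1_ACL, ASA2_ACL),
        "asa2_delivers_to": receive_inbound("asa2", ASA2_ACL, "6.6.6.6", "2.2.2.2"),
        "reply_from_r2": send_outbound("asa2", ASA2_ACL, "11.11.11.11", "6.6.6.6"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

Running the script shows the two outcomes side by side: with the first-attempt ACL the translated packet 6.6.6.6 -> 2.2.2.2 leaves as "cleartext" and the mirror check fails, while with the ACL derived from both NAT tables every direction is "encrypted", ASA2 delivers to the real 11.11.11.11, and the two ACLs mirror each other. Deriving the crypto ACL from the NAT tables rather than typing it by hand is also the simplest way to keep the three pairs consistent on both gateways.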
