Skip to main content

ASA ikev2 VPN s-2-s (PKI) - part three

Today I would like to implement NAT based on the configuration presented in one of my last posts: “ASA ikev2 VPN s-2-s (PKI) - part one”. Assume that LAN networks have the same addresses on both sides:

       11.11.11.0/24      10.0.0.0/24       11.11.0.0/24

  /----\ .11     .1 -----  .1      .2 -----  .1      .11/----\
 |  R1  |----------| ASA1 |----------| ASA2 |----------|  R2  |
  \----/            -----      |.100  -----             \----/
  Loop0                     /----\                       Loop0
11.11.12.12                |  R3  |                     11.11.12.12
  Loop1                     \----/                       Loop1
11.11.13.13               PKI SERVER                    11.11.13.13

Sometimes it happens, for example when two companies merge together. For this post only I simplify the design and instead of the same subnets I have six hosts, where three have the same IPs (represented here as a Loopback interfaces). I will implement NAT on ASA1 and ASA2 per below diagram:

     11.11.11.11 <-----> 6.6.6.6    2.2.2.2 <-----> 11.11.11.11
     11.11.12.12 <-----> 7.7.7.7    3.3.3.3 <-----> 11.11.12.12
     11.11.13.13 <-----> 8.8.8.8    4.4.4.4 <-----> 11.11.13.13

                NAT on ASA1                NAT on ASA2
               ------------               ------------
              |    ASA1    |-------------|    ASA2    |
               ------------               ------------

Now, when host 11.11.11.11 (on the left) wants to communicate with 11.11.11.11 (on the right) (R1–>R2),it has to use IP of 2.2.2.2 as a destination IP and the source of the packet will be 6.6.6.6. When we initiate traffic from right to left (R2–>R1), R2 has to use 6.6.6.6 as a destination IP, and the source IP of this traffic will be 2.2.2.2.

Let’s implement the first pair 11.11.11.11 (left) - 11.11.11.11 (right):


ASA1:

object-group network LEFT-11.11.11.11
 network-object host 11.11.11.11

object-group network NAT-6.6.6.6
 network-object host 6.6.6.6

nat (inside,outside) source static LEFT-11.11.11.11 NAT-6.6.6.6

We have to change ASA1’s ACL:

access-list VPN extended permit ip host 11.11.11.11 host 2.2.2.2

now we have to do the same on ASA2:

object-group network RIGHT-11.11.11.11
 network-object host 11.11.11.11

object-group network NAT-2.2.2.2
 network-object host 2.2.2.2

nat (inside,outside) source static RIGHT-11.11.11.11 NAT-2.2.2.2

and new ASA2’s ACL entry:

access-list VPN extended permit ip host 11.11.11.11 host 6.6.6.6

While implementing NAT do not forget about routing !

R2:

r2(config)#ip route 0.0.0.0 0.0.0.0 11.11.11.1
r2(config)#no ip route 0.0.0.0 0.0.0.0 20.0.0.2

ASA1:

asa1(config)# no route outside 20.0.0.0 255.255.0.0 10.0.0.2 1
asa1(config)# route outside 2.2.2.2 255.255.255.255 10.0.0.2

ASA2:

asa2(config)# no route outside 11.11.0.0 255.255.0.0 10.0.0.1 1
asa2(config)# no route inside 20.0.0.0 255.255.0.0 20.0.0.1 1
asa2(config)# 
asa2(config)# route inside 11.11.0.0 255.255.0.0 11.11.11.11
asa2(config)# route outside 6.6.6.6 255.255.255.255 10.0.0.1

Let’s test the tunnel:

r1#ping 2.2.2.2 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
.....
Success rate is 0 percent (0/5)
r1#

As we see above the tunnel didn’t come up, let’s check ASA.

  • does NAT work fine?
asa1# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static LEFT-11.11.11.11 NAT-6.6.6.6
    translate_hits = 3, untranslate_hits = 0
asa1# 

asa1# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static LEFT-11.11.11.11 NAT-6.6.6.6
    translate_hits = 3, untranslate_hits = 0
    Source - Origin: 11.11.11.11/32, Translated: 6.6.6.6/32
asa1#

As we see above NAT is working fine on ASA1

asa2# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static RIGHT-11.11.11.11 NAT-2.2.2.2
    translate_hits = 0, untranslate_hits = 5
asa2# sh nat d
asa2# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static RIGHT-11.11.11.11 NAT-2.2.2.2
    translate_hits = 0, untranslate_hits = 5
    Source - Origin: 11.11.11.11/32, Translated: 2.2.2.2/32
asa2#

On ASA2 the traffic is not translated.
  • check if ACL matches the traffic on both ASAs?
As you remember the ACLs on both ASAs should match, now my ACLs:
  
asa1# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list VPN; 1 elements; name hash: 0x7edb8801
access-list VPN line 1 extended permit ip host 11.11.11.11 host 2.2.2.2 (hitcnt=0) 0xa8621235
asa1#

asa2# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list VPN; 1 elements; name hash: 0x7edb8801
access-list VPN line 1 extended permit ip host 11.11.11.11 host 6.6.6.6 (hitcnt=0) 0x5169389c
asa2#

As we see my ACs don’t match and this is a reason why the traffic can’t bring up the VPN tunnel. In version 8.3+ Cisco introduce one major change and for ACL you have to use ‘real’ IP address, not ‘nat-ed’. The current solution is correct with this rule but my ACLs don’t match. Let’s try to use NAT-ed IP in my ACL “VPN”.

ASA1:

asa1(config)# access-list VPN extended permit ip host 6.6.6.6 host 2.2.2.2

ASA2:

asa2(config)# access-list VPN extended permit ip host 2.2.2.2 host 6.6.6.6

and let’s test it again:

r1#ping 2.2.2.2 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 64/71/92 ms
r1#

It works !!!

ASA1:


asa1# sh crypto ikev2 sa

IKEv2 SAs:

Session-id:18, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
235521139          10.0.0.1/500          10.0.0.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/124 sec
Child sa: local selector  6.6.6.6/0 - 6.6.6.6/65535
          remote selector 2.2.2.2/0 - 2.2.2.2/65535
          ESP spi in/out: 0x56ad69da/0x261d1433
asa1#


asa1# sh crypto ikev2 sa detail

IKEv2 SAs:

Session-id:18, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
235521139          10.0.0.1/500          10.0.0.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/152 sec
      Session-id: 18
      Status Description: Negotiation done
      Local spi: CBBB421957EA5272       Remote spi: 23F1298489CC0CE0
      Local id: hostname=asa1.test.com
      Remote id: hostname=asa2.test.com
      Local req mess id: 7              Remote req mess id: 5
      Local next mess id: 7             Remote next mess id: 5
      Local req queued: 7               Remote req queued: 5
      Local window: 1                   Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected
Child sa: local selector  6.6.6.6/0 - 6.6.6.6/65535
          remote selector 2.2.2.2/0 - 2.2.2.2/65535
          ESP spi in/out: 0x56ad69da/0x261d1433
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
asa1#


 
asa1# sh crypto ipsec sa
interface: outside
    Crypto map tag: MAPA, seq num: 10, local addr: 10.0.0.1

      access-list VPN extended permit ip host 6.6.6.6 host 2.2.2.2
      local ident (addr/mask/prot/port): (6.6.6.6/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
      current_peer: 10.0.0.2

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.0.1/500, remote crypto endpt.: 10.0.0.2/500
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 261D1433
      current inbound spi : 56AD69DA

    inbound esp sas:
      spi: 0x56AD69DA (1454205402)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 73728, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (4239359/28610)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x261D1433 (639439923)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 73728, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (3916799/28610)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

asa1#

and ASA2:

asa2# sh crypto ikev2 sa

IKEv2 SAs:

Session-id:18, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
237464427          10.0.0.2/500          10.0.0.1/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/120 sec
Child sa: local selector  2.2.2.2/0 - 2.2.2.2/65535
          remote selector 6.6.6.6/0 - 6.6.6.6/65535
          ESP spi in/out: 0x261d1433/0x56ad69da
asa2#

 
asa2# sh crypto ikev2 sa detail

IKEv2 SAs:

Session-id:18, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
237464427          10.0.0.2/500          10.0.0.1/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/291 sec
      Session-id: 18
      Status Description: Negotiation done
      Local spi: 23F1298489CC0CE0       Remote spi: CBBB421957EA5272
      Local id: hostname=asa2.test.com
      Remote id: hostname=asa1.test.com
      Local req mess id: 12             Remote req mess id: 14
      Local next mess id: 12            Remote next mess id: 14
      Local req queued: 12              Remote req queued: 14
      Local window: 1                   Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected
Child sa: local selector  2.2.2.2/0 - 2.2.2.2/65535
          remote selector 6.6.6.6/0 - 6.6.6.6/65535
          ESP spi in/out: 0x261d1433/0x56ad69da
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
asa2#

 
asa2# sh crypto ipsec sa
interface: outside
    Crypto map tag: MAPA, seq num: 10, local addr: 10.0.0.2

      access-list VPN extended permit ip host 2.2.2.2 host 6.6.6.6
      local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (6.6.6.6/255.255.255.255/0/0)
      current_peer: 10.0.0.1

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.0.2/500, remote crypto endpt.: 10.0.0.1/500
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 56AD69DA
      current inbound spi : 261D1433

    inbound esp sas:
      spi: 0x261D1433 (639439923)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 114688, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (4193279/28480)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x56AD69DA (1454205402)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 114688, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (4055039/28480)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

asa2#

The tunnel is working fine. It seems to be kind of exception from the rule for VPN’s ACLs and we can use NAT-ed IP instead of ‘real’ ones.
Labels:

Comments

Post a Comment

Popular posts from this blog

What should you know about HA 'override enabled' setting on Fortigate?

High availability is mandatory in most of today's network designs. Only very small companies or branches can run their business without redundancy. When you have Fortigate firewall in your network you have many options to increase network availability. You can use Fortigate Clustering Protocol ( FGCP ) or Virtual Router Redundancy Protocol ( VRRP ). FGCP has two modes: 'override' disabled (default) and 'override' enabled . I'm not going to explain how to set up HA as you can find many resources on Fortinet websites: https://cookbook.fortinet.com/high-availability-two-fortigates-56/ https://cookbook.fortinet.com/high-availability-with-fgcp-56/ Let's recap what is the main difference between them. The default HA setting is 'override' disabled and this is an order of selection an active unit: 1) number of monitored interfaces - when both units have the same number of working (up) interfaces check next parameter 2) HA uptime - an ...
8 comments
Read more

FortiGate and GRE tunnel

Recently I worked on one project where a client requested to re-route web traffic to the GRE tunnel to perform traffic inspection. I would like to share with you what is required if you configure it on FortiGate. We need a new GRE interface and policy base routing (PBR) to change the route for specific source IPs. Of course you need firewall policies to permit the traffic. Let's start with GRE interface. Unfortunately you can't configure it using the GUI, only CLI is the option: config system gre-tunnel edit "gre1" set interface "port1" set local-gw 55.55.55.55 set remote-gw 44.44.44.44 next end When the end peer is Cisco router, you need to set the IP for the GRE interface: config system interface edit gre1 set ip 192.168.10.10 255.255.255.255 set remote-ip192.168.10.20 end In next step we need to fix routing. We need the alternate path via GRE but to keep the route in the active routing table you need to set the same AD (adminis...
Post a Comment
Read more

Inpection of asymmetric sessions on FortiGate

There is one feature available on FortiGate, and I think you should know it, as it modifies a bit what we know about stateful firewalls. In past every packet was treated individually and you had to create policies in both directions. With stateful firewalls we can track connections, and by checking couple of attributes, we can treat them as part of the same session. For example when you initiate connection from a host1 to host2, the returning connection from host2 to host1 will be treated as part of the same connection (session). They have to have the same source/destination and destination/source IPs, port numbers and interfaces.There is an exception from this rule and FortiGate in some specific cases can accept connections on port which was not used in the initial connection. Let me explain how it works on the below example:      The host1 has a default gateway on R1 (10.0.1.2), but you may notice that it is not the optimal path to host2 subnet. When we analyze ...
1 comment
Read more