Wednesday, May 6, 2020

ASA - Why is my double NAT not working?

I have been running in circles for the past few hours trying to solve this. I have an ASA (SiteB) with two site-to-site VPNs connected to it:

SiteA and SiteC

Both site-to-site VPNs are working fine. But I am trying to set up a double NAT hairpin so that the devices at SiteC can reach a server at SiteA.

SiteA servers: 10.10.x.x

SiteB devices: 172.17.1.x

SiteC devices: 172.17.2.x

Internal devices at SiteB can reach the server at SiteA using a double NAT, but when I use a similar double NAT for the traffic from SiteC, it seems like the ASA is only translating the source IP and not the destination.

Here's the config on SiteB ASA:

nat (inside,outside) source static INTERNAL-NETWORKS NAT-INTERNAL-NETWORKS destination static NAT-SERVER REAL-SERVER
nat (outside,outside) source static SITEC-NETWORKS NAT-SITEC-NETWORKS destination static NAT-SERVER REAL-SERVER

object network INTERNAL-NETWORKS
 subnet 172.17.1.0 255.255.255.0
object network NAT-INTERNAL-NETWORKS
 host 10.9.1.1
object network NAT-SERVER
 host 10.9.1.100
object network REAL-SERVER
 host 10.10.1.100
object network SITEC-NETWORKS
 subnet 172.17.2.0 255.255.255.0
object network NAT-SITEC-NETWORKS
 host 10.9.1.2

same-security-traffic permit intra-interface

This is the error I am getting in the log:

Duplicate TCP SYN from outside:10.9.1.2/56221 to outside:10.9.1.100/25 with different initial sequence number

Most likely caused by a loop on the outside interface. I don't get this error from devices on the inside interface.

This is the packet-tracer result for devices coming from inside SiteB:

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static INTERNAL-NETWORKS NAT-INTERNAL-NETWORKS destination static NAT-SERVER REAL-SERVER
Additional Information:
NAT divert to egress interface outside
Untranslate 10.9.1.100/25 to 10.10.1.100/25

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.17.1.254 using egress ifc inside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static INTERNAL-NETWORKS NAT-INTERNAL-NETWORKS destination static NAT-SERVER REAL-SERVER
Additional Information:
Static translate 172.17.1.10/25521 to 10.9.1.1/25521

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map CM-SFR
 match access-list ACL-SFR
policy-map global_policy
 class CM-SFR
  sfr fail-open monitor-only
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static INTERNAL-NETWORKS NAT-INTERNAL-NETWORKS destination static NAT-SERVER REAL-SERVER
Additional Information:

Phase: 13
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 16
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 626947750, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

This is the packet-tracer result for devices coming from SiteC:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.2.3.4 using egress ifc outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.2.3.4 using egress ifc outside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,outside) source static SITEC-NETWORKS NAT-SITEC-NETWORKS destination static NAT-SERVER REAL-SERVER
Additional Information:
Static translate 172.17.2.1/25521 to 10.9.1.2/25521

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map CM-SFR
 match access-list ACL-SFR
policy-map global_policy
 class CM-SFR
  sfr fail-open monitor-only
service-policy global_policy global
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:

Phase: 10
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 16
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected

# show nat
(inside) to (outside) source static INTERNAL-NETWORKS NAT-INTERNAL-NETWORKS destination static NAT-SERVER REAL-SERVER
    translate_hits = 23072, untranslate_hits = 23081
(outside) to (outside) source static SITEC-NETWORKS NAT-SITEC-NETWORKS destination static NAT-SERVER REAL-SERVER
    translate_hits = 18, untranslate_hits = 0

Why does it only translate the source and not also the destination for the traffic coming from SiteC?
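As an added diagnostic that is not part of the post above: a small parser for the ASA packet-tracer output quoted in it, which reports whether a trace contains an UN-NAT phase (the destination being untranslated) and what the packet's final action and drop reason were. The two sample traces are constructed from the runs in the post, one phase per line and trimmed to the phases that matter for the NAT question.

```python
import re

# Parser for Cisco ASA "packet-tracer" output. Added example, not from the
# post: it checks whether a trace contains an UN-NAT phase (destination being
# untranslated) and reports the final action and drop reason.
PHASE_RE = re.compile(
    r"Phase:\s*(\d+)\s+Type:\s*(\S+)(.*?)"
    r"(?=Phase:\s*\d+|Result:\s*input-interface|\Z)", re.S)
XLATE_RE = re.compile(r"(Untranslate|Static translate)\s+(\S+)\s+to\s+(\S+)")

# Sample traces constructed from the two packet-tracer runs quoted in the post,
# one phase per line, trimmed to the phases that matter for the NAT question.
TRACE_INSIDE = """\
Phase: 1 Type: UN-NAT Subtype: static Result: ALLOW Additional Information: Untranslate 10.9.1.100/25 to 10.10.1.100/25
Phase: 2 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Additional Information: found next-hop 172.17.1.254 using egress ifc inside
Phase: 3 Type: NAT Subtype: Result: ALLOW Additional Information: Static translate 172.17.1.10/25521 to 10.9.1.1/25521
Result: input-interface: inside output-interface: outside Action: allow"""

TRACE_SITEC = """\
Phase: 1 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Additional Information: found next-hop 1.2.3.4 using egress ifc outside
Phase: 3 Type: NAT Subtype: Result: ALLOW Additional Information: Static translate 172.17.2.1/25521 to 10.9.1.2/25521
Phase: 16 Type: VPN Subtype: encrypt Result: ALLOW
Result: input-interface: outside output-interface: outside Action: drop Drop-reason: (ipsec-spoof) IPSEC Spoof detected"""

def parse_phases(text):
    # One dict per phase: number, type, result and any address translation.
    phases = []
    for num, ptype, body in PHASE_RE.findall(text):
        result = re.search(r"Result:\s*(ALLOW|DROP)", body)
        xlate = XLATE_RE.search(body)
        phases.append({"phase": int(num), "type": ptype,
                       "result": result.group(1) if result else None,
                       "translate": xlate.groups() if xlate else None})
    return phases

def summarize(text):
    # Was the destination untranslated, and what happened to the packet?
    phases = parse_phases(text)
    action = re.search(r"Action:\s*(\w+)", text)
    drop = re.search(r"Drop-reason:\s*\(([^)]+)\)", text)
    xlates = [p["translate"] for p in phases if p["translate"]]
    return {
        "un_nat_phase": any(p["type"] == "UN-NAT" for p in phases),
        "dest_untranslate": next((x[1:] for x in xlates if x[0] == "Untranslate"), None),
        "src_translate": next((x[1:] for x in xlates if x[0] == "Static translate"), None),
        "action": action.group(1) if action else None,
        "drop_reason": drop.group(1) if drop else None,
    }
```

Run summarize() on a full packet-tracer capture: the inside trace reports an UN-NAT phase with the server untranslated, while the SiteC trace reports no UN-NAT phase, only the source translation, and the ipsec-spoof drop.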
