Remote Access to L2L sites not working

Unanswered Question
May 12th, 2010

My setup - one hub (ASA 5505) with 3 L2L spokes.  All L2L communication is working fine.  I'm trying to setup remote access into the hub and then access the other spokes.  I can connect to the hub and its local network via remote VPN - but cannot access the spokes.


For reference...


Hub network - 192.168.1.0

Spokes - 192.168.2.0, 192.168.3.0, 192.168.10.0

Remote Access IP pool - 192.168.99.0


I think the problem is NAT-related but can't find it.  I'm posting a scrubbed  / condensed version of the hub config and relevant sections from the spoke configs.


<HUB>

!
same-security-traffic permit intra-interface

access-list site1_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list site1_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list site1_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list site1_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list site2_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list site2_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list site2_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list site2_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list site3_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list site3_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list site3_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list site3_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list no_nat_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list split_tunnel_list standard permit 192.168.1.0 255.255.255.0
access-list split_tunnel_list standard permit 192.168.2.0 255.255.255.0
access-list split_tunnel_list standard permit 192.168.3.0 255.255.255.0
access-list split_tunnel_list standard permit 192.168.10.0 255.255.255.0

ip local pool vpnpool 192.168.99.10-192.168.99.99 mask 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list no_nat_acl
nat (inside) 1 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 <Default Route IP> 1
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 192.168.1.3
key *****
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map ramap 10 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map ramap 10 set reverse-route
crypto map wanmap 1 match address site1_acl
crypto map wanmap 1 set peer <Site 1 Public IP>
crypto map wanmap 1 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map wanmap 1 set security-association lifetime seconds 28800
crypto map wanmap 1 set security-association lifetime kilobytes 4608000
crypto map wanmap 2 match address site2_acl
crypto map wanmap 2 set peer <Site 2 Public IP>
crypto map wanmap 2 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map wanmap 2 set security-association lifetime seconds 28800
crypto map wanmap 2 set security-association lifetime kilobytes 4608000
crypto map wanmap 3 match address site3_acl
crypto map wanmap 3 set peer <Site 3 Public IP>
crypto map wanmap 3 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map wanmap 3 set security-association lifetime seconds 28800
crypto map wanmap 3 set security-association lifetime kilobytes 4608000
crypto map wanmap 99 ipsec-isakmp dynamic ramap
crypto map wanmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no vpn-addr-assign dhcp

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc
group-policy rapolicy internal
group-policy rapolicy attributes
dns-server value 192.168.1.3 192.168.2.5
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
default-domain value mydomain.com.local
split-dns value mydomain.com.local myotherdomain.net.local
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) vpn
tunnel-group <Site 1 Public IP> type ipsec-l2l
tunnel-group <Site 1 Public IP> ipsec-attributes
pre-shared-key *****
tunnel-group <Site 2 Public IP> type ipsec-l2l
tunnel-group <Site 2 Public IP> ipsec-attributes
pre-shared-key *****
tunnel-group <Site 3 Public IP> type ipsec-l2l
tunnel-group <Site 3 Public IP> ipsec-attributes
pre-shared-key *****
tunnel-group myvpn type remote-access
tunnel-group myvpn general-attributes
address-pool vpnpool
authentication-server-group vpn
authentication-server-group (inside) vpn
default-group-policy rapolicy
tunnel-group myvpn ipsec-attributes
pre-shared-key *****
tunnel-group-map default-group myvpn
!

<SPOKE 1>

access-list WAN_ACL permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list WAN_ACL permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list WAN_ACL permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_ACL permit ip 192.168.2.0 255.255.255.0 192.168.99.0 255.255.255.0

access-list NO_NAT_ACL permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO_NAT_ACL permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list NO_NAT_ACL permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NO_NAT_ACL permit ip 192.168.2.0 255.255.255.0 192.168.99.0 255.255.255.0

Other spokes are same as SPOKE 1 with corresponding IP ranges changed.


Any ideas would be most welcome!!!

puseth Wed, 05/12/2010 - 17:13


now what happens is something like this


192.168.2.x----ASA1---l2l tunnel--ASA2----192.168.1.x
                                   |
                        Remote Users (192.168.99.0)


ra vpn clients get connected to the hub i.e. ASA2

ASA2 has a l2l tunnel with ASA1

and we want our client to access the network behind spoke i.e. ASA1 from ASA2


so we u-turn the traffic on the outside interface of the ASA2 using "same-security-traffic permit intra-interface"


and nat it like this:-


nat (outside) 0 access-list 110

access-l 110 permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0

access-l 110 permit ip 192.168.99.0 255.255.255.0 192.168.3.0 255.255.255.0

access-l 110 permit ip 192.168.99.0 255.255.255.0 192.168.4.0 255.255.255.0
on the respective Spokes


add this in their nonat & crypto acl


192.168.2.0 255.255.255.0 to 192.168.99.0

192.168.3.0 255.255.255.0 to 192.168.99.0

192.168.4.0 255.255.255.0 to 192.168.99.0


and this should work....

let me know how it goes

petersonmd Thu, 05/13/2010 - 07:43

If you see the config I posted, I already have those entries.  Obviously, I already have the 'same-security-traffic permit intra-interface' enabled to allow hairpinning.  Otherwise, my spoke-to-spoke communication wouldn't be working.


I also already have the NAT statements listed.  Specifically, on the 'hub',


access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.10.0 255.255.255.0


I also have the reverse/corresponding NAT entries on the spokes in both the crypto and nat ACLs.  For example, on spoke 1, I added the following 2 lines to the appropriate access lists (WAN_ACL is the crypto ACL, NO_NAT_ACL is self-explanatory).


access-list WAN_ACL permit ip 192.168.2.0 255.255.255.0 192.168.99.0 255.255.255.0

access-list NO_NAT_ACL permit ip 192.168.2.0 255.255.255.0 192.168.99.0 255.255.255.0


Any other ideas why it wouldn't be working?


[EDIT]

This URL is almost carbon-copy what I want to do (except it only shows 2 L2L spokes and I have 3).

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml
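Editor's note: the exchange above turns on whether every ACL involved in hairpinning the remote-access pool through the L2L tunnels is present and symmetric. Two things are visible in the configs as posted. First, the fourth line of site3_acl on the hub points the pool at 192.168.2.0 rather than 192.168.10.0, so there is no crypto ACL entry that would send 192.168.99.0 traffic into the site 3 tunnel. Second, the hub's only NAT exemption is `nat (inside) 0 access-list no_nat_acl`, whereas the reply recommends an exemption bound to the outside interface, which is where decrypted client traffic enters before being u-turned. The script below is an added example, not code from the thread or from Cisco: it parses the pre-8.3 `access-list ... permit ip` and `nat (iface) 0 access-list` syntax seen in the posts, checks that the pool-to-spoke entries exist on the hub (crypto and NAT-exempt) and their mirror images on each spoke, and reports the two gaps above. The spoke 2 and spoke 3 ACLs are constructed from the statement that they match SPOKE 1 with the subnet changed, and the "corrected" audit applies the two fixes the findings point at as an assumption, not as something the thread confirms resolved the problem.

```python
"""Consistency audit for remote-access-over-L2L ACLs on a Cisco ASA
(pre-8.3 nat-control syntax, as posted in this thread). Added example, not Cisco code."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network

# 'access-list NAME [extended] permit ip SRC SRC_MASK DST DST_MASK'
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)
# 'nat (IFACE) 0 access-list NAME'  (NAT exemption bound to one interface)
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$")


def parse_acls(config):
    """Map ACL name -> set of (src, dst) networks for every 'permit ip' entry."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, src_mask, dst, dst_mask = m.groups()
            acls.setdefault(name, set()).add(
                (IPv4Network(f"{src}/{src_mask}"), IPv4Network(f"{dst}/{dst_mask}"))
            )
    return acls


def parse_nat0(config):
    """Map interface name -> ACL name for every 'nat (iface) 0 access-list' line."""
    nat0 = {}
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            nat0[m.group(1)] = m.group(2)
    return nat0


@dataclass
class Spoke:
    subnet: IPv4Network
    hub_crypto_acl: str   # hub-side crypto ACL matched to this spoke's peer
    config: str           # the spoke's own ACL lines
    crypto_acl: str       # spoke-side crypto ACL name
    nonat_acl: str        # spoke-side NAT-exempt ACL name


def check(hub_config, spokes, ra_pool, ra_ingress_if="outside"):
    """Return findings as strings; an empty list means every required entry exists."""
    findings = []
    hub_acls = parse_acls(hub_config)
    nat0 = parse_nat0(hub_config)
    # Decrypted RA traffic enters on the outside interface and is hairpinned back
    # out of it, so (as the reply suggests) the exemption must be bound there too.
    if ra_ingress_if not in nat0:
        findings.append(f"hub: no 'nat ({ra_ingress_if}) 0 access-list' for hairpinned RA traffic")
    hub_nonat = set()
    for acl_name in nat0.values():
        hub_nonat |= hub_acls.get(acl_name, set())
    for sp in spokes:
        fwd = (ra_pool, sp.subnet)   # hub side: pool -> spoke
        rev = (sp.subnet, ra_pool)   # spoke side: the mirror image
        if fwd not in hub_acls.get(sp.hub_crypto_acl, set()):
            findings.append(f"hub crypto ACL {sp.hub_crypto_acl}: missing {ra_pool} -> {sp.subnet}")
        if fwd not in hub_nonat:
            findings.append(f"hub NAT-exempt ACL: missing {ra_pool} -> {sp.subnet}")
        sp_acls = parse_acls(sp.config)
        for label, acl in (("crypto", sp.crypto_acl), ("NAT-exempt", sp.nonat_acl)):
            if rev not in sp_acls.get(acl, set()):
                findings.append(f"spoke {sp.subnet} {label} ACL {acl}: missing {sp.subnet} -> {ra_pool}")
    return findings


# Condensed from the hub config posted above: only the lines involving the RA pool.
HUB_CONFIG = """
access-list site1_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list site2_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list site3_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list no_nat_acl
"""
RA_POOL = IPv4Network("192.168.99.0/24")


def spoke_config(subnet):
    """SPOKE 1's pool entries as posted; other spokes are constructed by changing the subnet."""
    return (
        f"access-list WAN_ACL permit ip {subnet.network_address} {subnet.netmask} 192.168.99.0 255.255.255.0\n"
        f"access-list NO_NAT_ACL permit ip {subnet.network_address} {subnet.netmask} 192.168.99.0 255.255.255.0\n"
    )


SPOKES = [
    Spoke(IPv4Network(net), acl, spoke_config(IPv4Network(net)), "WAN_ACL", "NO_NAT_ACL")
    for net, acl in (("192.168.2.0/24", "site1_acl"),
                     ("192.168.3.0/24", "site2_acl"),
                     ("192.168.10.0/24", "site3_acl"))
]


def audit_posted_config():
    """Findings for the configuration exactly as posted in the thread."""
    return check(HUB_CONFIG, SPOKES, RA_POOL)


def audit_corrected_config():
    """Same audit after the two assumed fixes: the site3_acl subnet and an outside-bound exemption."""
    fixed = HUB_CONFIG.replace(
        "site3_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0",
        "site3_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.10.0",
    ) + "nat (outside) 0 access-list no_nat_acl\n"
    return check(fixed, SPOKES, RA_POOL)


if __name__ == "__main__":
    for finding in audit_posted_config():
        print(finding)
```

Running it against the posted configuration prints the missing outside-bound NAT exemption and the site3_acl entry; the corrected audit returns nothing. The check is deliberately limited to `permit ip` entries and the interface-bound `nat ... 0 access-list` form, since that is the only syntax the thread shows; on 8.3 and later the NAT model is different and this parser does not apply.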
