05-12-2010 02:48 PM - edited 02-21-2020 04:38 PM
My setup - one hub (ASA 5505) with 3 L2L spokes. All L2L communication is working fine. I'm trying to set up remote access into the hub and then access the other spokes. I can connect to the hub and its local network via remote VPN - but cannot access the spokes.
For reference...
Hub network - 192.168.1.0
Spokes - 192.168.2.0, 192.168.3.0, 192.168.10.0
Remote Access IP pool - 192.168.99.0
I think the problem is NAT-related but can't find it. I'm posting a scrubbed / condensed version of the hub config and relevant sections from the spoke configs.
<HUB>
!
same-security-traffic permit intra-interface
access-list site1_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list site1_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list site1_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list site1_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list site2_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list site2_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list site2_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list site2_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list site3_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list site3_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list site3_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list site3_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split_tunnel_list standard permit 192.168.1.0 255.255.255.0
access-list split_tunnel_list standard permit 192.168.2.0 255.255.255.0
access-list split_tunnel_list standard permit 192.168.3.0 255.255.255.0
access-list split_tunnel_list standard permit 192.168.10.0 255.255.255.0
ip local pool vpnpool 192.168.99.10-192.168.99.99 mask 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list no_nat_acl
nat (inside) 1 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 <Default Route IP> 1
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 192.168.1.3
key *****
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map ramap 10 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map ramap 10 set reverse-route
crypto map wanmap 1 match address site1_acl
crypto map wanmap 1 set peer <Site 1 Public IP>
crypto map wanmap 1 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map wanmap 1 set security-association lifetime seconds 28800
crypto map wanmap 1 set security-association lifetime kilobytes 4608000
crypto map wanmap 2 match address site2_acl
crypto map wanmap 2 set peer <Site 2 Public IP>
crypto map wanmap 2 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map wanmap 2 set security-association lifetime seconds 28800
crypto map wanmap 2 set security-association lifetime kilobytes 4608000
crypto map wanmap 3 match address site3_acl
crypto map wanmap 3 set peer <Site 3 Public IP>
crypto map wanmap 3 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map wanmap 3 set security-association lifetime seconds 28800
crypto map wanmap 3 set security-association lifetime kilobytes 4608000
crypto map wanmap 99 ipsec-isakmp dynamic ramap
crypto map wanmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no vpn-addr-assign dhcp
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc
group-policy rapolicy internal
group-policy rapolicy attributes
dns-server value 192.168.1.3 192.168.2.5
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
default-domain value mydomain.com.local
split-dns value mydomain.com.local myotherdomain.net.local
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) vpn
tunnel-group <Site 1 Public IP> type ipsec-l2l
tunnel-group <Site 1 Public IP> ipsec-attributes
pre-shared-key *****
tunnel-group <Site 2 Public IP> type ipsec-l2l
tunnel-group <Site 2 Public IP> ipsec-attributes
pre-shared-key *****
tunnel-group <Site 3 Public IP> type ipsec-l2l
tunnel-group <Site 3 Public IP> ipsec-attributes
pre-shared-key *****
tunnel-group myvpn type remote-access
tunnel-group myvpn general-attributes
address-pool vpnpool
authentication-server-group vpn
authentication-server-group (inside) vpn
default-group-policy rapolicy
tunnel-group myvpn ipsec-attributes
pre-shared-key *****
tunnel-group-map default-group myvpn
!
<SPOKE 1>
access-list WAN_ACL permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list WAN_ACL permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list WAN_ACL permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_ACL permit ip 192.168.2.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list NO_NAT_ACL permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO_NAT_ACL permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list NO_NAT_ACL permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NO_NAT_ACL permit ip 192.168.2.0 255.255.255.0 192.168.99.0 255.255.255.0
Other spokes are same as SPOKE 1 with corresponding IP ranges changed.
Any ideas would be most welcome!!!
05-12-2010 05:13 PM
Now what happens is something like this:
192.168.2.x----ASA1---l2l tunnel--ASA2----192.168.1.x
|
Remote Users(192.168.99.0)
RA VPN clients get connected to the hub, i.e. ASA2.
ASA2 has an L2L tunnel with ASA1,
and we want our client to access the network behind the spoke, i.e. ASA1, from ASA2,
so we U-turn the traffic on the outside interface of ASA2 using "same-security-traffic permit intra-interface"
and NAT it like this:
nat (outside) 0 access-list 110
access-l 110 permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0
access-l 110 permit ip 192.168.99.0 255.255.255.0 192.168.3.0 255.255.255.0
access-l 110 permit ip 192.168.99.0 255.255.255.0 192.168.4.0 255.255.255.0
On the respective spokes, add this to their no-NAT and crypto ACLs:
192.168.2.0 255.255.255.0 to 192.168.99.0
192.168.3.0 255.255.255.0 to 192.168.99.0
192.168.4.0 255.255.255.0 to 192.168.99.0
and this should work.
Let me know how it goes.
05-12-2010 05:44 PM
This will give you a better understanding:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094cea.shtml
Leave the authentication part.
05-13-2010 07:43 AM
If you see the config I posted, I already have those entries. Obviously, I already have the 'same-security-traffic permit intra-interface' enabled to allow hairpinning. Otherwise, my spoke-to-spoke communication wouldn't be working.
I also already have the NAT statements listed. Specifically, on the 'hub',
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.10.0 255.255.255.0
I also have the reverse/corresponding NAT entries on the spokes in both the crypto and NAT ACLs. For example, on spoke 1, I added the following 2 lines to the appropriate access lists (WAN_ACL is the crypto ACL, NO_NAT_ACL is self-explanatory).
access-list WAN_ACL permit ip 192.168.2.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list NO_NAT_ACL permit ip 192.168.2.0 255.255.255.0 192.168.99.0 255.255.255.0
Any other ideas why it wouldn't be working?
[EDIT]
This URL is almost carbon-copy what I want to do (except it only shows 2 L2L spokes and I have 3).
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml
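As an added example (not from this thread, Cisco, or any poster), a small Python checker for the two conditions the reply above describes for hairpinned remote-access traffic: the hub's crypto ACL for each spoke must carry pool -> spoke, and the identity NAT exempting pool -> spoke must be bound with "nat (outside) 0" on the interface the U-turned traffic arrives on. It runs against a constructed snippet of the pool-related lines from the hub config in the first post; the spoke mapping and pool CIDR are assumptions taken from that post.

```python
import re
from ipaddress import ip_network

ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(\d[\d.]+)\s+(\d[\d.]+)\s+(\d[\d.]+)\s+(\d[\d.]+)")
NAT0_RE = re.compile(r"nat\s+\((\w+)\)\s+0\s+access-list\s+(\S+)")

def parse_acls(config):
    """Map ACL name -> set of (src_cidr, dst_cidr) from 'permit ip' lines."""
    acls = {}
    for name, s, sm, d, dm in ACL_RE.findall(config):
        pair = (str(ip_network(f"{s}/{sm}")), str(ip_network(f"{d}/{dm}")))
        acls.setdefault(name, set()).add(pair)
    return acls

def nat0_bindings(config):
    """Map interface -> ACL name from 'nat (ifc) 0 access-list' lines."""
    return dict(NAT0_RE.findall(config))

def check_hub(hub_cfg, pool, spokes):
    """spokes: {crypto_acl_name: spoke_cidr}. Returns a sorted list of findings."""
    acls, nat0 = parse_acls(hub_cfg), nat0_bindings(hub_cfg)
    # Hairpinned RA traffic enters and leaves on 'outside', so the identity
    # NAT must be bound there; a 'nat (inside) 0' rule never sees it.
    exempt = acls.get(nat0.get("outside"), set())
    findings = []
    for crypto_acl, spoke_net in spokes.items():
        if (pool, spoke_net) not in acls.get(crypto_acl, set()):
            findings.append(f"{crypto_acl}: missing {pool} -> {spoke_net}")
        if (pool, spoke_net) not in exempt:
            findings.append(f"nat (outside) 0: no exemption {pool} -> {spoke_net}")
    return sorted(findings)

# Constructed sample: the pool-related lines of the hub config posted in the thread.
HUB_SNIPPET = """
access-list site1_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list site2_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list site3_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list no_nat_acl
"""
# Assumed spoke mapping (crypto ACL -> spoke network) from the first post.
SPOKES = {"site1_acl": "192.168.2.0/24", "site2_acl": "192.168.3.0/24", "site3_acl": "192.168.10.0/24"}

if __name__ == "__main__":
    for finding in check_hub(HUB_SNIPPET, "192.168.99.0/24", SPOKES):
        print(finding)
```

On the posted snippet the checker reports that no "nat (outside) 0" exemption exists for any spoke and that site3_acl carries 192.168.2.0 instead of 192.168.10.0 as the destination for the pool.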