Remote Access to L2L sites not working

petersonmd
Level 1

My setup - one hub (ASA 5505) with 3 L2L spokes.  All L2L communication is working fine.  I'm trying to setup remote access into the hub and then access the other spokes.  I can connect to the hub and its local network via remote VPN - but cannot access the spokes.

For reference...

Hub network - 192.168.1.0

Spokes - 192.168.2.0, 192.168.3.0, 192.168.10.0

Remote Access IP pool - 192.168.99.0

I think the problem is NAT-related but can't find it.  I'm posting a scrubbed  / condensed version of the hub config and relevant sections from the spoke configs.

<HUB>

!
same-security-traffic permit intra-interface

access-list site1_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list site1_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list site1_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list site1_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list site2_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list site2_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list site2_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list site2_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list site3_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list site3_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list site3_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list site3_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list no_nat_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list split_tunnel_list standard permit 192.168.1.0 255.255.255.0
access-list split_tunnel_list standard permit 192.168.2.0 255.255.255.0
access-list split_tunnel_list standard permit 192.168.3.0 255.255.255.0
access-list split_tunnel_list standard permit 192.168.10.0 255.255.255.0

ip local pool vpnpool 192.168.99.10-192.168.99.99 mask 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list no_nat_acl
nat (inside) 1 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 <Default Route IP> 1
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 192.168.1.3
key *****
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map ramap 10 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map ramap 10 set reverse-route
crypto map wanmap 1 match address site1_acl
crypto map wanmap 1 set peer <Site 1 Public IP>
crypto map wanmap 1 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map wanmap 1 set security-association lifetime seconds 28800
crypto map wanmap 1 set security-association lifetime kilobytes 4608000
crypto map wanmap 2 match address site2_acl
crypto map wanmap 2 set peer <Site 2 Public IP>
crypto map wanmap 2 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map wanmap 2 set security-association lifetime seconds 28800
crypto map wanmap 2 set security-association lifetime kilobytes 4608000
crypto map wanmap 3 match address site3_acl
crypto map wanmap 3 set peer <Site 3 Public IP>
crypto map wanmap 3 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map wanmap 3 set security-association lifetime seconds 28800
crypto map wanmap 3 set security-association lifetime kilobytes 4608000
crypto map wanmap 99 ipsec-isakmp dynamic ramap
crypto map wanmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no vpn-addr-assign dhcp

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc
group-policy rapolicy internal
group-policy rapolicy attributes
dns-server value 192.168.1.3 192.168.2.5
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
default-domain value mydomain.com.local
split-dns value mydomain.com.local myotherdomain.net.local
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) vpn
tunnel-group <Site 1 Public IP> type ipsec-l2l
tunnel-group <Site 1 Public IP> ipsec-attributes
pre-shared-key *****
tunnel-group <Site 2 Public IP> type ipsec-l2l
tunnel-group <Site 2 Public IP> ipsec-attributes
pre-shared-key *****
tunnel-group <Site 3 Public IP> type ipsec-l2l
tunnel-group <Site 3 Public IP> ipsec-attributes
pre-shared-key *****
tunnel-group myvpn type remote-access
tunnel-group myvpn general-attributes
address-pool vpnpool
authentication-server-group vpn
authentication-server-group (inside) vpn
default-group-policy rapolicy
tunnel-group myvpn ipsec-attributes
pre-shared-key *****
tunnel-group-map default-group myvpn
!

<SPOKE 1>

access-list WAN_ACL permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list WAN_ACL permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list WAN_ACL permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_ACL permit ip 192.168.2.0 255.255.255.0 192.168.99.0 255.255.255.0

access-list NO_NAT_ACL permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO_NAT_ACL permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list NO_NAT_ACL permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NO_NAT_ACL permit ip 192.168.2.0 255.255.255.0 192.168.99.0 255.255.255.0

Other spokes are the same as SPOKE 1 with the corresponding IP ranges changed.

Any ideas would be most welcome!!!

3 Replies

puseth
Level 1

now what happens is something like this

192.168.2.x----ASA1---l2l tunnel--ASA2----192.168.1.x

                                                  |

                                 Remote Users(192.168.99.0)

ra vpn clients get connected to the hub i.e. ASA2

ASA2 has a l2l tunnel with ASA1

and we want our client to access the network behind spoke i.e. ASA1 from ASA2

so we u-turn the traffic on the outside interface of the ASA2 using "same-security-traffic permit intra-interface"

and nat it like this:-

nat (outside) 0 access-list 110

access-l 110 permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0

access-l 110 permit ip 192.168.99.0 255.255.255.0 192.168.3.0 255.255.255.0

access-l 110 permit ip 192.168.99.0 255.255.255.0 192.168.4.0 255.255.255.0

on the respective Spokes

add this in their nonat & crypto acl

192.168.2.0 255.255.255.0 to 192.168.99.0

192.168.3.0 255.255.255.0 to 192.168.99.0

192.168.4.0 255.255.255.0 to 192.168.99.0

and this should work....

let me know how it goes

If you see the config I posted, I already have those entries.  Obviously, I already have the 'same-security-traffic permit intra-interface' enabled to allow hairpinning.  Otherwise, my spoke-to-spoke communication wouldn't be working.

I also already have the NAT statements listed.  Specifically, on the 'hub',

access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.10.0 255.255.255.0

I also have the reverse/corresponding NAT entries on the spokes in both the crypto and nat ACLs.  For example, on spoke 1, I added the following 2 lines to the appropriate access lists (WAN_ACL is the crypto ACL, NO_NAT_ACL is self-explanatory).

access-list WAN_ACL permit ip 192.168.2.0 255.255.255.0 192.168.99.0 255.255.255.0

access-list NO_NAT_ACL permit ip 192.168.2.0 255.255.255.0 192.168.99.0 255.255.255.0

Any other ideas why it wouldn't be working?

[EDIT]

This URL is almost carbon-copy what I want to do (except it only shows 2 L2L spokes and I have 3).

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml
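The rule in the reply above (for every spoke, the pool-to-spoke pair must appear in both the hub's crypto ACL for that peer and its nat 0 exemption) is easy to state and easy to get wrong by one line in a config of this size. As an added example, not code from this thread or from Cisco, the Python script below parses the pre-8.3 style access-list, crypto map and nat 0 lines of a constructed excerpt of the hub config from the original post and reports, per L2L crypto map entry, any crypto ACL line whose destination is not that entry's spoke subnet and any pool-to-spoke pair missing from the crypto ACL or the exemption; the names HUB_CONFIG, parse and audit_hub and the pool argument are the example's own. In the posted hub config the site3_acl pool line has destination 192.168.2.0 rather than 192.168.10.0, which is exactly the kind of entry the check reports.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed excerpt of the hub config from the original post (pre-8.3 ASA syntax).
HUB_CONFIG = """
access-list site1_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list site1_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list site3_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list site3_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list site3_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat_acl extended permit ip 192.168.99.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list no_nat_acl
crypto map wanmap 1 match address site1_acl
crypto map wanmap 3 match address site3_acl
"""
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map \S+ (\d+) match address (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")

def parse(config):
    """Collect ACL (src, dst) network pairs, crypto-map seq -> ACL name, and nat 0 ACL names."""
    acls, maps, nat0 = {}, {}, set()
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((ip_network(f"{s}/{sm}"), ip_network(f"{d}/{dm}")))
        elif m := MAP_RE.match(line):
            maps[int(m.group(1))] = m.group(2)
        elif m := NAT0_RE.match(line):
            nat0.add(m.group(1))
    return acls, maps, nat0

def audit_hub(config, pool):
    """Per L2L crypto map entry: does the RA pool reach that spoke in the crypto ACL and nat 0?"""
    pool = ip_network(pool)
    acls, maps, nat0 = parse(config)
    exempt = {pair for name in nat0 for pair in acls.get(name, [])}
    findings = []
    for name in [maps[seq] for seq in sorted(maps) if maps[seq] in acls]:
        entries = acls[name]
        spoke = Counter(dst for _, dst in entries).most_common(1)[0][0]  # dst most lines share
        for src, dst in entries:
            if dst != spoke:
                findings.append(f"{name}: {src} -> {dst} does not match spoke {spoke}")
        for where, table in ((f"crypto ACL {name}", entries), ("nat 0 exemption", exempt)):
            if (pool, spoke) not in table:
                findings.append(f"{where}: no entry {pool} -> {spoke}")
    return findings
```

Run audit_hub(HUB_CONFIG, "192.168.99.0/24") against the full hub config (all three site ACLs) and then against each spoke's WAN_ACL / NO_NAT_ACL with the spoke's own subnet as the pool argument to check the reverse direction the same way.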
