ASA VPN hairpin

jacobs_son
Level 1

Hello all,

I have 2 sites connected to a central hub via VPN. I need the 2 remote sites to talk to each other. This all works correctly by hairpinning on the outside interface of the hub, except that the SA between remote site A and the hub does not get established for the subnet at remote site B when pinging from site B to site A. I have to ping from both remote sites to the opposite remote subnet for the SAs to be established and traffic to pass correctly.

Does anyone know how I can get the SAs to establish on both tunnels by sending traffic in 1 direction only?

Please let me know if you need any further details.

Thanks


8 Replies

Jennifer Halim
Cisco Employee

Sounds like both remote sites have dynamic public IP addresses assigned on their outside interfaces (the VPN termination interface).

If that is a true statement, then you would need to ping both ways, as each remote site needs to establish the VPN towards the hub first before they can ping each other.

If both remote sites have static public IP addresses assigned, then please share the config from all 3 sites.

Hi, thanks for the reply. I have static IPs at all sites. Here are the relevant bits of the config:

Remote site 1


interface Ethernet0/0
nameif inside
security-level 100
ip address 10.13.1.1 255.255.0.0
!
interface Ethernet0/1
nameif dmz
security-level 50
ip address 10.14.1.1 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0

boot system disk0:/asa805-k8.bin

access-list inside_access_in extended permit ip 10.13.0.0 255.255.0.0 10.0.0.0 255.0.0.0

access-list outside_cryptomap_10_1 extended permit ip 10.13.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list outside_cryptomap_10_1 extended permit ip 10.13.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.13.0.0 255.255.0.0 10.0.0.0 255.0.0.0

global (inside) 1 interface
global (dmz) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.13.0.0 255.255.0.0
nat (dmz) 1 10.14.0.0 255.255.255.0

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map_1 10 match address outside_cryptomap_10_1
crypto map outside_map_1 10 set peer 3.3.3.3
crypto map outside_map_1 10 set transform-set ESP-AES-128-SHA
crypto map outside_map_1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key *

____________________________________________________________

Remote site 2

interface Ethernet0/0
nameif inside
security-level 100
ip address 10.30.1.1 255.255.0.0
!
interface Ethernet0/1
nameif dmz
security-level 50
ip address 10.31.1.1 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.0

boot system disk0:/asa805-k8.bin

access-list inside_access_in extended permit ip 10.30.0.0 255.255.0.0 10.0.0.0 255.0.0.0

access-list outside_cryptomap_10_1 extended permit ip 10.30.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list outside_cryptomap_10_1 extended permit ip 10.30.0.0 255.255.0.0 10.13.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.30.0.0 255.255.0.0 10.0.0.0 255.0.0.0

global (inside) 1 interface
global (dmz) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.30.0.0 255.255.0.0
nat (dmz) 1 10.31.0.0 255.255.255.0

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map_1 10 match address outside_cryptomap_10_1
crypto map outside_map_1 10 set peer 3.3.3.3
crypto map outside_map_1 10 set transform-set ESP-AES-128-SHA
crypto map outside_map_1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key *


________________________________________________________________________

Hub site:


interface Ethernet0/0
nameif inside
security-level 100
ip address 10.20.1.1 255.255.0.0
!
interface Ethernet0/1
nameif dmz
security-level 50
ip address 10.21.1.1 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 3.3.3.3 255.255.255.0

boot system disk0:/asa805-k8.bin

same-security-traffic permit intra-interface

access-list inside_access_in extended permit ip 10.20.0.0 255.255.0.0 10.0.0.0 255.0.0.0

access-list outside_cryptomap_10_1 extended permit ip 10.20.0.0 255.255.0.0 10.13.0.0 255.255.0.0
access-list outside_cryptomap_10_1 extended permit ip 10.30.0.0 255.255.0.0 10.13.0.0 255.255.0.0
access-list outside_cryptomap_20_1 extended permit ip 10.20.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list outside_cryptomap_20_1 extended permit ip 10.13.0.0 255.255.0.0 10.30.0.0 255.255.0.0

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list outside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0

global (inside) 1 interface
global (dmz) 1 interface
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.20.0.0 255.255.0.0
nat (dmz) 1 10.21.0.0 255.255.255.0

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map_1 10 match address outside_cryptomap_10_1
crypto map outside_map_1 10 set peer 1.1.1.1
crypto map outside_map_1 10 set transform-set ESP-AES-128-SHA
crypto map outside_map_1 20 match address outside_cryptomap_20_1
crypto map outside_map_1 20 set peer 2.2.2.2
crypto map outside_map_1 20 set transform-set ESP-AES-128-SHA
crypto map outside_map_1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *

Please let me know if there's anything else you would like to see.

James

Configuration looks perfect, except 1 line that is not required on the HUB ASA:

nat (outside) 0 access-list  outside_nat0_outbound

Please remove the nat 0 with ACL on the outside interface as it is not required, and "clear xlate".

Clear the SA on all 3 ASAs, then test a ping from 1 site (i.e. the remote 1 LAN) with 20 ping packets towards the remote 2 LAN, and grab the output of the following from all 3 ASAs:

show crypto ipsec sa

I have removed that line of config and all still works as before. Strange, as I had always needed this in the past to allow RA VPN users to hairpin back out to other remote subnets...

Here are the SAs; they look just the same as before, with decaps at the hub but no encaps going out to the second remote site.

Remote site 1

remotesite1# sh crypto ipsec sa peer 3.3.3.3

peer address: 3.3.3.3

    Crypto map tag: outside_map_1, seq num: 80, local addr: 1.1.1.1

      access-list outside_cryptomap_80_1 extended permit ip 10.13.0.0 255.255.0.0 10.20.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.13.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.30.0.0/255.255.0.0/0/0)
      current_peer: 3.3.3.3

      #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 20, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.1.1.1, remote crypto endpt.: 3.3.3.3

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 0847389F
      current inbound spi : 517A7F5E

    inbound esp sas:
      spi: 0x517A7F5E (1366982494)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 15597568, crypto-map: outside_map_1
         sa timing: remaining key lifetime (kB/sec): (4374000/99854)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x0847389F (138885279)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 15597568, crypto-map: outside_map_1
         sa timing: remaining key lifetime (kB/sec): (4373998/99854)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: outside_map_1, seq num: 80, local addr: 1.1.1.1

      access-list outside_cryptomap_80_1 extended permit ip 10.13.0.0 255.255.0.0 10.30.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.13.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      current_peer: 3.3.3.3

      #pkts encaps: 4847, #pkts encrypt: 4847, #pkts digest: 4847
      #pkts decaps: 5477, #pkts decrypt: 5477, #pkts verify: 5477
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4847, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.1.1.1, remote crypto endpt.: 3.3.3.3

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: CF6965BD
      current inbound spi : 86269FF7

    inbound esp sas:
      spi: 0x86269FF7 (2250678263)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 15597568, crypto-map: outside_map_1
         sa timing: remaining key lifetime (kB/sec): (4369467/99777)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xCF6965BD (3479791037)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 15597568, crypto-map: outside_map_1
         sa timing: remaining key lifetime (kB/sec): (4372358/99774)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Remote site 2


remotesite2# sh crypto ipsec sa peer 3.3.3.3

peer address: 3.3.3.3
    Crypto map tag: outside_map_1, seq num: 80, local addr: 2.2.2.2

      access-list outside_cryptomap_10_1 extended permit ip 10.30.0.0 255.255.0.0 10.20.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.30.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      current_peer: 3.3.3.3

      #pkts encaps: 870, #pkts encrypt: 870, #pkts digest: 870
      #pkts decaps: 875, #pkts decrypt: 875, #pkts verify: 875
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 870, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2, remote crypto endpt.: 3.3.3.3

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: A8BEB3DF
      current inbound spi : 82ED8AA0

    inbound esp sas:
      spi: 0x82ED8AA0 (2196605600)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 10899456, crypto-map: outside_map_1
         sa timing: remaining key lifetime (kB/sec): (4373755/99444)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xA8BEB3DF (2831070175)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 10899456, crypto-map: outside_map_1
         sa timing: remaining key lifetime (kB/sec): (4373715/99444)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Hub site

hubsite# sh crypto ipsec sa peer 1.1.1.1

peer address: 1.1.1.1
    Crypto map tag: outside_map, seq num: 320, local addr: 3.3.3.3

      access-list outside_cryptomap_10_1 extended permit ip 10.0.0.0 255.0.0.0 10.13.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.13.0.0/255.255.0.0/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 10118, #pkts encrypt: 10118, #pkts digest: 10118
      #pkts decaps: 8897, #pkts decrypt: 8897, #pkts verify: 8897
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 10118, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 3.3.3.3, remote crypto endpt.:  1.1.1.1

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 86269FF7
      current inbound spi : CF6965BD

    inbound esp sas:
      spi: 0xCF6965BD (3479791037)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 240832512, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3911628/99290)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x86269FF7 (2250678263)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 240832512, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3907245/99290)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 320, local addr: 3.3.3.3

      access-list outside_cryptomap_10_1 extended permit ip 10.0.0.0 255.0.0.0 10.13.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.30.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.13.0.0/255.255.0.0/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 3.3.3.3, remote crypto endpt.: 1.1.1.1

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 517A7F5E
      current inbound spi : 0847389F

    inbound esp sas:
      spi: 0x0847389F (138885279)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 240832512, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914998/99363)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x001FFFFF
    outbound esp sas:
      spi: 0x517A7F5E (1366982494)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 240832512, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/99362)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

hubsite# sh crypto ipsec sa peer 2.2.2.2

peer address:  2.2.2.2

    Crypto map tag: outside_map, seq num: 120, local addr: 3.3.3.3

      access-list outside_cryptomap_120 extended permit ip 10.0.0.0 255.0.0.0 10.30.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.30.0.0/255.255.0.0/0/0)
      current_peer: 2.2.2.2

      #pkts encaps: 1708, #pkts encrypt: 1708, #pkts digest: 1708
      #pkts decaps: 1681, #pkts decrypt: 1681, #pkts verify: 1681
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1708, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 3.3.3.3, remote crypto endpt.:  2.2.2.2

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 82ED8AA0
      current inbound spi : A8BEB3DF

    inbound esp sas:
      spi: 0xA8BEB3DF (2831070175)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 240865280, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914471/99013)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x82ED8AA0 (2196605600)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 240865280, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914535/99013)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

I can't see anything in the isakmp debugs on the hub site... Any other suggestions greatly appreciated.

Thanks again,

James

Any other ideas on what could be stopping the traffic going out over the second VPN from the hub site?

Is there anything else I can do on the hub to see what's happening? All devices have sysopt connection permit-vpn on, so I'm guessing it won't be an access-list issue...

Hi James,

How come the configuration on the HUB that you have posted earlier does not correspond to the SA:

From the output of SA on the HUB:

Crypto map tag: outside_map, seq num:  320, local addr: 3.3.3.3

      access-list outside_cryptomap_10_1  extended permit ip 10.0.0.0 255.0.0.0 10.13.0.0 255.255.0.0

Crypto map tag: outside_map, seq num:  320, local addr: 3.3.3.3

      access-list outside_cryptomap_10_1  extended permit ip 10.0.0.0 255.0.0.0 10.13.0.0 255.255.0.0

Crypto map tag: outside_map, seq num:  120, local addr: 3.3.3.3

      access-list outside_cryptomap_120  extended permit ip 10.0.0.0 255.0.0.0 10.30.0.0 255.255.0.0

while the configuration that you have posted earlier does not match as follows:

access-list outside_cryptomap_10_1  extended permit ip 10.20.0.0 255.255.0.0 10.13.0.0 255.255.0.0
access-list  outside_cryptomap_10_1 extended permit ip 10.30.0.0 255.255.0.0 10.13.0.0 255.255.0.0
access-list outside_cryptomap_20_1 extended  permit ip 10.20.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list  outside_cryptomap_20_1 extended permit ip 10.13.0.0 255.255.0.0 10.30.0.0 255.255.0.0


The crypto ACL needs to be a mirror image between the 2 sites, and it seems that you do not have mirror-image crypto ACLs. On the HUB, you have configured a class A (10.0.0.0/8), while on the remote sites, you have configured a class B (10.20.0.0/16). Please change the crypto ACL on the HUB to be the mirror image of the remote sites' crypto ACL.
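
The mirror-image requirement above can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses ASA `access-list ... extended permit ip` lines, reports which Phase 2 proposals one peer would reject when the other peer initiates, and generates hub ACEs that are exact mirrors of a spoke's crypto ACL. The responder rule it encodes is an assumption modelled on the SA output in this thread (the hub, as responder, accepted 10.20.0.0/16 to 10.13.0.0/16 although its own ACE says 10.0.0.0/8): a proposal is accepted when it is the exact mirror of, or narrower than, one of the responder's ACEs, and rejected when it is wider. The sample input is constructed from the configs posted above, with the hub's entry taken from the `show crypto ipsec sa` output rather than the posted config.

```python
"""Added example (not from the thread): check two IPsec peers' crypto ACLs for
the mirror-image property and generate mirrored hub entries from spoke ACLs.
"""
import ipaddress
import re

# One 'permit ip' ACE in ASA address/netmask form: name, src, smask, dst, dmask.
ACE_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+"
    r"(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s*$"
)

# Constructed sample input: remote site 1's crypto ACL as posted in the thread.
SPOKE1_CONFIG = """
access-list outside_cryptomap_10_1 extended permit ip 10.13.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list outside_cryptomap_10_1 extended permit ip 10.13.0.0 255.255.0.0 10.30.0.0 255.255.0.0
"""

# Constructed sample input: the hub's ACL for peer 1.1.1.1 as shown in the
# 'show crypto ipsec sa' output above (a single 10.0.0.0/8 "blanket" entry).
HUB_CONFIG_AS_RUNNING = """
access-list outside_cryptomap_10_1 extended permit ip 10.0.0.0 255.0.0.0 10.13.0.0 255.255.0.0
"""


def parse_crypto_acl(config_text):
    """Return {acl_name: [(src_net, dst_net), ...]} for the 'permit ip' ACEs
    found in the text. Lines that are not such ACEs are ignored."""
    acls = {}
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        acls.setdefault(name, []).append((
            ipaddress.ip_network(f"{src}/{smask}", strict=False),
            ipaddress.ip_network(f"{dst}/{dmask}", strict=False),
        ))
    return acls


def responder_accepts(proposal, responder_entries):
    """Assumed responder rule (see lead-in): the proposed (src, dst) pair is
    accepted when some responder ACE covers its mirror, i.e. the proposal's
    dst lies within the ACE source and its src within the ACE destination.
    An exact mirror or a narrower proposal passes; a wider one does not."""
    src, dst = proposal
    return any(dst.subnet_of(r_src) and src.subnet_of(r_dst)
               for r_src, r_dst in responder_entries)


def rejected_proposals(initiator_entries, responder_entries):
    """ACEs of the initiator whose Phase 2 proposal the responder would reject."""
    return [e for e in initiator_entries
            if not responder_accepts(e, responder_entries)]


def mirror_for_hub(spoke_entries, acl_name):
    """Emit hub ACEs that are exact mirror images of a spoke's crypto ACL."""
    return [
        f"access-list {acl_name} extended permit ip "
        f"{dst.network_address} {dst.netmask} {src.network_address} {src.netmask}"
        for src, dst in spoke_entries
    ]


def audit(spoke_text, hub_text):
    """Return (hub_rejected_by_spoke, spoke_rejected_by_hub, mirrored_hub_lines)
    for the first ACL found in each config fragment."""
    spoke = next(iter(parse_crypto_acl(spoke_text).values()))
    hub_name, hub = next(iter(parse_crypto_acl(hub_text).items()))
    return (rejected_proposals(hub, spoke),
            rejected_proposals(spoke, hub),
            mirror_for_hub(spoke, hub_name))


if __name__ == "__main__":
    hub_fails, spoke_fails, fixed = audit(SPOKE1_CONFIG, HUB_CONFIG_AS_RUNNING)
    print("spoke-initiated proposals rejected by hub:", spoke_fails)
    print("hub-initiated proposals rejected by spoke:", hub_fails)
    print("mirrored hub ACL:")
    print("\n".join(fixed))
```

Run against the sample input, the spoke-initiated proposals (10.13.0.0/16 to 10.20.0.0/16 and 10.13.0.0/16 to 10.30.0.0/16) are accepted by the hub's 10.0.0.0/8 entry, which matches the SA the thread shows being built when the spoke pings first, while the hub-initiated proposal 10.0.0.0/8 to 10.13.0.0/16 is wider than anything in the spoke's ACL and is rejected, which is why hairpinned traffic arriving from the other spoke never brings up the second SA. The generated mirror entries pass the check in both directions.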

Hi, yes I had just figured this out and was coming back to update... The configs I had posted above I had modified, as each config is actually around 1000-2000 lines long. I had not realised I had posted the ACLs incorrectly.

The network is actually substantially larger than just these 3 sites: 58 sites and 3 hubs in total, and the design is quite complex. I was hoping to have the blanket 10.0.0.0/8 statement on the hub site for all remote sites; otherwise I will need 57 match statements per peer on each hub site, and there'll be 57 peers... That's a lot of ACL entries!

Back to the drawing board I guess.....

Thanks for the help.

James

Hi James,

I have one query about hairpin VPN. Does it support other-vendor firewalls?

Because in my scenario, at the HUB site I have a Cisco ASA 5520 and at the spoke end I have a FortiGate firewall; between the ASA and the FortiGate I have configured a dynamic VPN. Now I want my two FortiGate inside subnets to talk to each other.

I am confused about how to do it. Please assist if you have any idea.

Suhas B.
