VPN Client To ASA 5505 then back out through tunnel to other ASA 5505

May 3rd, 2012

[Attachment: Remote Site Setup.png]


I'm having some issues trying to get the Site 3 VPN client to be able to ping the Site 2 server.  I have just built the tunnel from Site 1 to Site 2 and now have traffic flowing great from Site 1 to Site 2.  Site 3 clients can get to Site 1 clients with no issues at all.  But Site 3 clients can NOT get to Site 2 clients at all.


I'm guessing it has something to do with coming in on the outside (int 0) interface and then going back out the outside (int 0) interface.  I have enabled/used the following lines but I still cannot get it to work.


1) same-security-traffic permit intra-interface (on the Site 1 ASA only)

2) I have my NAT exempt rules in place for both Site 1 and Site 2.  Site 2 is using IOS 8.2(1) and Site 1 is using the newer IOS 8.4(2).  So the Site 1 ASA is using the route-lookup switch to simulate the EXEMPT.


Any ideas why it would not be working for me?

Dan-Ciprian Cicioiu Thu, 05/03/2012 - 11:08

Hi Arvo,


Shouldn't you do NAT exempt also for Site 3 - Site 2 on both ASAs, Site 1 and Site 2?

As I see it, in order for a packet from Site 3 to go over the IPsec tunnel between Site 1 and Site 2, the Site 3 source (which I suppose connects to Site 1) should not be NATed going to Site 2 and back.

Does this make sense, or did you already do that in point 2?



Dan

Arvo Bowen Thu, 05/03/2012 - 11:33

Dan,

So I should have 2 NAT EXEMPT rules on Site 1's ASA and 1 NAT EXEMPT rule on Site 2's ASA?

Dan-Ciprian Cicioiu Thu, 05/03/2012 - 11:37

Hi Arvo,


As I see it, on Site 1 you should have 2 NAT exempts:

     source 10.71.1.0/24 destination 10.50.6.0/24
     source 10.71.2.0/24 destination 10.50.6.0/24

On Site 2 you should exempt the same traffic from NAT, but the other way around:

     source 10.50.6.0/24 destination 10.71.1.0/24
     source 10.50.6.0/24 destination 10.71.2.0/24

And the IPsec traffic should also match this traffic.


Dan

Arvo Bowen Thu, 05/03/2012 - 11:57

Note:

Just to stay on a single issue, all I care about is getting from the Site 3 VPN client to the Site 2 server...  That said, we can ignore all the 10.71.1.0/24 rules as they do not apply to the Site 2 10.50.6.0/24 subnet or the Site 3 10.71.2.0/24 subnet.

So, just dealing with the 10.71.2.0/24 subnet (VPN clients) and the 10.50.6.0/24 subnet (Site 2), I should only need 1 EXEMPT NAT rule on each ASA, right?  Or am I wrong?

Arvo Bowen Thu, 05/03/2012 - 13:02

OK, so this is what I currently have on Site 1's ASA...

object network LAN-INSIDE
 subnet 10.71.1.0 255.255.255.0
 description local area network
object network LAN-FULTON
 subnet 10.50.6.0 255.255.255.0
 description Fulton's Network

nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-FULTON LAN-FULTON route-lookup description Exempt NAT rule for traffic from the inside network to the Fulton network

Then on Site 2's ASA...

access-list inside_nat0_outbound extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

Does that look right?

rizwanr74 Fri, 05/04/2012 - 11:44

"But Site 3 clients can NOT get to Site 2 clients at all."


Can you please explain whether the Site 3 RA VPN clients are being terminated on the Site 1 or the Site 2 ASA?  If your answer is Site 1:

Then you need no-NAT for these segments, i.e. the Site 3 RA VPN clients and Site 2, on Site 1's outside interface, so your understanding is correct with regard to this issue.


Solution as follows; I assume you are using a /24 mask on your networks.


access-list outside_nonat extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_nonat extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0

nat (outside) 0 access-list outside_nonat




Now, incorporate "10.71.2.0 255.255.255.0" in the tunnel between Site 1 and Site 2, i.e. in the crypto ACL.

On Site 2, please make sure you have a static route as shown below.

route outside 10.71.2.0 255.255.255.0 xxx.xxx.xxx.xxx   <- default gateway on the Site 2 ASA

Let me know how this is coming along.


Thanks

Rizwan Rafeek.


Message was edited by: Rizwan Mohamed
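An added consistency check, not code from the thread: given the two ASA configs (constructed 8.2-style samples, not the real ones), it verifies that the Site 1 and Site 2 crypto ACLs mirror each other and that every encrypted flow also has a NAT-exempt entry on both ends, which is exactly the pair of conditions the reply above lays out. The ACL names outside_cryptomap, outside_nat0_outbound and inside_nat0_outbound are assumed.

```python
import re
from ipaddress import IPv4Network

# Only the 8.2-style "extended permit ip SRC MASK DST MASK" form is parsed here.
ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")

# Constructed sample configs, not the thread's real ones: Site 1 is the hub that
# terminates the RA clients (10.71.2.0/24); Site 2 is the spoke (10.50.6.0/24).
SITE1 = """
access-list outside_cryptomap extended permit ip 10.71.1.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.71.1.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
"""
SITE2 = """
access-list outside_cryptomap extended permit ip 10.50.6.0 255.255.255.0 10.71.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.50.6.0 255.255.255.0 10.71.1.0 255.255.255.0
"""

def parse_acl(config, name):
    """Return the set of (src, dst) IPv4Network pairs permitted by ACL `name`."""
    return {(IPv4Network(f"{m.group(2)}/{m.group(3)}"),
             IPv4Network(f"{m.group(4)}/{m.group(5)}"))
            for m in ACL_RE.finditer(config) if m.group(1) == name}

def mirror_gaps(local, remote):
    """Crypto pairs on `local` whose reversed pair is missing on `remote`."""
    return {(s, d) for (s, d) in local if (d, s) not in remote}

def nat0_gaps(flows, nat0):
    """Flows no NAT-exempt entry covers; these would fall through to dynamic NAT."""
    return {(s, d) for (s, d) in flows
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)}

def audit(site1_cfg, site2_cfg):
    c1 = parse_acl(site1_cfg, "outside_cryptomap")
    c2 = parse_acl(site2_cfg, "outside_cryptomap")
    # The hub exempts on outside (client traffic enters and leaves on outside,
    # hence the intra-interface hairpin); the spoke exempts its LAN on inside.
    n1 = parse_acl(site1_cfg, "outside_nat0_outbound")
    n2 = parse_acl(site2_cfg, "inside_nat0_outbound")
    # Every flow either peer encrypts must be NAT-exempt at both ends.
    want1 = c1 | {(d, s) for (s, d) in c2}
    want2 = c2 | {(d, s) for (s, d) in c1}
    return {"crypto_missing_on_site2": mirror_gaps(c1, c2),
            "crypto_missing_on_site1": mirror_gaps(c2, c1),
            "nat0_missing_on_site1": nat0_gaps(want1, n1),
            "nat0_missing_on_site2": nat0_gaps(want2, n2)}
```

With the sample configs the audit reports that Site 2 lacks both the mirrored crypto entry and the NAT-exempt entry for the 10.71.2.0/24 client pool, the same two gaps the reply asks to be filled.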

Arvo Bowen Mon, 05/14/2012 - 12:58

Thanks for the VERY informative response!  Below are some config entries that I have made, still yielding no results...

To answer your first question: yes, the VPN clients connect to the Site 1 ASA and once connected should have access to the Site 2 ASA LAN.  Second clarification: YES, everything is /24 masks.  Please keep in mind that below I'm using the ASDM for everything, so the names are auto created.


Site 2: ASA Version 8.2(1)

nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (outside) 0 access-list outside_nat0_outbound

route outside 0.0.0.0 0.0.0.0 148.242.77.54 1
route outside 10.71.2.0 255.255.255.0 148.242.77.54 1

access-list outside_nat0_outbound extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0


Does that look right?

rizwanr74 Tue, 05/15/2012 - 09:43

"Does that look right?"


Yes for Site 1, and please make sure that a static route exists on Site 2 as shown below.

route outside 10.71.2.0 255.255.255.0 xxx.xxx.xxx.xxx   <- default gateway at the Site 2 ASA



You also need the config below copied onto the Site 2 ASA as well.

nat (outside) 0 access-list outside_nat0_outbound

access-list outside_nat0_outbound extended permit ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0


Please be sure to include the network segments below in the crypto ACL for the site-to-site VPN between Site 1 and Site 2.

ip 10.71.2.0 255.255.255.0 10.50.6.0 255.255.255.0
ip 10.50.6.0 255.255.255.0 10.71.2.0 255.255.255.0

I look forward to hearing from you.


thanks

Rizwan Rafeek


Message was edited by: Rizwan Mohamed
