Solved: ASA - Tunnel all Traffic, allow spokes to communicate to each other

alatechpro · ‎03-17-2012

Well, I'm hoping someone can help me out with this headache! Switched from using a PIX and VPN 3005 Concentrator at the home office to an ASA5510 for firewall and IPSEC tunnels. It's pretty much a

VPN on a Stick, with multiple spokes.
All traffic tunneled
Internet access to be tunneled through main office (web filter usage)
VOIP to VOIP between spokes
All spokes are using VPN 3005 HW clients or ASA 5505s

HOME OFFICE: 10.0.0.0/24

Spoke 1: 192.168.11.0 / 24

Spoke 2: 192.168.12.0 / 24

Spoke 3: 192.168.13.0 / 24

- continues to 192.168.31.0 / 24

With the current config, Spoke 1 can communicate with all resources at home office, and Internet access is tunneled correctly as verified by a tracert.However the Spokes cannot communicate with each other. This is needed for VOIP traffic, when any SPOKE to SPOKE calls are made (jobsites).

Logging Info when spoke to spoke icmp initiated:

No translation group found for icmp src outside:192.168.31.1 dst inside:192.168.11.1 (type 8, code 0)

If I remove the nat (outside) 1 192.168.0.0 255.255.00 - the spokes will start responding to each other, but then spokes cannot tunnel Internet traffic through the home office. My brain is so scrambled after cramming VPN configurations for the last few days, so I'm hoping someone has a clue. I have always used 3005 concentrators, so this is a bit different! In finding documentation for this setup, I was surprised that this is not a more common topology. You would think this article would do it (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml) , but it doesn't have spokes! Anyway, I'm pretty sure it has something to do with the NAT rules, and possibly needing access-list for spoke to spoke traffic.

=============================================

ASA Version 8.2(1)
!
hostname asa5510

interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 97.65.x.x 255.255.255.224

interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.0.0.40 255.255.0.0

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network DM_INLINE_NETWORK_1
network-object 10.0.0.0 255.255.0.0

network-object 192.168.0.0 255.255.0.0

access-list nonat extended permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.0.0

access-list wccp-servers extended permit ip host 10.0.0.83 any

access-list Redirect-Traffic extended deny ip any object-group DM_INLINE_NETWORK_1

access-list Redirect-Traffic extended permit ip any any

global (outside) 1 interface
nat (outside) 1 192.168.0.0 255.255.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.0.0

route outside 0.0.0.0 0.0.0.0 97.65.x.x 1
route inside 192.168.0.0 255.255.255.0 10.0.0.1 1
route inside 192.168.2.0 255.255.255.0 10.0.0.1 1
route inside 192.168.3.0 255.255.255.0 10.0.0.1 1

crypto ipsec transform-set mySET esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside

crypto dynamic-map dynmap 1 set transform-set mySET

crypto map mymap 65535 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

crypto isakmp ipsec-over-tcp port 10000

management-access inside

threat-detection basic-threat

no threat-detection statistics access-list
no threat-detection statistics tcp-intercept

wccp web-cache redirect-list Redirect-Traffic group-list wccp-servers password xxxxxxx
wccp 90 redirect-list Redirect-Traffic group-list wccp-servers password xxxxxxx

webvpn

group-policy MJHIvpn internal

group-policy MJHIvpn attributes
wins-server value 10.0.10.1 10.0.10.2
dns-server value 10.0.10.1 10.0.10.2
password-storage enable
split-tunnel-policy tunnelall
default-domain value mjhi.local
nem enable

username Field-3002 password SjfS1Pq2xZGxHicx encrypted

username Field-3002 attributes
vpn-access-hours none
vpn-simultaneous-logins 250
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
password-storage enable
service-type remote-access

tunnel-group Field type remote-access

tunnel-group Field general-attributes
default-group-policy MJHIvpn

tunnel-group Field ipsec-attributes
pre-shared-key *

class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ils
inspect icmp
!
service-policy global_policy global

Julio Carvajal · ‎03-18-2012

Hello Ala,

In deed got to be with the Nat configuration.

So basically you want to tunnel the traffic about the spokes to communicate with each other.

Ok that would be with an nat 0 with access-list on the outside with the corresponding traffic.

Also on the crypto ACL configuration for each site you will need to add an entry for the traffic to any of the other offices.

I hope I explained myself.

Have a good one

Julio

Rate all the helpful posts!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎03-18-2012

Hello Ala,

In deed got to be with the Nat configuration.

So basically you want to tunnel the traffic about the spokes to communicate with each other.

Ok that would be with an nat 0 with access-list on the outside with the corresponding traffic.

Also on the crypto ACL configuration for each site you will need to add an entry for the traffic to any of the other offices.

I hope I explained myself.

Have a good one

Julio

Rate all the helpful posts!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

alatechpro · ‎03-18-2012

Thanks for the tip! I added the following on the home office hub:

access-list VPN_NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

nat (outside) 0 access-list VPN_NAT

Results from Client device on a spoke ->

Can ping home office network
Can ping another spoke
Can ping public net

Now, after all the sites can communicate with each other, it appears that the web filter is not getting traffic redirected to it from any location.

=====================================================================

object-group network DM_INLINE_NETWORK_1

network-object 10.0.0.0 255.255.0.0 ------> (Home Office)

network-object 192.168.0.0 255.255.0.0 ------> (Jobsite/Spoke)

access-list nonat extended permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.0.0 ------------> (HOME OFFICE to Jobsite Networks)

access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 ------------> (Jobsite to Jobsite; 192.168.11.x to 192.168.31.x /24)

access-list wccp-servers extended permit ip host 10.0.0.83 any ----> (Ironport device)

access-list Redirect-Traffic extended deny ip any object-group DM_INLINE_NETWORK_1

access-list Redirect-Traffic extended permit ip any any

access-list VPN_NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 ------------> (Jobsite to Jobsite; 192.168.11.x to 192.168.31.x /24)

global (outside) 1 interface

nat (outside) 0 access-list VPN_NAT

nat (outside) 1 192.168.0.0 255.255.0.0

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

wccp web-cache redirect-list Redirect-Traffic group-list wccp-servers password xxxxxxx

wccp 90 redirect-list Redirect-Traffic group-list wccp-servers password xxxxxx

=====================================================================

Julio Carvajal · ‎03-18-2012

Hello,

Glad it is working now with the changes I let you know.

WCCP : to make it work both the client and the server got to be behind the same interface, in this case you are not doing it like this so it will not work.

Here is the link that supports what I just stated

https://supportforums.cisco.com/docs/DOC-12623

The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.

Regards,

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

alatechpro · ‎03-18-2012

What's weird is that is was working before I got the spoke to spoke traffic working. The home office and spokes were both being redirected through the proxy, as I was getting the user ack page for internet access, and the proper categories were being filtered at both locations.

However, after adding those two lines which allowed the spoke to spoke traffic, NO traffic is being sent to the web filter.

***(EDIT: Home office is being redirected now, but spoke traffic is not, which is the behavior you described as a limitation).

I did see what you were talking about regarding the limitations, but during the initial testing, it worked for the home office and the spoke (VPN) client. I was thinking that article may have been outdated, or I misunderstood it...lol. How in the heck did that work before then?

All I did was add the line:

nat (outside) 0 access-list VPN_NAT

I've been watching the teadowns for a while to verify that NAT is working correctly, and how I expected when the various networks talk with each other.

For Instance ->

====================================================================================

Spoke to Spoke - [ NAT EXEMPT ---> nat (outside) 0 access-list VPN_NAT ]

Source DEST

192.168.22.100 192.168.23.105

Built inbound ICMP connection for faddr 192.168.22.100/768 gaddr 192.168.23.105/0 laddr 192.168.23.105/0

Spoke to HUB - [ NAT EXPEMPT --> nat (inside) 0 access-list nonat ]

Source DEST

192.168.22.100 10.0.10.1

Built inbound ICMP connection for faddr 192.168.22.100/768 gaddr 10.0.10.1/0 laddr 10.0.10.1/0

Spoke to Public Internet - *Global (outside) 1 ---> (97.x.x.195 is the outside int address)

Source DEST

192.168.22.100 68.142.213.142

Built inbound TCP connection 72032 for outside:192.168.22.100/3300 (97.x.x.195/13735) to outside:68.142.213.142/80 (68.142.213.142/80)

=====================================================================================

Anyway, thanks for the responses! I'll be curious if you can figure out why the VPN traffic was able to go through the web filter! I may roll back to the original config just to verify.