03-17-2012 07:10 PM
Well, I'm hoping someone can help me out with this headache! Switched from using a PIX and VPN 3005 Concentrator at the home office to an ASA5510 for firewall and IPSEC tunnels. It's pretty much a
HOME OFFICE: 10.0.0.0/24
Spoke 1: 192.168.11.0 / 24
Spoke 2: 192.168.12.0 / 24
Spoke 3: 192.168.13.0 / 24
- continues to 192.168.31.0 / 24
With the current config, Spoke 1 can communicate with all resources at home office, and Internet access is tunneled correctly as verified by a tracert. However, the Spokes cannot communicate with each other. This is needed for VOIP traffic, when any SPOKE to SPOKE calls are made (jobsites).
Logging Info when spoke to spoke icmp initiated:
If I remove the nat (outside) 1 192.168.0.0 255.255.0.0 - the spokes will start responding to each other, but then spokes cannot tunnel Internet traffic through the home office. My brain is so scrambled after cramming VPN configurations for the last few days, so I'm hoping someone has a clue. I have always used 3005 concentrators, so this is a bit different! In finding documentation for this setup, I was surprised that this is not a more common topology. You would think this article would do it (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml), but it doesn't have spokes! Anyway, I'm pretty sure it has something to do with the NAT rules, and possibly needing an access-list for spoke to spoke traffic.
=============================================
ASA Version 8.2(1)
!
hostname asa5510
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 97.65.x.x 255.255.255.224
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.0.0.40 255.255.0.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object 10.0.0.0 255.255.0.0
network-object 192.168.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list wccp-servers extended permit ip host 10.0.0.83 any
access-list Redirect-Traffic extended deny ip any object-group DM_INLINE_NETWORK_1
access-list Redirect-Traffic extended permit ip any any
global (outside) 1 interface
nat (outside) 1 192.168.0.0 255.255.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 97.65.x.x 1
route inside 192.168.0.0 255.255.255.0 10.0.0.1 1
route inside 192.168.2.0 255.255.255.0 10.0.0.1 1
route inside 192.168.3.0 255.255.255.0 10.0.0.1 1
crypto ipsec transform-set mySET esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
crypto dynamic-map dynmap 1 set transform-set mySET
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
management-access inside
threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
wccp web-cache redirect-list Redirect-Traffic group-list wccp-servers password xxxxxxx
wccp 90 redirect-list Redirect-Traffic group-list wccp-servers password xxxxxxx
webvpn
group-policy MJHIvpn internal
group-policy MJHIvpn attributes
wins-server value 10.0.10.1 10.0.10.2
dns-server value 10.0.10.1 10.0.10.2
password-storage enable
split-tunnel-policy tunnelall
default-domain value mjhi.local
nem enable
username Field-3002 password SjfS1Pq2xZGxHicx encrypted
username Field-3002 attributes
vpn-access-hours none
vpn-simultaneous-logins 250
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
password-storage enable
service-type remote-access
tunnel-group Field type remote-access
tunnel-group Field general-attributes
default-group-policy MJHIvpn
tunnel-group Field ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ils
inspect icmp
!
service-policy global_policy global
03-18-2012 12:33 AM
Hello Ala,
Indeed, it has got to be the NAT configuration.
So basically you want to tunnel the traffic between the spokes so they can communicate with each other.
OK, that would be a nat 0 with an access-list on the outside for the corresponding traffic.
Also, in the crypto ACL configuration for each site you will need to add an entry for the traffic to any of the other offices.
I hope I explained myself.
Have a good one
Julio
Rate all the helpful posts!!!
03-18-2012 09:04 AM
Thanks for the tip! I added the following on the home office hub:
access-list VPN_NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (outside) 0 access-list VPN_NAT
Results from Client device on a spoke ->
Now, after all the sites can communicate with each other, it appears that the web filter is not getting traffic redirected to it from any location.
=====================================================================
object-group network DM_INLINE_NETWORK_1
network-object 10.0.0.0 255.255.0.0 ------> (Home Office)
network-object 192.168.0.0 255.255.0.0 ------> (Jobsite/Spoke)
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.0.0 ------------> (HOME OFFICE to Jobsite Networks)
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 ------------> (Jobsite to Jobsite; 192.168.11.x to 192.168.31.x /24)
access-list wccp-servers extended permit ip host 10.0.0.83 any ----> (Ironport device)
access-list Redirect-Traffic extended deny ip any object-group DM_INLINE_NETWORK_1
access-list Redirect-Traffic extended permit ip any any
access-list VPN_NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 ------------> (Jobsite to Jobsite; 192.168.11.x to 192.168.31.x /24)
global (outside) 1 interface
nat (outside) 0 access-list VPN_NAT
nat (outside) 1 192.168.0.0 255.255.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
wccp web-cache redirect-list Redirect-Traffic group-list wccp-servers password xxxxxxx
wccp 90 redirect-list Redirect-Traffic group-list wccp-servers password xxxxxx
=====================================================================
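As an added illustration (not part of the thread and not ASA code), the following Python model walks the ASA 8.2 (pre-8.3) NAT lookup for a packet that has just been decrypted on the hub's outside interface, using the three rule sets the thread discusses: the originally posted config, the config with nat (outside) 0 access-list VPN_NAT added, and the poster's earlier experiment of deleting nat (outside) 1 entirely. Two assumptions are built in and labeled in the code: NAT exemption (nat 0 access-list) is evaluated before dynamic NAT and is bidirectional, and a dynamic nat rule with no matching global on the egress interface leaves the packet untranslated (nat-control is off by default). The address 97.65.0.195 is a stand-in for the redacted 97.x.x.195 outside interface address.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the ASA 8.2 NAT decision; hosts and rules come from
# the thread, 97.65.0.195 is a stand-in for the redacted outside address.


def net(addr, mask):
    """ASA-style 'address mask' pair -> IPv4Network."""
    return ip_network(f"{addr}/{mask}", strict=False)


# 'access-list X extended permit ip <src> <mask> <dst> <mask>' as (src, dst)
ACLS = {
    "nonat":   [(net("10.0.0.0", "255.255.0.0"), net("192.168.0.0", "255.255.0.0"))],
    "VPN_NAT": [(net("192.168.0.0", "255.255.0.0"), net("192.168.0.0", "255.255.0.0"))],
}

OUTSIDE_IP = "97.65.0.195"  # stand-in for the redacted 97.x.x.195 interface address


def acl_permits(name, src, dst):
    return any(src in s and dst in d for s, d in ACLS[name])


def nat_lookup(cfg, ingress, egress, src, dst):
    """Return 'exempt', ('pat', global_ip) or 'untranslated'.

    cfg['exempt']  : {ifname: acl}             nat (ifname) 0 access-list <acl>
    cfg['dynamic'] : {ifname: [(id, network)]} nat (ifname) <id> <net> <mask>
    cfg['global']  : {(ifname, id): ip}        global (ifname) <id> interface

    Assumed order, as on ASA 8.2: exemption first, then dynamic NAT. The
    nat 0 access-list is bidirectional, so the egress interface's exemption
    ACL is also checked with source and destination swapped.
    """
    src, dst = ip_address(src), ip_address(dst)
    if ingress in cfg["exempt"] and acl_permits(cfg["exempt"][ingress], src, dst):
        return "exempt"
    if egress in cfg["exempt"] and acl_permits(cfg["exempt"][egress], dst, src):
        return "exempt"
    for nat_id, network in cfg["dynamic"].get(ingress, []):
        if src in network:
            pool = cfg["global"].get((egress, nat_id))
            # No global on the egress interface: packet passes untranslated
            # (nat-control is off by default on 8.2).
            return ("pat", pool) if pool else "untranslated"
    return "untranslated"


# Originally posted config: hairpinned spoke-to-spoke traffic gets PATed.
BEFORE = {
    "exempt":  {"inside": "nonat"},
    "dynamic": {"outside": [(1, net("192.168.0.0", "255.255.0.0"))],
                "inside":  [(1, net("10.0.0.0", "255.255.0.0"))]},
    "global":  {("outside", 1): OUTSIDE_IP},
}
# The fix from the thread: nat (outside) 0 access-list VPN_NAT.
AFTER = {**BEFORE, "exempt": {"inside": "nonat", "outside": "VPN_NAT"}}
# The poster's other experiment: delete nat (outside) 1 altogether.
NO_OUTSIDE_NAT = {**BEFORE, "dynamic": {"inside": BEFORE["dynamic"]["inside"]}}

SPOKE, OTHER_SPOKE = "192.168.22.100", "192.168.23.105"
HUB_DNS, INTERNET = "10.0.10.1", "68.142.213.142"


# VPN traffic enters on outside; hairpinned traffic also leaves on outside.
def spoke_to_spoke(cfg):
    return nat_lookup(cfg, "outside", "outside", SPOKE, OTHER_SPOKE)


def spoke_to_hub(cfg):
    return nat_lookup(cfg, "outside", "inside", SPOKE, HUB_DNS)


def spoke_to_internet(cfg):
    return nat_lookup(cfg, "outside", "outside", SPOKE, INTERNET)


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("no outside nat", NO_OUTSIDE_NAT)):
        print(f"{label:15} spoke->spoke {spoke_to_spoke(cfg)!s:22} "
              f"spoke->hub {spoke_to_hub(cfg)!s:8} spoke->internet {spoke_to_internet(cfg)}")
```

Running it reproduces the three outcomes in the thread: with the original config a spoke-to-spoke packet is PATed to the outside interface address, so the far spoke answers the ASA's public IP rather than the originating host; with the VPN_NAT exemption it passes untranslated while Internet-bound traffic is still PATed; and with nat (outside) 1 removed the spokes talk but Internet traffic leaves with a private source address, which is why that experiment broke tunneled web access.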
03-18-2012 03:44 PM
Hello,
Glad it is working now with the changes I told you about.
WCCP: to make it work, both the client and the server have to be behind the same interface; in this case you are not doing it like this, so it will not work.
Here is the link that supports what I just stated
https://supportforums.cisco.com/docs/DOC-12623
The only topology that the adaptive security appliance supports is when client and cache engine are behind the same interface of the adaptive security appliance and the cache engine can directly communicate with the client without going through the adaptive security appliance.
Regards,
Do rate all the helpful posts
03-18-2012 06:22 PM
What's weird is that it was working before I got the spoke to spoke traffic working. The home office and spokes were both being redirected through the proxy, as I was getting the user ack page for internet access, and the proper categories were being filtered at both locations.
However, after adding those two lines which allowed the spoke to spoke traffic, NO traffic is being sent to the web filter.
***(EDIT: Home office is being redirected now, but spoke traffic is not, which is the behavior you described as a limitation).
I did see what you were talking about regarding the limitations, but during the initial testing, it worked for the home office and the spoke (VPN) client. I was thinking that article may have been outdated, or I misunderstood it...lol. How in the heck did that work before then?
All I did was add the line:
nat (outside) 0 access-list VPN_NAT
I've been watching the teardowns for a while to verify that NAT is working correctly, and how I expected when the various networks talk with each other.
For Instance ->
====================================================================================
Spoke to Spoke - [ NAT EXEMPT ---> nat (outside) 0 access-list VPN_NAT ]
Source DEST
192.168.22.100 192.168.23.105
Built inbound ICMP connection for faddr 192.168.22.100/768 gaddr 192.168.23.105/0 laddr 192.168.23.105/0
Spoke to HUB - [ NAT EXEMPT --> nat (inside) 0 access-list nonat ]
Source DEST
192.168.22.100 10.0.10.1
Built inbound ICMP connection for faddr 192.168.22.100/768 gaddr 10.0.10.1/0 laddr 10.0.10.1/0
Spoke to Public Internet - *Global (outside) 1 ---> (97.x.x.195 is the outside int address)
Source DEST
192.168.22.100 68.142.213.142
Built inbound TCP connection 72032 for outside:192.168.22.100/3300 (97.x.x.195/13735) to outside:68.142.213.142/80 (68.142.213.142/80)
=====================================================================================
Anyway, thanks for the responses! I'll be curious if you can figure out why the VPN traffic was able to go through the web filter! I may roll back to the original config just to verify.