L2L traffic multiple spokes routing

Delmiro Campelo
Level 1

I have an issue that I'm hoping you can shed some light on. I have 3 sites all connected with VPN/IPsec IKEv2 tunnels using ASA 5505 and 5510 with 8.4+ code. Please see the image below for more details on my setup. All VPN tunnels are up and sending traffic across from the immediate neighbor; the issue is that I cannot ping or access ASA3's subnet from ASA2's, or ASA2's subnet from ASA3's. What am I missing from my configuration? Please see below, and thank you in advance for any assistance you can provide with this.

VPN_Issue.png

ASA 3 VPN Config:

 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map crypto_map 1 match address ASA3_ACL
crypto map crypto_map 1 set peer 1.1.1.1
crypto map crypto_map 1 set ikev2 ipsec-proposal aes_256
crypto map crypto_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 2
 prf sha256
 lifetime seconds 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy ipsec_group_policy
tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
 vpn-idle-timeout 6000
 vpn-session-timeout none
 vpn-tunnel-protocol ikev2
nat (inside,outside) source static all_inside_networks all_inside_networks destination static all_outside_networks all_outside_networks no-proxy-arp route-lookup
object-group network all_inside_networks
 network-object 10.0.1.0 255.255.255.0
object-group network all_outside_networks
 network-object 10.0.0.0 255.255.255.0
 network-object 10.0.18.0 255.255.255.0
access-list ASA3_ACL extended permit ip object-group all_inside_networks object-group all_outside_networks



10 Replies

Richard Burts
Hall of Fame

Add this command to your configuration, especially on ASA1.

same-security-traffic permit intra-interface

HTH

Rick


Jouni Forss
VIP Alumni

Hi,

You will need to make sure that ASA1 has the following configured

same-security-traffic permit intra-interface

This is because the traffic will come from "outside" interface and leave through "outside" interface through another L2L VPN connection.

You might also need a NAT0 configuration on the "outside" interface of the ASA1.

For example:

object network SITE-2
 subnet 10.0.18.0 255.255.255.0
object network SITE-3
 subnet 10.0.1.0 255.255.255.0
nat (outside,outside) source static SITE-2 SITE-2 destination static SITE-3 SITE-3

You can naturally use the "packet-tracer" on both ASA2 and ASA3 to confirm that they form the SA for the local and remote network with the ASA1. If that doesn't even form them, the problem is between the ASA2 and ASA1 or ASA3 and ASA1.

ASA2

packet-tracer input inside tcp 10.0.18.100 12345 10.0.1.100 80

ASA3

packet-tracer input inside tcp 10.0.1.100 12345 10.0.18.100 80

Modify the interface name if it's different from the above. Modify the protocol and/or port if it's not allowed by your local ACL. Issue the command twice, as the L2L VPN negotiation would have gone up after the first time you enter the command and only the second command could pass (unless the connection is already up).

- Jouni

Hi guys and thank you very much for helping. I already have the command on ASA1:

ASA1(config)# show running-config same-security-traffic
same-security-traffic permit intra-interface

I'm going to try doing some packet tracing. Would you like to see the ASA1 config?

Hi,

It wouldn't hurt, at least.

Naturally if it has a large NAT/ACL configuration it might be easier to confirm things with the "packet-tracer".

But you can naturally share the configurations (without any public IP addresses).

- Jouni

ASA1 VPN config

crypto map crypto_map 1 match address ASA3_ACL
crypto map crypto_map 1 set peer 3.3.3.3
crypto map crypto_map 1 set ikev2 ipsec-proposal aes_256
crypto map crypto_map 2 match address ASA2_ACL
crypto map crypto_map 2 set peer 2.2.2.2
crypto map crypto_map 2 set ikev2 ipsec-proposal aes_256
crypto map crypto_map interface outside
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
 default-group-policy ipsec_group_policy
tunnel-group 3.3.3.3 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
 default-group-policy ipsec_group_policy
tunnel-group 2.2.2.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
access-list ASA3_ACL extended permit ip object-group all_inside_networks object-group ASA3
access-list ASA2_ACL extended permit ip object-group all_inside_networks object-group ASA2
nat (inside,outside) source static all_inside_networks all_inside_networks destination static all_outside_networks all_outside_networks no-proxy-arp route-lookup
object-group network all_outside_networks
 network-object 10.0.1.0 255.255.255.0
 network-object 10.0.18.0 255.255.255.0
object-group network ASA2
 network-object 10.0.18.0 255.255.255.0
object-group network ASA3
 network-object 10.0.1.0 255.255.255.0
object-group network all_inside_networks
 network-object 10.0.0.0 255.255.255.0


group-policy ipsec_group_policy internal
group-policy ipsec_group_policy attributes
 vpn-idle-timeout 6000
 vpn-session-timeout none
 vpn-tunnel-protocol ikev2


rizwanr74
Level 7

Hi Delmiro,

In addition to what Jouni Forss has requested, to create a no-NAT between the two remote ASAs, you are also required to no-NAT in the opposite direction as well.

nat (outside,outside) source static SITE-3 SITE-3 destination static SITE-2 SITE-2

Hope this helps.

Thanks,

Rizwan Rafeek

ASA 2 VPN Config:

 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map crypto_map 1 match address ASA2_ACL
crypto map crypto_map 1 set peer 1.1.1.1
crypto map crypto_map 1 set ikev2 ipsec-proposal aes_256
crypto map crypto_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 2
 prf sha256
 lifetime seconds 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy ipsec_group_policy
tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
 vpn-idle-timeout 6000
 vpn-session-timeout none
 vpn-tunnel-protocol ikev2
nat (inside,outside) source static all_inside_networks all_inside_networks destination static all_outside_networks all_outside_networks no-proxy-arp route-lookup
object-group network all_inside_networks
 network-object 10.0.1.0 255.255.255.0
object-group network all_outside_networks
 network-object 10.0.0.0 255.255.255.0
 network-object 10.0.18.0 255.255.255.0
access-list ASA2_ACL extended permit ip object-group all_inside_networks object-group all_outside_networks

Accepted Solution

Hi,

Seems to me your ASA1 is missing some rules in the "crypto map" ACL:

access-list ASA3_ACL extended permit ip object-group ASA2 object-group ASA3
access-list ASA2_ACL extended permit ip object-group ASA3 object-group ASA2

You are also missing the "nat" command I mentioned:

nat (outside,outside) source static ASA2 ASA2 destination static ASA3 ASA3

You should not need a second "nat" command, as this should match whichever direction the connection is formed in.

Hope this helps

- Jouni
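The root cause in the accepted answer is easy to miss by eye: on a hub that hairpins spoke-to-spoke traffic, the crypto ACL for each spoke tunnel must match the other spokes' LANs as sources, not just the hub's own LAN. The following script is an added example written for this page (it is not from the thread, nor a Cisco tool); it parses the subset of ASA syntax that appears above (object-group/object network, network-object/subnet, access-list ... permit) and reports every spoke-pair flow that no hub-side ACE covers. The sample configs are constructed from the hub config posted in the thread, before and after the two ACEs Jouni added. It checks only the crypto ACL part of the fix; same-security-traffic permit intra-interface and the nat (outside,outside) identity rule still have to be verified separately, e.g. with packet-tracer as suggested earlier.

```python
import ipaddress
from collections import defaultdict
from itertools import permutations

# Constructed sample: the hub's (ASA1) crypto-relevant lines as posted in the
# thread, before the missing spoke-to-spoke ACEs were added.
HUB_CONFIG_BEFORE = """\
object-group network all_inside_networks
 network-object 10.0.0.0 255.255.255.0
object-group network ASA2
 network-object 10.0.18.0 255.255.255.0
object-group network ASA3
 network-object 10.0.1.0 255.255.255.0
access-list ASA3_ACL extended permit ip object-group all_inside_networks object-group ASA3
access-list ASA2_ACL extended permit ip object-group all_inside_networks object-group ASA2
crypto map crypto_map 1 match address ASA3_ACL
crypto map crypto_map 2 match address ASA2_ACL
"""

# The same hub config with the two ACEs from the accepted answer appended.
HUB_CONFIG_AFTER = HUB_CONFIG_BEFORE + """\
access-list ASA3_ACL extended permit ip object-group ASA2 object-group ASA3
access-list ASA2_ACL extended permit ip object-group ASA3 object-group ASA2
"""

# Spoke LAN behind each tunnel, keyed by the hub's crypto ACL for that tunnel.
SPOKES = {"ASA2_ACL": "10.0.18.0/24", "ASA3_ACL": "10.0.1.0/24"}


def _read_spec(tok, i, objects):
    """Parse one ACE address spec starting at tok[i]; return (networks, next index)."""
    if tok[i] in ("object-group", "object"):
        return objects[tok[i + 1]], i + 2
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2


def parse_config(text):
    """Return (objects, acls).

    objects: object/object-group name -> list of ip_network
    acls:    ACL name -> list of (src_networks, dst_networks) for permit ACEs
    Only the subset of ASA syntax used in the thread is handled.
    """
    objects = defaultdict(list)
    acls = defaultdict(list)
    current = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] in (["object-group", "network"], ["object", "network"]):
            current = tok[2]
        elif tok[0] in ("network-object", "subnet") and current is not None:
            objects[current].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "access-list" and "permit" in tok:
            current = None
            i = tok.index("permit") + 2          # skip the protocol keyword
            src, i = _read_spec(tok, i, objects)
            dst, _ = _read_spec(tok, i, objects)
            acls[tok[1]].append((src, dst))
        else:
            current = None
    return objects, acls


def covered(aces, src_net, dst_net):
    """True if a single ACE in the list matches all of src_net -> dst_net."""
    return any(
        any(src_net.subnet_of(s) for s in src_nets)
        and any(dst_net.subnet_of(d) for d in dst_nets)
        for src_nets, dst_nets in aces
    )


def missing_spoke_to_spoke(config_text, spokes):
    """Return sorted (acl, src, dst) triples for spoke pairs the hub will not encrypt.

    For A -> B to hairpin through the hub, the hub's crypto ACL on the tunnel
    toward B must match A's LAN -> B's LAN; the return path needs the mirror
    entry in the ACL toward A. Each direction is reported separately.
    """
    _, acls = parse_config(config_text)
    lans = {acl: ipaddress.ip_network(cidr) for acl, cidr in spokes.items()}
    gaps = []
    for acl_a, acl_b in permutations(lans, 2):
        if not covered(acls.get(acl_b, []), lans[acl_a], lans[acl_b]):
            gaps.append((acl_b, str(lans[acl_a]), str(lans[acl_b])))
    return sorted(gaps)


if __name__ == "__main__":
    for label, cfg in (("before", HUB_CONFIG_BEFORE), ("after", HUB_CONFIG_AFTER)):
        gaps = missing_spoke_to_spoke(cfg, SPOKES)
        print(f"{label}: {len(gaps)} uncovered spoke-to-spoke flow(s)")
        for acl, src, dst in gaps:
            print(f"  {acl} lacks an entry for {src} -> {dst}")
```

Run against the "before" config it reports both directions as uncovered (ASA3_ACL has nothing for 10.0.18.0/24 to 10.0.1.0/24, and ASA2_ACL nothing for the reverse), which is exactly why each spoke could reach the hub LAN but not the other spoke; with the two added ACEs it reports nothing. The spoke side needs no change in this thread because their crypto ACLs already use all_outside_networks, which contains the other spoke's LAN.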

oh my god, I can't believe I missed that. Thank you Jouni, I'm going to try those changes next.

Delmiro Campelo
Level 1

Thank you Jouni, as always you are amazing, please keep up the great support that you provide to the community.
