
New Member

L2L traffic multiple spokes routing

I have an issue that I'm hoping you can shed some light on. I have 3 sites, all connected with VPN/IPsec IKEv2 tunnels using ASA 5505 and 5510 with 8.4+ code. Please see the image below for more details on my setup. All VPN tunnels are up and passing traffic to and from the immediate neighbor; the issue is that I cannot ping or access ASA3's subnet from ASA2's, or ASA2's subnet from ASA3's. What am I missing from my configuration? Please see below, and thank you in advance for any assistance you can provide with this.

VPN_Issue.png

ASA 3 VPN Config:

protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map crypto_map 1 match address ASA3_ACL
crypto map crypto_map 1 set peer 1.1.1.1
crypto map crypto_map 1 set ikev2 ipsec-proposal aes_256
crypto map crypto_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 2
 prf sha256
 lifetime seconds 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy ipsec_group_policy
tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
vpn-idle-timeout 6000
vpn-session-timeout none
vpn-tunnel-protocol ikev2
nat (inside,outside) source static all_inside_networks all_inside_networks destination static all_outside_networks all_outside_networks no-proxy-arp route-lookup
object-group network all_inside_networks
 network-object 10.0.1.0 255.255.255.0
object-group network all_outside_networks
 network-object 10.0.0.0 255.255.255.0
 network-object 10.0.18.0 255.255.255.0
access-list ASA3_ACL extended permit ip object-group all_inside_networks object-group all_outside_networks


Accepted Solution

Super Bronze

L2L traffic multiple spokes routing

Hi,

Seems to me your ASA1 is missing some rules in the "crypto map" ACL

access-list ASA3_ACL extended permit ip object-group ASA2 object-group ASA3

access-list ASA2_ACL extended permit ip object-group ASA3 object-group ASA2

You are also missing the "nat" command I mentioned

nat (outside,outside) source static ASA2 ASA2 destination static ASA3 ASA3

You should not need a second "nat" command, as this one should match whichever direction the connection is formed in.

Hope this helps

- Jouni

10 REPLIES
Hall of Fame Super Silver

L2L traffic multiple spokes routing

Add this command to your configuration, especially on ASA1.

same-security-traffic permit intra-interface

HTH

Rick

Super Bronze

Re: L2L traffic multiple spokes routing

Hi,

You will need to make sure that ASA1 has the following configured

same-security-traffic permit intra-interface

This is because the traffic will come from "outside" interface and leave through "outside" interface through another L2L VPN connection.

You might also need a  NAT0 configuration on the "outside" interface of the ASA1

For example

object network SITE-2

subnet 10.0.18.0 255.255.255.0

object network SITE-3

subnet 10.0.1.0 255.255.255.0

nat (outside,outside) source static SITE-2 SITE-2 destination static SITE-3 SITE-3

You can naturally use "packet-tracer" on both ASA2 and ASA3 to confirm that they form the SA for the local and remote network with ASA1. If they don't even form them, the problem is between ASA2 and ASA1 or ASA3 and ASA1.

ASA2

packet-tracer input inside tcp 10.0.18.100 12345 10.0.1.100 80

ASA3

packet-tracer input inside tcp 10.0.1.100 12345 10.0.18.100 80

Modify the interface name if it's different from the above. Modify the protocol and/or port if it's not allowed by your local ACL. Issue the command twice, as the L2L VPN negotiation would have gone up after the first time you enter the command and only the second command could pass (unless the connection is already up).

- Jouni
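The two replies above describe three hub-side requirements for spoke-to-spoke traffic: "same-security-traffic permit intra-interface", crypto-map ACLs on the hub that include the other spoke's network, and an identity NAT on (outside,outside) between the two spoke networks. The following is an added example, not code or configuration from this thread or from Cisco, that parses the VPN-relevant lines of an ASA config and reports which of those requirements are missing for every spoke pair. The config text inside it is constructed from what was posted for ASA1; the parser only understands the command shapes seen in this thread (object-group network, extended permit ip ACLs with object-groups, static source/destination NAT, crypto map match/peer), and it accepts a single (outside,outside) rule in either direction, as the accepted answer states.

```python
"""Hub-side check for spoke-to-spoke traffic hairpinned through an ASA over L2L IPsec.
Added example, not code or config from the thread or from Cisco. For each pair of
spokes in the hub's crypto map it checks: (1) same-security-traffic permit
intra-interface is set, (2) each peer's crypto ACL permits the other spoke's network,
(3) an identity NAT on (outside,outside) covers the pair. Only command shapes seen in
the thread are parsed.
"""
import ipaddress
import re
from itertools import combinations

# Constructed input: ASA1's VPN-relevant lines as posted, before the fix.
ASA1_BEFORE = """
same-security-traffic permit intra-interface
crypto map crypto_map 1 match address ASA3_ACL
crypto map crypto_map 1 set peer 3.3.3.3
crypto map crypto_map 2 match address ASA2_ACL
crypto map crypto_map 2 set peer 2.2.2.2
access-list ASA3_ACL extended permit ip object-group all_inside_networks object-group ASA3
access-list ASA2_ACL extended permit ip object-group all_inside_networks object-group ASA2
nat (inside,outside) source static all_inside_networks all_inside_networks destination static all_outside_networks all_outside_networks no-proxy-arp route-lookup
object-group network all_outside_networks
 network-object 10.0.1.0 255.255.255.0
 network-object 10.0.18.0 255.255.255.0
object-group network ASA2
 network-object 10.0.18.0 255.255.255.0
object-group network ASA3
 network-object 10.0.1.0 255.255.255.0
object-group network all_inside_networks
 network-object 10.0.0.0 255.255.255.0
"""
# Constructed input: the three lines the accepted answer adds on ASA1.
ACCEPTED_FIX = """
access-list ASA3_ACL extended permit ip object-group ASA2 object-group ASA3
access-list ASA2_ACL extended permit ip object-group ASA3 object-group ASA2
nat (outside,outside) source static ASA2 ASA2 destination static ASA3 ASA3
"""
ACL_RE = re.compile(r"access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)")
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")
MAP_ACL_RE = re.compile(r"crypto map \S+ (\d+) match address (\S+)")
MAP_PEER_RE = re.compile(r"crypto map \S+ (\d+) set peer (\S+)")

def parse_asa(config):
    """Collect object-groups, crypto ACLs, NAT rules and crypto-map entries."""
    cfg = {"groups": {}, "acls": {}, "nats": [], "crypto": {}, "intra": False}
    group = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("network-object ") and group is not None:
            _, net, mask = line.split()
            cfg["groups"][group].append(ipaddress.ip_network(f"{net}/{mask}"))
            continue
        group = None  # any other command ends the object-group block
        if line == "same-security-traffic permit intra-interface":
            cfg["intra"] = True
        elif line.startswith("object-group network "):
            group = line.split()[2]
            cfg["groups"].setdefault(group, [])
        elif (m := ACL_RE.match(line)):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3]))
        elif (m := NAT_RE.match(line)):
            cfg["nats"].append(m.groups())
        elif (m := MAP_ACL_RE.match(line)):
            cfg["crypto"].setdefault(m[1], {})["acl"] = m[2]
        elif (m := MAP_PEER_RE.match(line)):
            cfg["crypto"].setdefault(m[1], {})["peer"] = m[2]
    return cfg

def covers(cfg, group_name, net):
    # True if some member of the object-group contains `net`.
    return any(net.subnet_of(g) for g in cfg["groups"].get(group_name, []))

def acl_permits(cfg, acl, src, dst):
    return any(covers(cfg, s, src) and covers(cfg, d, dst) for s, d in cfg["acls"].get(acl, []))

def identity_nat_exists(cfg, net_a, net_b):
    # Static identity NAT on (outside,outside) covering the pair, in either direction.
    for ifin, ifout, src, src_x, dst, dst_x in cfg["nats"]:
        if (ifin, ifout) != ("outside", "outside") or src != src_x or dst != dst_x:
            continue
        if (covers(cfg, src, net_a) and covers(cfg, dst, net_b)) or \
           (covers(cfg, src, net_b) and covers(cfg, dst, net_a)):
            return True
    return False

def check_hub(config):
    """Return findings; an empty list means spoke-to-spoke traffic is fully covered."""
    cfg = parse_asa(config)
    findings = []
    if not cfg["intra"]:
        findings.append("missing: same-security-traffic permit intra-interface")
    # A spoke is one crypto-map entry; its networks are the destinations of its crypto ACL.
    spokes = []
    for entry in cfg["crypto"].values():
        if "peer" in entry and "acl" in entry:
            nets = {n for _, d in cfg["acls"].get(entry["acl"], []) for n in cfg["groups"].get(d, [])}
            spokes.append((entry["peer"], entry["acl"], sorted(nets)))
    for (peer_a, acl_a, nets_a), (peer_b, acl_b, nets_b) in combinations(spokes, 2):
        for na in nets_a:
            for nb in nets_b:
                if not acl_permits(cfg, acl_b, na, nb):
                    findings.append(f"{acl_b} (peer {peer_b}) does not permit {na} -> {nb}")
                if not acl_permits(cfg, acl_a, nb, na):
                    findings.append(f"{acl_a} (peer {peer_a}) does not permit {nb} -> {na}")
                if not identity_nat_exists(cfg, na, nb):
                    findings.append(f"no nat (outside,outside) identity rule between {na} and {nb}")
    return findings
```

Running `check_hub(ASA1_BEFORE)` reports the two missing crypto ACL entries and the missing (outside,outside) NAT; `check_hub(ASA1_BEFORE + ACCEPTED_FIX)` returns an empty list. Spoke networks are taken from the destination side of each peer's crypto ACL, which is why a hub whose ACLs only list its own inside network as the source fails the check even though every hub-to-spoke tunnel is up.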

New Member

Re: L2L traffic multiple spokes routing

Hi guys and thank you very much for helping. I already have the command on ASA1

ASA1(config)# show running-config same-security-traffic

same-security-traffic permit intra-interface


I'm going to try doing some packet tracing, would you like to see ASA1 config ?

Super Bronze

L2L traffic multiple spokes routing

Hi,

It wouldn't hurt, at least.

Naturally, if it has a large NAT/ACL configuration it might be easier to confirm things with "packet-tracer".

But you can naturally share the configurations (without any public IP addresses).

- Jouni

New Member

Re: L2L traffic multiple spokes routing

ASA1 VPN config

crypto map crypto_map 1 match address ASA3_ACL
crypto map crypto_map 1 set peer 3.3.3.3
crypto map crypto_map 1 set ikev2 ipsec-proposal aes_256
crypto map crypto_map 2 match address ASA2_ACL
crypto map crypto_map 2 set peer 2.2.2.2
crypto map crypto_map 2 set ikev2 ipsec-proposal aes_256
crypto map crypto_map interface outside
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
 default-group-policy ipsec_group_policy
tunnel-group 3.3.3.3 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
 default-group-policy ipsec_group_policy
tunnel-group 2.2.2.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
access-list ASA3_ACL extended permit ip object-group all_inside_networks object-group ASA3
access-list ASA2_ACL extended permit ip object-group all_inside_networks object-group ASA2
nat (inside,outside) source static all_inside_networks all_inside_networks destination static all_outside_networks all_outside_networks no-proxy-arp route-lookup
object-group network all_outside_networks
 network-object 10.0.1.0 255.255.255.0
 network-object 10.0.18.0 255.255.255.0
object-group network ASA2
 network-object 10.0.18.0 255.255.255.0
object-group network ASA3
 network-object 10.0.1.0 255.255.255.0
object-group network all_inside_networks
 network-object 10.0.0.0 255.255.255.0
group-policy ipsec_group_policy internal
group-policy ipsec_group_policy attributes
 vpn-idle-timeout 6000
 vpn-session-timeout none
 vpn-tunnel-protocol ikev2


L2L traffic multiple spokes routing

Hi Delmiro,

In addition to what JouniForss has requested (creating a no-nat between the two remote ASAs), you are also required to no-nat in the opposite direction as well.

nat (outside,outside) source static SITE-3 SITE-3 destination static SITE-2 SITE-2

Hope this helps.

thanks

Rizwan Rafeek

New Member

Re: L2L traffic multiple spokes routing

ASA 2 VPN Config:

protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map crypto_map 1 match address ASA2_ACL
crypto map crypto_map 1 set peer 1.1.1.1
crypto map crypto_map 1 set ikev2 ipsec-proposal aes_256
crypto map crypto_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 2
 prf sha256
 lifetime seconds 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy ipsec_group_policy
tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
vpn-idle-timeout 6000
vpn-session-timeout none
vpn-tunnel-protocol ikev2
nat (inside,outside) source static all_inside_networks all_inside_networks destination static all_outside_networks all_outside_networks no-proxy-arp route-lookup
object-group network all_inside_networks
 network-object 10.0.1.0 255.255.255.0
object-group network all_outside_networks
 network-object 10.0.0.0 255.255.255.0
 network-object 10.0.18.0 255.255.255.0
access-list ASA2_ACL extended permit ip object-group all_inside_networks object-group all_outside_networks


New Member

Re: L2L traffic multiple spokes routing

oh my god, I can't believe I missed that. Thank you Jouni, I'm going to try those changes next.

New Member

Re: L2L traffic multiple spokes routing

Thank you Jouni, as always you are amazing, please keep up the great support that you provide to the community. 
