Solved: Routing traffic over multiple l2l vpn with ASA

ctx7990570 · ‎11-12-2014

Hi All,

I need your help with this vpn traffic routing over multiple hops. Below is the topology:

Site1(192.168.2.0/24) ---vpn---ASA1(172.16.8.1)–––––––––ASA2(172.16.8.254)---vpn---Site2(10.10.1.0/24)

\---vpn---Site3(10.10.2.0/24)

Site1 connects to ASA1 via L2L vpn tunnel
Site2 and Site3 connects to ASA2 via L2L vpn tunnels
ASA1 and ASA2 on the same subnet and running IOS 8.2(5)

Now we want that users on Site2 and Site3 subnets can access to servers on Site1 network. How could we configure the ASAs in this case?

Thank you very much

Charlie

David Johan Castro Fernandez · ‎11-15-2014

Hello Charlie,

On this case, all you have to is to add extra entries on the L2L, make sure of the NAT exempt is in placed, basically you will have to do the following:

Site 1 to ASA1

This access-list is the one under the crypto map Configuration (match address XX):

If this is an ASA:

access-list VPN permit ip 192.168.2.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list VPN permit ip 192.168.2.0 255.255.255.0 10.10.2.0 255.255.255.0

If it is a router:

ip access-list extended VPN

permit ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255

permit ip 192.168.2.0 0.0.0.255 10.10.2.0 0.0.0.255

ASA1 to site 1:

Under the crypto map:

access-list VPN permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list VPN permit ip 10.10.2.0 255.255.255.0 192.168.2.0 255.255.255.0

NAT exempt (if you are doing NAT):

access-list NONAT permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list NONAT permit ip 10.10.2.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (XXXX) 0 access-list NONAT

XXXX --> interface from where the 10.10.1.0/24 and 10.10.2.0/24 are going to ingress to the ASA.

Then add the routes from where the 10.10.1.0/24 and 10.10.2.0/24 are residing from:

route XXXX 10.10.1.0 255.255.255.0 YYYYY

route XXXX 10.10.2.0 255.255.255.0 YYYYY

XXXX--> Interface name

YYYY--> Next hop IP address

---------------------------------------------------------------------------------------------------------------------------

ASA2 to site 2:

Access list under the crypto map:

access-list VPN permit ip 192.168.2.0 255.255.255.0 10.10.1.0 255.255.255.0

ASA2 to site 3:

Access list under the crypto map:

access-list VPN permit ip 192.168.2.0 255.255.255.0 10.10.2.0 255.255.255.0

NAT exempt (if you are doing NAT):

access-list NONAT permit ip 192.168.2.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list NONAT permit ip 192.168.2.0 255.255.255.0 10.10.2.0 255.255.255.0

nat (XXXX) 0 access-list NONAT

XXXX --> interface from where the 192.168.2.0/24 going to ingress to the ASA.

Then add the routes from where the 192.168.2.0/24 is residing from:

route XXXX 192.168.2.0 255.255.255.0 YYYYY

XXXX--> Interface name

YYYY--> Next hop IP address

Site2 to ASA2:

This access-list is the one under the crypto map Configuration (match address XX):

If this is an ASA:

access-list VPN permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0

If it is a router:

ip access-list extended VPN

permit ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Site3 to ASA2:

This access-list is the one under the crypto map Configuration (match address XX):

If this is an ASA:

access-list VPN permit ip 10.10.2.0 255.255.255.0 192.168.2.0 255.255.255.0

If it is a router:

ip access-list extended VPN

permit ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Please Make sure to add the following if needed:

* Add the NAT exempt on the 3 sites if you are doing NAT

* Add static routes indicating where the destination is.

Let me know how it works out!

Please don't forget to rate and mark as correct the helpful post!

David Castro,

Regards,

View solution in original post

David Johan Castro Fernandez · ‎11-15-2014

Hello Charlie,

On this case, all you have to is to add extra entries on the L2L, make sure of the NAT exempt is in placed, basically you will have to do the following:

Site 1 to ASA1

This access-list is the one under the crypto map Configuration (match address XX):

If this is an ASA:

access-list VPN permit ip 192.168.2.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list VPN permit ip 192.168.2.0 255.255.255.0 10.10.2.0 255.255.255.0

If it is a router:

ip access-list extended VPN

permit ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255

permit ip 192.168.2.0 0.0.0.255 10.10.2.0 0.0.0.255

ASA1 to site 1:

Under the crypto map:

access-list VPN permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list VPN permit ip 10.10.2.0 255.255.255.0 192.168.2.0 255.255.255.0

NAT exempt (if you are doing NAT):

access-list NONAT permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list NONAT permit ip 10.10.2.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (XXXX) 0 access-list NONAT

XXXX --> interface from where the 10.10.1.0/24 and 10.10.2.0/24 are going to ingress to the ASA.

Then add the routes from where the 10.10.1.0/24 and 10.10.2.0/24 are residing from:

route XXXX 10.10.1.0 255.255.255.0 YYYYY

route XXXX 10.10.2.0 255.255.255.0 YYYYY

XXXX--> Interface name

YYYY--> Next hop IP address

---------------------------------------------------------------------------------------------------------------------------

ASA2 to site 2:

Access list under the crypto map:

access-list VPN permit ip 192.168.2.0 255.255.255.0 10.10.1.0 255.255.255.0

ASA2 to site 3:

Access list under the crypto map:

access-list VPN permit ip 192.168.2.0 255.255.255.0 10.10.2.0 255.255.255.0

NAT exempt (if you are doing NAT):

access-list NONAT permit ip 192.168.2.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list NONAT permit ip 192.168.2.0 255.255.255.0 10.10.2.0 255.255.255.0

nat (XXXX) 0 access-list NONAT

XXXX --> interface from where the 192.168.2.0/24 going to ingress to the ASA.

Then add the routes from where the 192.168.2.0/24 is residing from:

route XXXX 192.168.2.0 255.255.255.0 YYYYY

XXXX--> Interface name

YYYY--> Next hop IP address

Site2 to ASA2:

This access-list is the one under the crypto map Configuration (match address XX):

If this is an ASA:

access-list VPN permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0

If it is a router:

ip access-list extended VPN

permit ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Site3 to ASA2:

This access-list is the one under the crypto map Configuration (match address XX):

If this is an ASA:

access-list VPN permit ip 10.10.2.0 255.255.255.0 192.168.2.0 255.255.255.0

If it is a router:

ip access-list extended VPN

permit ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Please Make sure to add the following if needed:

* Add the NAT exempt on the 3 sites if you are doing NAT

* Add static routes indicating where the destination is.

Let me know how it works out!

Please don't forget to rate and mark as correct the helpful post!

David Castro,

Regards,

ctx7990570 · ‎11-18-2014

Hi David,

Thank you so very much for detail step by step instruction. Basically i understand the concept now but some weird things are holding me up.

So the vpn tunnels from Site1 to ASA1 and Site2 to ASA2 are working now but still not from Site1 to Site2. I ran the packet tracer on ASA1 and it's been dropped:

ASA1# packet-tracer input inside icmp 192.168.2.1 8 0 10.10.1.11 det

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.1.0       255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8694350, priority=3, domain=permit, deny=false
        hits=21, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd86a8de0, priority=0, domain=permit-ip-option, deny=true
        hits=38, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd86aaa40, priority=66, domain=inspect-icmp-error, deny=false
        hits=38, user_data=0xd86aa970, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 0 access-list no-nat-vpn-traffic
  match ip inside 10.10.1.0 255.255.255.0 inside 192.168.2.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 2
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd5a75a08, priority=6, domain=nat-exempt-reverse, deny=false
        hits=1, user_data=0xd8d0b178, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.2.0, mask=255.255.255.0, port=0
        dst ip=10.10.1.0, mask=255.255.255.0, port=0

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 255 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 255 (No matching global)
    translate_hits = 22, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd5a76580, priority=1, domain=nat, deny=false
        hits=21, user_data=0xd5a764e0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

And this is the config on that ASA1:

ASA1# sh run global
global (outside) 255 interface
ASA1# sh run nat
nat (inside) 0 access-list no-nat-vpn-traffic
nat (inside) 255 0.0.0.0 0.0.0.0

ASA1# sh run access-list
access-list internet-in extended permit icmp any any
access-list no-nat-vpn-traffic extended permit ip 172.16.8.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no-nat-vpn-traffic extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn-S2-S1 extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn-S2-S1 extended permit ip 172.16.8.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA1# sh run route
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
route inside 10.10.1.0 255.255.255.0 172.16.8.254 1

I even enable the same-security-traffic but still no help

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Thanks

Charlie

David Johan Castro Fernandez · ‎11-18-2014

Hello Charlie,

According to this Packet tracer, you have a routng issue:

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.1.0       255.255.255.0   inside

You can verify on the ASA1 by issuing this show command --> show run route

There is a route taking all the 10.10.1.0 to the inside interface, so you either have internally a VLAN taking that subnet, which is overlapping now.

1. Make sure that you have a 10.10.1.0/24 subnet behind the ASA, if not please remove the route --> route inside 10.10.1.0 255.255.255.0 XXXXX

XXXXX --> next hop IP address

2. If it is you will need to NAT the destination, for example 10.10.1.0/24 to 192.168.10.0/24

3. If you remove the route, you don´t need to do a NAT for that, though you have to correct the NAT exempt on ASA1, you have like this:

access-list no-nat-vpn-traffic extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Correct statement:

access-list no-nat-vpn-traffic extended permit ip 192.168.2.0 255.255.255.0 10.10.1.0 255.255.255.0

Let me know how this works out, and it is a pleasure to help you!

Please don't forget to rate and mark as correct the helpful Post!

David Castro,

Regards,

ctx7990570 · ‎11-19-2014

Hi David,

Thank you very much again for your prompt response.

But I'm afraid i made you confused here. The route for the subnet 10.10.1.0 must exist on ASA1 as that subnet is on the other end of the vpn tunnel with ASA2. It looks like this:

192.168.2.0---fw---l2l-vpn---ASA1---172.16.8.0---ASA2---l2l-vpn---fw---10.10.1.0

All the networks have 24 bits netmask. The inside ip for ASA1 is 172.16.8.1 and the inside ip for ASA2 is 172.16.8.254. So on ASA1 i have this route added:

route inside 10.10.1.0 255.255.255.0 172.16.8.254

and vice versa on ASA2:

route inside 192.168.2.0 255.255.255.0 172.16.8.1

So this must be the routing issue on our two ASA. Somehow the encrypted vpn traffic was treated differently and what it is? Please help me.

Thank you

Charlie

ctx7990570 · ‎11-19-2014

Hi David,

I'm terribly sorry. It was all my mistake. I configured it wrong on the ASA2!

So basically with your instruction above should make it work and it's working for me now.

I was just looking at this packet-tracer command running on ASA1 and assumed that it doesn't work and didn't check on the ASA2.

ASA1# packet-tracer input inside icmp 192.168.2.11 8 0 10.10.1.11 det

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.1.0       255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8694350, priority=3, domain=permit, deny=false
        hits=37, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd86a8de0, priority=0, domain=permit-ip-option, deny=true
        hits=163, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd86aaa40, priority=66, domain=inspect-icmp-error, deny=false
        hits=151, user_data=0xd86aa970, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 6
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8d94b50, priority=12, domain=debug-icmp-trace, deny=false
        hits=58, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 0 access-list no-nat-vpn-traffic
  match ip inside 10.10.1.0 255.255.255.0 inside 192.168.2.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 7
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd5a75a08, priority=6, domain=nat-exempt-reverse, deny=false
        hits=6, user_data=0xd8d0b178, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.2.0, mask=255.255.255.0, port=0
        dst ip=10.10.1.0, mask=255.255.255.0, port=0

Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 255 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 255 (No matching global)
    translate_hits = 38, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd5a76580, priority=1, domain=nat, deny=false
        hits=37, user_data=0xd5a764e0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thank you very much

Charlie

David Johan Castro Fernandez · ‎11-19-2014

Hello Charlie,

That is great, that it is working now, if something happens let me know, also don't forget to rate and mark as correct the above Post if that helped you.

Regards!