11-12-2014 10:12 AM
Hi All,
I need your help with this vpn traffic routing over multiple hops. Below is the topology:
Site1(192.168.2.0/24) ---vpn---ASA1(172.16.8.1)–––––––––ASA2(172.16.8.254)---vpn---Site2(10.10.1.0/24)
\---vpn---Site3(10.10.2.0/24)
Now we want users on the Site2 and Site3 subnets to be able to access servers on the Site1 network. How should we configure the ASAs in this case?
Thank you very much
Charlie
11-15-2014 11:01 AM
Hello Charlie,
In this case, all you have to do is add the extra entries on the L2L and make sure the NAT exemption is in place; basically you will have to do the following:
Site 1 to ASA1
This access-list is the one under the crypto map Configuration (match address XX):
If this is an ASA:
access-list VPN permit ip 192.168.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list VPN permit ip 192.168.2.0 255.255.255.0 10.10.2.0 255.255.255.0
If it is a router:
ip access-list extended VPN
permit ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 10.10.2.0 0.0.0.255
ASA1 to site 1:
Under the crypto map:
access-list VPN permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN permit ip 10.10.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT permit ip 10.10.2.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA2 to site 3:
access-list VPN permit ip 192.168.2.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list NONAT permit ip 192.168.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list NONAT permit ip 192.168.2.0 255.255.255.0 10.10.2.0 255.255.255.0
This access-list is the one under the crypto map Configuration (match address XX):
If this is an ASA:
access-list VPN permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0
If it is a router:
ip access-list extended VPN
permit ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255
This access-list is the one under the crypto map Configuration (match address XX):
If this is an ASA:
access-list VPN permit ip 10.10.2.0 255.255.255.0 192.168.2.0 255.255.255.0
If it is a router:
ip access-list extended VPN
permit ip 10.10.2.0 0.0.0.255 192.168.2.0 0.0.0.255
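The mirror-image rule in the answer above (every crypto-ACL entry on one device appears on its peer with source and destination swapped, and each entry also has a NAT-exempt entry in the same direction) is easy to get wrong across three sites, and a single missing entry only shows up when that one subnet pair fails to bring up its SA. The script below is an added example, not code from this thread or from Cisco: it parses ASA `access-list ... permit ip` lines and reports unmirrored and non-exempt entries for a pair of peers. The SITE1 config and the ACL names VPN and NONAT are constructed for the example; the ASA1 config is the one Charlie posts later in the thread, and against it the check reports the 10.10.2.0/24 entry that ASA1 lacks and the 172.16.8.0/24 entry that Site1 does not mirror.

```python
"""Mirror / NAT-exempt consistency check for ASA L2L crypto ACLs.

Added example; not code from the thread or from Cisco. Parses ASA-style
'access-list NAME [extended] permit ip SRC MASK DST MASK' lines and reports
  1. crypto-ACL entries whose mirrored (src/dst swapped) entry is missing
     on the peer, and
  2. crypto-ACL entries with no NAT-exempt entry in the same direction.
"""
import ipaddress
import re
from typing import Dict, Set, Tuple

Entry = Tuple[str, str]  # (source network, destination network) as CIDR strings

# Only 'permit ip' lines with explicit network/mask pairs are considered;
# 'any', host entries and other protocols are ignored by this check.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_acls(config: str) -> Dict[str, Set[Entry]]:
    """Return {acl_name: {(src_cidr, dst_cidr), ...}} from 'show run access-list' text."""
    acls: Dict[str, Set[Entry]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        # ipaddress accepts 'network/netmask' and normalises it to CIDR notation
        src = str(ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False))
        dst = str(ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False))
        acls.setdefault(m["name"], set()).add((src, dst))
    return acls


def check_site(config: str, crypto_acl: str, nonat_acl: str,
               peer_config: str, peer_crypto_acl: str) -> Dict[str, Set[Entry]]:
    """Compare one device's crypto ACL with its peer's crypto ACL and its own NAT-exempt ACL."""
    crypto = parse_acls(config).get(crypto_acl, set())
    nonat = parse_acls(config).get(nonat_acl, set())
    peer_crypto = parse_acls(peer_config).get(peer_crypto_acl, set())
    return {
        # the peer must carry the exact mirror image or that proxy-ID pair
        # never negotiates a security association
        "unmirrored": {(s, d) for (s, d) in crypto if (d, s) not in peer_crypto},
        # without the exemption the flow falls through to the dynamic NAT rule
        "not_exempt": {e for e in crypto if e not in nonat},
    }


# Constructed Site1 firewall config for the example (ACL names are assumptions).
SITE1_CFG = """\
access-list VPN extended permit ip 192.168.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list VPN extended permit ip 192.168.2.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.10.2.0 255.255.255.0
"""

# ASA1 access-lists as posted in the thread.
ASA1_CFG = """\
access-list internet-in extended permit icmp any any
access-list no-nat-vpn-traffic extended permit ip 172.16.8.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no-nat-vpn-traffic extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn-S2-S1 extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn-S2-S1 extended permit ip 172.16.8.0 255.255.255.0 192.168.2.0 255.255.255.0
"""


def report() -> Dict[str, Dict[str, Set[Entry]]]:
    """Run the check in both directions for the Site1 <-> ASA1 tunnel."""
    return {
        "site1": check_site(SITE1_CFG, "VPN", "NONAT", ASA1_CFG, "vpn-S2-S1"),
        "asa1": check_site(ASA1_CFG, "vpn-S2-S1", "no-nat-vpn-traffic", SITE1_CFG, "VPN"),
    }


if __name__ == "__main__":
    for device, findings in report().items():
        for kind, entries in findings.items():
            for src, dst in sorted(entries):
                print(f"{device}: {kind}: {src} -> {dst}")
```

Feed it the `show run access-list` output of each pair of peers; an entry that is flagged as unmirrored on one side is the one to add on the other, and a flagged not_exempt entry is the NAT exemption the answer above asks for.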
11-18-2014 01:59 PM
Hi David,
Thank you so very much for the detailed step-by-step instructions. Basically I understand the concept now, but some weird things are holding me up.
So the VPN tunnels from Site1 to ASA1 and from Site2 to ASA2 are working now, but still not from Site1 to Site2. I ran packet-tracer on ASA1 and it's being dropped:
ASA1# packet-tracer input inside icmp 192.168.2.1 8 0 10.10.1.11 det

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.1.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8694350, priority=3, domain=permit, deny=false
 hits=21, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd86a8de0, priority=0, domain=permit-ip-option, deny=true
 hits=38, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd86aaa40, priority=66, domain=inspect-icmp-error, deny=false
 hits=38, user_data=0xd86aa970, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 0 access-list no-nat-vpn-traffic
 match ip inside 10.10.1.0 255.255.255.0 inside 192.168.2.0 255.255.255.0
 NAT exempt
 translate_hits = 0, untranslate_hits = 2
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd5a75a08, priority=6, domain=nat-exempt-reverse, deny=false
 hits=1, user_data=0xd8d0b178, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
 src ip=192.168.2.0, mask=255.255.255.0, port=0
 dst ip=10.10.1.0, mask=255.255.255.0, port=0

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 255 0.0.0.0 0.0.0.0
 match ip inside any inside any
 dynamic translation to pool 255 (No matching global)
 translate_hits = 22, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd5a76580, priority=1, domain=nat, deny=false
 hits=21, user_data=0xd5a764e0, cs_id=0x0, flags=0x0, protocol=0
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
And this is the config on that ASA1:
ASA1# sh run global
global (outside) 255 interface
ASA1# sh run nat
nat (inside) 0 access-list no-nat-vpn-traffic
nat (inside) 255 0.0.0.0 0.0.0.0
ASA1# sh run access-list
access-list internet-in extended permit icmp any any
access-list no-nat-vpn-traffic extended permit ip 172.16.8.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no-nat-vpn-traffic extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn-S2-S1 extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn-S2-S1 extended permit ip 172.16.8.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA1# sh run route
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
route inside 10.10.1.0 255.255.255.0 172.16.8.254 1
I even enabled same-security-traffic, but it still didn't help:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Thanks
Charlie
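The trace in the post above was pasted as one long line, which makes the dropping phase hard to spot. Below is an added example (not code from the thread or from Cisco) that parses packet-tracer output, flattened or in its normal multi-line form, into phases and returns the first DROP phase with its Config, together with the input and output interfaces of the simulated flow. SAMPLE is constructed from Charlie's trace and keeps only phases 2, 6 and 7 and the Result block. One thing it makes visible: the trace was run with `input inside` and a 192.168.2.1 source, so the simulated packet enters on inside and leaves on inside without ever touching the tunnel; decrypted Site1 traffic actually reaches ASA1 on the outside interface, so `packet-tracer input outside ...` is what models the real flow.

```python
"""Parse ASA packet-tracer output and find the phase that dropped the packet.

Added example; not code from the thread or from Cisco. Works on the normal
multi-line output and on output flattened onto a single line.
"""
import re
from typing import Any, Dict, List, Optional

# One match per "Phase: N ... Additional Information: ..." block, running up to
# the next phase or to the final "Result: input-interface:" block.
PHASE_RE = re.compile(
    r"Phase:\s*(?P<num>\d+)\s+Type:\s*(?P<type>\S+)\s+Subtype:\s*(?P<subtype>\S*?)\s+"
    r"Result:\s*(?P<result>ALLOW|DROP)\s+Config:\s*(?P<config>.*?)\s*"
    r"Additional Information:\s*(?P<info>.*?)"
    r"(?=\s*Phase:\s*\d+|\s*Result:\s*input-interface|\Z)",
    re.DOTALL,
)
ACTION_RE = re.compile(r"Action:\s*(?P<action>\w+)")
REASON_RE = re.compile(r"Drop-reason:\s*(?P<reason>.*)")
IFACE_RE = re.compile(r"(?P<dir>input|output)-interface:\s*(?P<name>\S+)")


def parse_packet_tracer(text: str) -> Dict[str, Any]:
    """Return the phases plus the final action, drop reason and interfaces."""
    phases: List[Dict[str, Any]] = []
    for m in PHASE_RE.finditer(text):
        phases.append({
            "num": int(m["num"]),
            "type": m["type"],
            "subtype": m["subtype"],
            "result": m["result"],
            # collapse multi-line Config / Additional Information onto one line
            "config": " ".join(m["config"].split()),
            "info": " ".join(m["info"].split()),
        })
    action = ACTION_RE.search(text)
    reason = REASON_RE.search(text)
    ifaces = {m["dir"]: m["name"] for m in IFACE_RE.finditer(text)}
    return {
        "phases": phases,
        "action": action["action"] if action else None,
        "drop_reason": reason["reason"].strip() if reason else None,
        "input_interface": ifaces.get("input"),
        "output_interface": ifaces.get("output"),
    }


def first_drop(parsed: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """The first phase whose Result is DROP, or None if the packet was allowed."""
    return next((p for p in parsed["phases"] if p["result"] == "DROP"), None)


def drop_summary(text: str) -> str:
    """One-line verdict: which phase dropped the packet and which rule it hit."""
    parsed = parse_packet_tracer(text)
    path = f"{parsed['input_interface']} -> {parsed['output_interface']}"
    drop = first_drop(parsed)
    if drop is None:
        return f"action={parsed['action']} ({path}): no DROP phase"
    return (f"dropped in phase {drop['num']} ({drop['type']}) on {path}: "
            f"{drop['config']} [{parsed['drop_reason']}]")


# Constructed from the trace posted in the thread, flattened onto one line
# exactly as it was pasted; phases 1, 3, 4 and 5 are left out for brevity.
SAMPLE = (
    "ASA1# packet-tracer input inside icmp 192.168.2.1 8 0 10.10.1.11 det "
    "Phase: 2 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: "
    "Additional Information: in 10.10.1.0 255.255.255.0 inside "
    "Phase: 6 Type: NAT-EXEMPT Subtype: rpf-check Result: ALLOW Config: "
    "nat (inside) 0 access-list no-nat-vpn-traffic match ip inside 10.10.1.0 "
    "255.255.255.0 inside 192.168.2.0 255.255.255.0 NAT exempt "
    "translate_hits = 0, untranslate_hits = 2 Additional Information: "
    "Forward Flow based lookup yields rule: in id=0xd5a75a08, priority=6, "
    "domain=nat-exempt-reverse, deny=false hits=1 "
    "Phase: 7 Type: NAT Subtype: Result: DROP Config: nat (inside) 255 0.0.0.0 "
    "0.0.0.0 match ip inside any inside any dynamic translation to pool 255 "
    "(No matching global) translate_hits = 22, untranslate_hits = 0 "
    "Additional Information: Forward Flow based lookup yields rule: "
    "in id=0xd5a76580, priority=1, domain=nat, deny=false hits=21 "
    "Result: input-interface: inside input-status: up input-line-status: up "
    "output-interface: inside output-status: up output-line-status: up "
    "Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule"
)

if __name__ == "__main__":
    print(drop_summary(SAMPLE))
```

Paste the raw `packet-tracer ... det` output in place of SAMPLE; the summary line names the phase and the exact NAT or ACL line that matched, and the interface pair tells you whether the simulated packet actually took the path the real traffic takes.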
11-18-2014 02:20 PM
Hello Charlie,
According to this packet-tracer output, you have a routing issue:
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.1.0 255.255.255.0 inside
You can verify on the ASA1 by issuing this show command --> show run route
There is a route sending all of 10.10.1.0 to the inside interface, so you may have a VLAN internally that uses that subnet, which would now be overlapping.
1. Make sure that you have a 10.10.1.0/24 subnet behind the ASA, if not please remove the route --> route inside 10.10.1.0 255.255.255.0 XXXXX
XXXXX --> next hop IP address
2. If it is you will need to NAT the destination, for example 10.10.1.0/24 to 192.168.10.0/24
3. If you remove the route, you don't need to do a NAT for that, though you have to correct the NAT exempt on ASA1; you have it like this:
access-list no-nat-vpn-traffic extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Correct statement:
access-list no-nat-vpn-traffic extended permit ip 192.168.2.0 255.255.255.0 10.10.1.0 255.255.255.0
Let me know how this works out, and it is a pleasure to help you!
Please don't forget to rate and mark as correct the helpful Post!
Regards,
David Castro
11-19-2014 12:35 PM
Hi David,
Thank you very much again for your prompt response.
But I'm afraid I confused you here. The route for the subnet 10.10.1.0 must exist on ASA1, as that subnet is on the other end of the VPN tunnel with ASA2. It looks like this:
192.168.2.0---fw---l2l-vpn---ASA1---172.16.8.0---ASA2---l2l-vpn---fw---10.10.1.0
All the networks have 24 bits netmask. The inside ip for ASA1 is 172.16.8.1 and the inside ip for ASA2 is 172.16.8.254. So on ASA1 i have this route added:
route inside 10.10.1.0 255.255.255.0 172.16.8.254
and vice versa on ASA2:
route inside 192.168.2.0 255.255.255.0 172.16.8.1
So this must be the routing issue on our two ASAs. Somehow the encrypted VPN traffic is treated differently, but what is it? Please help me.
Thank you
Charlie
11-19-2014 01:42 PM
Hi David,
I'm terribly sorry. It was all my mistake. I configured it wrong on the ASA2!
So basically your instructions above should make it work, and it's working for me now.
I was just looking at this packet-tracer command running on ASA1 and assumed that it doesn't work, and didn't check on ASA2.
ASA1# packet-tracer input inside icmp 192.168.2.11 8 0 10.10.1.11 det

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.1.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8694350, priority=3, domain=permit, deny=false
 hits=37, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd86a8de0, priority=0, domain=permit-ip-option, deny=true
 hits=163, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd86aaa40, priority=66, domain=inspect-icmp-error, deny=false
 hits=151, user_data=0xd86aa970, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 6
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8d94b50, priority=12, domain=debug-icmp-trace, deny=false
 hits=58, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 0 access-list no-nat-vpn-traffic
 match ip inside 10.10.1.0 255.255.255.0 inside 192.168.2.0 255.255.255.0
 NAT exempt
 translate_hits = 0, untranslate_hits = 7
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd5a75a08, priority=6, domain=nat-exempt-reverse, deny=false
 hits=6, user_data=0xd8d0b178, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
 src ip=192.168.2.0, mask=255.255.255.0, port=0
 dst ip=10.10.1.0, mask=255.255.255.0, port=0

Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 255 0.0.0.0 0.0.0.0
 match ip inside any inside any
 dynamic translation to pool 255 (No matching global)
 translate_hits = 38, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd5a76580, priority=1, domain=nat, deny=false
 hits=37, user_data=0xd5a764e0, cs_id=0x0, flags=0x0, protocol=0
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Thank you very much
Charlie
11-19-2014 04:47 PM
Hello Charlie,
That is great that it is working now. If something happens, let me know, and don't forget to rate and mark as correct the above post if it helped you.
Regards!