Beginner

ASA 8.6 VPN clients hairpin to remote L2L side not working?

Hi,

 

I just replaced a pair of older ASA firewalls running 8.3 with 5515-Xs running 8.6. One part is not working and I'm not sure whether there have been any changes that prevent it or whether I have overlooked a detail.

Our VPN clients connecting to our office firewalls can reach our internal networks and the internet (no split tunnel, everything is tunneled). They can't, however, reach any remote L2L networks.

 

1) I see hitcnt for outside_access_in

2) I don't see NAT hits (masquerading VPN clients to a specific NAT IP when bound for customer X networks)

 

Basic config

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network ipsecvpnpool
 subnet 172.16.32.0 255.255.255.0

object network customer-dmz
 subnet 10.10.74.0 255.255.255.0

access-list outside_access_in line 1 extended permit ip object ipsecvpnpool object customer-dmz (hitcnt=0) 0xabe3ed7e 
  access-list outside_access_in line 1 extended permit ip 172.16.32.0 255.255.255.0 10.10.74.0 255.255.255.0 (hitcnt=197) 0xabe3ed7e 

access-list outside_access_out line 1 extended permit ip any object customer-dmz (hitcnt=0) 0xa0406a63 
  access-list outside_access_out line 1 extended permit ip any 10.10.74.0 255.255.255.0 (hitcnt=0) 0xa0406a63 

 

Rule 6 with no hits, clearly not affected by any other rules:

1 (dmz) to (outside) source static ns2 other-nat-1   destination static other_cust_1 other_cust_1
    translate_hits = 12, untranslate_hits = 0
2 (outside) to (outside) source static ipsecvpnpool other-nat-2   destination static other_cust_2 other_cust_2
    translate_hits = 0, untranslate_hits = 0
3 (outside) to (outside) source static ipsecvpnpool other-nat-3  destination static other_cust_3 other_cust_3
    translate_hits = 0, untranslate_hits = 259
4 (outside) to (outside) source dynamic ipsecvpnpool other-nat-4   destination static other_cust_4 other_cust_4
    translate_hits = 0, untranslate_hits = 0
5 (outside) to (outside) source static ipsecvpnpool other-nat-5  destination static other_cust_5 other_cust_5
    translate_hits = 0, untranslate_hits = 0
6 (outside) to (outside) source dynamic ipsecvpnpool customer-nat-ip   destination static customer-dmz customer-dmz
    translate_hits = 0, untranslate_hits = 0

 

 

A capture on 'ip any object customer-dmz' on interface outside shows nothing, thus it's not trying without the NAT. Something has got to be blocking this.
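As an added example (not configuration from the original post), this is the set of pieces an (outside,outside) hairpin from the RA VPN pool into a remote L2L network needs on ASA 8.3+ code, followed by the check that shows which NAT rule and which route the ASA actually applies to a client packet. The object names ipsecvpnpool, customer-dmz and customer-nat-ip are the ones in the thread; the NAT host address, crypto ACL name, crypto map name, sequence number and peer address are assumed placeholders.

```cisco
! Added example, not the poster's config. Names marked "assumed" are placeholders.
same-security-traffic permit intra-interface
!
object network ipsecvpnpool
 subnet 172.16.32.0 255.255.255.0
object network customer-dmz
 subnet 10.10.74.0 255.255.255.0
object network customer-nat-ip
 host 203.0.113.10
! 203.0.113.10 is an assumed RFC 5737 placeholder for the NAT address agreed with the customer
!
! Manual (twice) NAT in section 1, placed before any broader rule that could
! match the same traffic: VPN clients bound for customer-dmz leave as customer-nat-ip.
nat (outside,outside) source dynamic ipsecvpnpool customer-nat-ip destination static customer-dmz customer-dmz
!
! Outbound crypto ACL matching happens after NAT on the ASA, so the L2L
! "interesting traffic" ACL must carry the NAT address, not the client pool.
! ACL name, map name, sequence number and peer are assumed.
access-list customer-l2l extended permit ip object customer-nat-ip object customer-dmz
crypto map outside_map 10 match address customer-l2l
crypto map outside_map 10 set peer 198.51.100.1
!
! The check: walk one client packet through the box and read the NAT and
! ROUTE-LOOKUP phases. A drop reason of no-route or nat-xlate-failed here is
! the same condition the "routing failed to locate next hop" debug points at.
packet-tracer input outside tcp 172.16.32.10 40000 10.10.74.10 443 detailed
!
! Rule order is first-match; confirm where the hairpin rule sits relative to
! the generic rules and whether its translate_hits move after the trace.
show nat detail
```

Run the packet-tracer before and after moving the hairpin rule, and compare the translate_hits on the (outside,outside) rule in `show nat detail`: if the trace selects a different NAT rule or ends in the ROUTE-LOOKUP phase, that phase, not the access list, is what needs attention.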

 

5 Replies
Beginner

I do see "routing failed to locate next hop for outside" using debug logging.

Rising star

Hi there,

 

 

I understand that you have the objects below defined.

object network ipsecvpnpool
 subnet 172.16.32.0 255.255.255.0

object network customer-dmz
 subnet 10.10.74.0 255.255.255.0

 

Tell me, do you have a separate tunnel terminating to the customer's DMZ segment?

If I understood you right, you want your remote VPN clients to access the remote customer's DMZ segment?

 

Please post your answers, along with your current configs.

 

thanks

 

Beginner

Hi,

 

Yes I have. I have narrowed the problem down to generic NAT rules that interfere, albeit coming later in the chain:

Something like this makes it fail:

<snip>

6 (outside) to (outside) source dynamic ipsecvpnpool customer-nat-ip   destination static customer-dmz customer-dmz

...

55 (lan) to (outside) source dynamic any any destination static rfc1918 rfc1918

 

This actually makes ipsecvpnpool hairpinning towards the external L2L tunnel fail. I simply can't have generic catch-all (no)NAT rules.

 

I have hired a consultant to come and explain the issues, I will report back once I know exactly what is happening.

Rising star

Hi there,

 

You might want to read the thread below; it should help resolve your issue.

https://supportforums.cisco.com/discussion/12424821/can-not-ping-between-remote-vpn-site

 

thanks

Rizwan Rafeek

Beginner

Rizwan: That's a negative, it won't resolve my issue as I'm already doing this (see part in bold):

 

 

6 (outside) to (outside) source dynamic ipsecvpnpool customer-nat-ip   destination static customer-dmz customer-dmz