02-16-2015 03:43 AM - edited 03-11-2019 10:30 PM
Hi,
I just replaced a pair of older ASA firewalls running 8.3 with 5515-Xs running 8.6. One part is not working and I'm not sure whether there have been changes that prevent it or I overlooked a detail.
Our VPN clients connecting to our office firewalls can reach our internal networks and the internet (no split tunnel, everything is tunneled). They can't, however, reach any remote L2L networks.
1) I see hitcnt for outside_access_in
2) I don't see NAT hits (masq vpn clients to a specific nat ip when bound for customer X networks)
Basic config
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ipsecvpnpool
subnet 172.16.32.0 255.255.255.0
object network customer-dmz
subnet 10.10.74.0 255.255.255.0
access-list outside_access_in line 1 extended permit ip object ipsecvpnpool object customer-dmz (hitcnt=0) 0xabe3ed7e
access-list outside_access_in line 1 extended permit ip 172.16.32.0 255.255.255.0 10.10.74.0 255.255.255.0 (hitcnt=197) 0xabe3ed7e
access-list outside_access_out line 1 extended permit ip any object customer-dmz (hitcnt=0) 0xa0406a63
access-list outside_access_out line 1 extended permit ip any 10.10.74.0 255.255.255.0 (hitcnt=0) 0xa0406a63
Rule 6 with no hits, clearly not affected by any other rules:
1 (dmz) to (outside) source static ns2 other-nat-1 destination static other_cust_1 other_cust_1
translate_hits = 12, untranslate_hits = 0
2 (outside) to (outside) source static ipsecvpnpool other-nat-2 destination static other_cust_2 other_cust_2
translate_hits = 0, untranslate_hits = 0
3 (outside) to (outside) source static ipsecvpnpool other-nat-3 destination static other_cust_3 other_cust_3
translate_hits = 0, untranslate_hits = 259
4 (outside) to (outside) source dynamic ipsecvpnpool other-nat-4 destination static other_cust_4 other_cust_4
translate_hits = 0, untranslate_hits = 0
5 (outside) to (outside) source static ipsecvpnpool other-nat-5 destination static other_cust_5 other_cust_5
translate_hits = 0, untranslate_hits = 0
6 (outside) to (outside) source dynamic ipsecvpnpool customer-nat-ip destination static customer-dmz customer-dmz
translate_hits = 0, untranslate_hits = 0
A capture on 'ip any object customer-dmz' on interface outside shows nothing, so it's not trying without the NAT. Something has got to be blocking this.
02-16-2015 04:18 AM
I do see "routing failed to locate next hop for outside" using debug logging.
02-23-2015 12:43 PM
Hi there,
I understand that you have the objects below defined.
object network ipsecvpnpool
subnet 172.16.32.0 255.255.255.0
object network customer-dmz
subnet 10.10.74.0 255.255.255.0
Tell me, do you have a separate tunnel that terminates at the customer's DMZ segment?
If I understood you right, you want your remote VPN clients to access the remote customer's DMZ segment?
Please post your answers, along with your current configs.
thanks
02-25-2015 07:32 AM
Hi,
Yes I have. I have narrowed the problem down to generic NAT rules that interfere, albeit coming later in the chain:
Something like this makes it fail:
<snip>
6 (outside) to (outside) source dynamic ipsecvpnpool customer-nat-ip destination static customer-dmz customer-dmz
...
55 (lan) to (outside) source dynamic any any destination static rfc1918 rfc1918
This actually makes ipsecvpnpool hairpinning towards the external L2L tunnel fail. I simply can't have generic catch-all (no)NAT rules.
I have hired a consultant to come and explain the issues, I will report back once I know exactly what is happening.
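As an added illustration (not the poster's running configuration), here is rule 6 from the show nat output above in its nat-command form, followed by the packet-tracer check that shows which NAT rule and egress interface a VPN-client packet actually gets; the customer-nat-ip address, the rfc1918 group contents and the sample client/server addresses are assumed placeholders.

```text
! Added example, not the poster's running config. Mapped address and the
! rfc1918 group contents are assumed placeholders.
object network ipsecvpnpool
 subnet 172.16.32.0 255.255.255.0
object network customer-dmz
 subnet 10.10.74.0 255.255.255.0
object network customer-nat-ip
 host 203.0.113.10
object-group network rfc1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Rule 6 as listed by "show nat": hairpin VPN clients (outside -> outside)
! and translate them to customer-nat-ip only when bound for customer-dmz.
nat (outside,outside) 6 source dynamic ipsecvpnpool customer-nat-ip destination static customer-dmz customer-dmz
!
! The generic (lan,outside) "destination static rfc1918 rfc1918" rule the
! poster reports as interfering sits later in section 1 (rule 55 above).
!
! Check which NAT rule and egress interface a client packet actually gets.
! Constructed sample flow: VPN client 172.16.32.10 to a host in customer-dmz.
packet-tracer input outside tcp 172.16.32.10 40000 10.10.74.10 443 detailed
!
! In the output, the NAT phase names the matching nat line and the
! ROUTE-LOOKUP phase shows the chosen egress interface. The hairpin only
! works if the NAT phase reports rule 6 and the packet is routed back out
! "outside"; a no-route drop here corresponds to the "routing failed to
! locate next hop for outside" message seen in debug logging.
!
! Compare translate_hits / untranslate_hits before and after a test connection.
show nat detail
```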
02-18-2015 08:22 AM
Hi there,
You might want to read this thread below, and this will help resolve your issue.
https://supportforums.cisco.com/discussion/12424821/can-not-ping-between-remote-vpn-site
thanks
Rizwan Rafeek
02-23-2015 12:23 AM
Rizwan: That's a negative, it won't resolve my issue as I'm already doing this (see the part in bold):
6 (outside) to (outside) source dynamic ipsecvpnpool customer-nat-ip destination static customer-dmz customer-dmz