11-22-2019 01:22 AM - edited 02-21-2020 09:42 AM
Hi All,
We have a site-to-site connection with Azure with BGP enabled. I am trying to force-tunnel all the traffic from Azure to our ASA. However, even though the site-to-site VPN is working fine, I am not able to make this work; I know it's a routing issue. Following is the relevant configuration. Please take a look and help me out if you can. Let me know if you require the full config. Many thanks in advance.
interface GigabitEthernet0/0
nameif OUTSIDE_HOST_IRELAND
security-level 0
ip address x.x.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
nameif OUTSIDE_VODAFONE
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet0/2
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
description STATE Failover Interface
!
interface GigabitEthernet0/5
description LAN Failover Interface
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Port-channel1
lacp max-bundle 8
no nameif
no security-level
no ip address
!
interface Port-channel1.10
vlan 10
nameif INSIDE10
security-level 100
ip address 10.10.10.254 255.255.255.0
policy-route route-map ROUTE_MAP_VIA_HOST_IRELAND
!
interface Tunnel1
nameif AZ-TUNNEL
ip address 192.168.99.1 255.255.255.252
tunnel source interface OUTSIDE_VODAFONE
tunnel destination x.x.x.x x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile LAN_LAN_TSET_AZ_PROFILE
!
interface Tunnel2
nameif AZ-TUNNEL2
ip address 192.168.30.1 255.255.255.252
tunnel source interface OUTSIDE_HOST_IRELAND
tunnel destination x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile LAN_LAN_TSET_AZ_PROFILE
object network AZ_Cluid_SubNet1
subnet 172.16.0.0 255.255.255.0
object network NET_200
subnet 192.168.200.0 255.255.255.0
object network NET_200
nat (INSIDE10,OUTSIDE_VODAFONE) dynamic interface
access-list NORTHBANK_AZ extended permit ip any object AZ_Cluid_SubNet1
nat (INSIDE10,OUTSIDE_VODAFONE) source static any any destination static AZ_Cluid_SubNet1 AZ_Cluid_SubNet1 no-proxy-arp route-lookup
nat (OUTSIDE_VODAFONE,OUTSIDE_VODAFONE) source static AZ_Cluid_SubNet1 AZ_Cluid_SubNet1 destination static AZ_Cluid_SubNet1 AZ_Cluid_SubNet1 no-proxy-arp route-lookup
nat (OUTSIDE_VODAFONE,OUTSIDE_VODAFONE) after-auto source dynamic AZ_Cluid_SubNet1 interface
Some debugs:
ICMP echo request, locate untranslate 172.16.0.10/1 to AZ-TUNNEL:104.18.163.29/0
pinhole-peek : proto-1 AZ-TUNNEL:172.16.0.10/1 -> 104.18.163.29/0
ICMP echo request from AZ-TUNNEL:172.16.0.10 to OUTSIDE_VODAFONE:104.18.163.29 ID=1 seq=3798 len=32
ASA-NORTHBANK# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is x.x.x.x.x to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, OUTSIDE_VODAFONE
C 10.10.10.0 255.255.255.0 is directly connected, INSIDE10
L 10.10.10.254 255.255.255.255 is directly connected, INSIDE10
C 10.16.1.0 255.255.255.0 is directly connected, FAIL
L 10.16.1.1 255.255.255.255 is directly connected, FAIL
C 10.16.2.0 255.255.255.0 is directly connected, STATE
L 10.16.2.1 255.255.255.255 is directly connected, STATE
B 10.100.100.0 255.255.254.0 [20/0] via 172.16.254.254, 11:19:31
C x.x.x.x 255.255.255.252 is directly connected, OUTSIDE_VODAFONE
L x.x.x.x 255.255.255.255 is directly connected, OUTSIDE_VODAFONE
C x.x.x.x. 255.255.255.248 is directly connected, OUTSIDE_HOST_IRELAND
L x.x.x.x 255.255.255.255 is directly connected, OUTSIDE_HOST_IRELAND
B 172.16.0.0 255.255.0.0 [20/0] via 172.16.254.254, 11:19:37
S 172.16.254.254 255.255.255.255 [1/0] via 192.168.99.2, AZ-TUNNEL
C 192.168.99.0 255.255.255.252 is directly connected, AZ-TUNNEL
L 192.168.99.1 255.255.255.255 is directly connected, AZ-TUNNEL
V 192.168.100.105 255.255.255.255 connected by VPN, OUTSIDE_VODAFONE
V 192.168.100.106 255.255.255.255 connected by VPN, OUTSIDE_VODAFONE
V 192.168.100.107 255.255.255.255 connected by VPN, OUTSIDE_VODAFONE
V 192.168.100.108 255.255.255.255 connected by VPN, OUTSIDE_VODAFONE
V 192.168.100.109 255.255.255.255 connected by VPN, OUTSIDE_VODAFONE
V 192.168.100.110 255.255.255.255 connected by VPN, OUTSIDE_VODAFONE
S 192.168.200.0 255.255.255.0 [1/0] via 10.10.10.1, INSIDE10
S 192.168.201.0 255.255.255.0 [1/0] via 10.10.10.1, INSIDE10
S 192.168.202.0 255.255.255.0 [1/0] via 10.10.10.1, INSIDE10
S 192.168.203.0 255.255.255.0 [1/0] via 10.10.10.1, INSIDE10
S 192.168.205.0 255.255.255.0 [1/0] via 10.10.10.1, INSIDE10
S 192.168.206.0 255.255.255.0 [1/0] via 10.10.10.1, INSIDE10
BGP table version is 10, local router ID is 192.168.99.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.100.100.0/23 172.16.254.254 0 55500 i
*> 172.16.0.0 172.16.254.254 0 55500 i
*> 192.168.200.0 10.10.10.1 0 32768 i
*> 192.168.201.0 10.10.10.1 0 32768 i
*> 192.168.206.0 10.10.10.1 0 32768 i