02-02-2016 08:04 PM - edited 03-12-2019 12:14 AM
Hi,
I have configured a L2L to 2 different sites, A-B and A-C.
I also configured a remote VPN to site A.
When I remote access to site A, I can access the LAN on site A but not on sites B and C.
How do I define NAT exemption for the other sites, B and C?
I attached some of the config.
02-02-2016 11:13 PM
Hello!
I have looked through the configuration briefly, and I think you should add the following command:
same-security-traffic permit intra-interface
By default, traffic entering an interface is not allowed to exit through the same interface or through another interface with the same security level. To allow this behaviour, you should use the "same-security-traffic ..." command.
In your case, the traffic from the remote VPN enters the "outside" interface and, in order to reach the other remote sites, it has to exit from the same interface, "outside".
For more information, see the following links:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/command/ref/refgd/s1.html#wp1383263
https://learningnetwork.cisco.com/thread/22344
NAT exceptions are defined correctly from my point of view.
Hope this helps.
02-03-2016 12:09 AM
I did a packet tracer and got this
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-OUT2IN in interface outside
access-list ACL-OUT2IN extended permit ip any any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
02-03-2016 12:11 AM
I'm afraid packet tracer is not suitable for verification of IPsec tunnels on ASA.
Have you added the command:
same-security-traffic permit intra-interface
?
02-03-2016 05:30 AM
I added the command same-security-traffic permit intra-interface
However, it is still not working.
02-03-2016 05:46 AM
Ok, try to add the keywords "no-proxy-arp" and "route-lookup" to all your NAT-exception statements.
For example:
nat (inside10,outside) source static OBJ-NET-INSIDE10 OBJ-NET-INSIDE10 destination static OBJ-NET-REMOTE192 OBJ-NET-REMOTE192 no-proxy-arp route-lookup
nat (inside20,outside) source static OBJ-NET-INSIDE20 OBJ-NET-INSIDE20 destination static OBJ-NET-REMOTE192 OBJ-NET-REMOTE192 no-proxy-arp route-lookup
nat (inside30,outside) source static OBJ-NET-INSIDE30 OBJ-NET-INSIDE30 destination static OBJ-NET-REMOTE192 OBJ-NET-REMOTE192 no-proxy-arp route-lookup
nat (inside40,outside) source static OBJ-NET-INSIDE40 OBJ-NET-INSIDE40 destination static OBJ-NET-REMOTE192 OBJ-NET-REMOTE192 no-proxy-arp route-lookup
Also, please confirm that the other sites (B and C) are configured correctly to encrypt traffic from their local subnet to subnet 192.168.10.0 255.255.255.0.
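The two answers above boil down to two checks on the ASA configuration: the hairpin permission (same-security-traffic permit intra-interface) must be present, and every identity (exemption) NAT rule should carry the no-proxy-arp and route-lookup keywords. The script below is an added example, not code from this thread or from Cisco: it parses a constructed config fragment and reports which of those conditions fail. The object names OBJ-NET-INSIDE10 and OBJ-NET-REMOTE192 are taken from the post above; the OBJ-VPN-POOL object, all subnet values, and the (outside,outside) exemption rule in the "after" config are assumptions made up for the example.

```python
import re

# Constructed "before" config (assumption: a VPN pool object named
# OBJ-VPN-POOL and the subnet values below are made up for this example).
CONFIG_BEFORE = """\
object network OBJ-NET-INSIDE10
 subnet 192.168.10.0 255.255.255.0
object network OBJ-NET-REMOTE192
 subnet 192.168.192.0 255.255.255.0
object network OBJ-VPN-POOL
 subnet 10.10.10.0 255.255.255.0
nat (inside10,outside) source static OBJ-NET-INSIDE10 OBJ-NET-INSIDE10 destination static OBJ-NET-REMOTE192 OBJ-NET-REMOTE192
nat (inside10,outside) source static OBJ-NET-INSIDE10 OBJ-NET-INSIDE10 destination static OBJ-VPN-POOL OBJ-VPN-POOL
nat (inside10,outside) source dynamic any interface
"""

# Constructed "after" config: hairpin permitted, keywords added, and an
# assumed exemption for pool-to-remote-site traffic that enters and leaves
# the outside interface.
CONFIG_AFTER = """\
same-security-traffic permit intra-interface
nat (inside10,outside) source static OBJ-NET-INSIDE10 OBJ-NET-INSIDE10 destination static OBJ-NET-REMOTE192 OBJ-NET-REMOTE192 no-proxy-arp route-lookup
nat (inside10,outside) source static OBJ-NET-INSIDE10 OBJ-NET-INSIDE10 destination static OBJ-VPN-POOL OBJ-VPN-POOL no-proxy-arp route-lookup
nat (outside,outside) source static OBJ-VPN-POOL OBJ-VPN-POOL destination static OBJ-NET-REMOTE192 OBJ-NET-REMOTE192 no-proxy-arp route-lookup
nat (inside10,outside) source dynamic any interface
"""

# Matches twice-NAT "source static" rules; dynamic rules are ignored.
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[\w-]+),(?P<dst_if>[\w-]+)\) source static "
    r"(?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?"
    r"(?P<flags>(?: \S+)*)$"
)
INTRA_RE = re.compile(r"^\s*same-security-traffic permit intra-interface\s*$", re.M)
REQUIRED_FLAGS = {"no-proxy-arp", "route-lookup"}


def has_intra_interface(config):
    """True if hairpinning (in and out of the same interface) is permitted."""
    return INTRA_RE.search(config) is not None


def parse_nat_rules(config):
    """Return one dict per static twice-NAT rule, marking identity rules."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        rule = m.groupdict()
        rule["flags"] = set(rule["flags"].split())
        # Identity NAT (exemption): real and mapped objects are the same.
        rule["identity"] = rule["src_real"] == rule["src_mapped"] and (
            rule["dst_real"] is None or rule["dst_real"] == rule["dst_mapped"]
        )
        rules.append(rule)
    return rules


def find_exemption(rules, obj_a, obj_b):
    """Return the identity rule exempting traffic between two objects, if any."""
    for rule in rules:
        if rule["identity"] and {rule["src_real"], rule["dst_real"]} == {obj_a, obj_b}:
            return rule
    return None


def audit_hairpin_vpn(config, vpn_if="outside"):
    """List the conditions the thread's answers ask for that are not met."""
    findings = []
    if not has_intra_interface(config):
        findings.append(
            "missing 'same-security-traffic permit intra-interface': traffic "
            f"cannot enter and leave {vpn_if} (VPN client to L2L site)"
        )
    for rule in parse_nat_rules(config):
        if not rule["identity"]:
            continue
        missing = REQUIRED_FLAGS - rule["flags"]
        if missing:
            findings.append(
                f"nat ({rule['src_if']},{rule['dst_if']}) {rule['src_real']} -> "
                f"{rule['dst_real']}: exemption lacks {' '.join(sorted(missing))}"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(f"== {name} ==")
        for finding in audit_hairpin_vpn(cfg) or ["no findings"]:
            print(" ", finding)
        pool_rule = find_exemption(parse_nat_rules(cfg), "OBJ-VPN-POOL", "OBJ-NET-REMOTE192")
        print("  pool-to-remote exemption:", "present" if pool_rule else "absent")
```

Run it against a saved `show running-config` to get the same report for a real box; the regex only recognises object-based twice-NAT rules, so exemptions written in other forms would need a second pattern.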
02-03-2016 05:48 AM
Also, be aware: after the configuration changes, you should reconnect the VPN Client on the remote PC in order for the new configuration to take effect.
02-05-2016 05:15 AM
It is now working. I did not add the command no-proxy-arp route-lookup.
However, I am not sure why it is now working.
I am deleting everything and reconfiguring it again ... I just need to know what it is that I am missing?